New Enhanced security defaults for Windows 365 Cloud PCs

Windows IT Pro Blog:

Today, we're excited to share details about two new secure by default capabilities for Windows 365 Cloud PCs. At Microsoft, security is our top priority, and by embedding Microsoft-recommended security settings, we make security a foundational part of the cloud experience. These capabilities for newly provisioned and reprovisioned Windows 365 Cloud PCs include:
  • Disabling by default redirections for clipboard, drive, USB, and printer.
  • Enabling by default virtualization-based security (VBS), Credential Guard, and hypervisor-protected code integrity (HVCI) for Windows 365 Cloud PCs running a Windows 11 gallery image.

Select redirections disabled for newly provisioned and reprovisioned Cloud PCs

Windows 365 is enhancing Cloud PC security by having clipboard, drive, USB, and printer redirections disabled by default for all newly provisioned and reprovisioned Cloud PCs. This change minimizes the risk of data exfiltration and malware injections, which provides a more secure experience and aligns with the Microsoft Secure Future Initiative (SFI) principle to have security protections enabled and enforced by default.

Note: These redirection defaults are also being applied to newly created host pools for Azure Virtual Desktop.

Default setting changes begin rollout soon

This change will begin gradually rolling out in the second half of 2025. To help IT admins prepare, a banner (shown in the screenshot below) will be displayed in the Microsoft Intune Admin Center on the provisioning policy, individual device action, and bulk action pages. This banner will notify you of the new default settings for newly provisioned or reprovisioned Cloud PCs and link to documentation on how to override them by creating Intune device configuration policies or Group Policy Objects (GPOs).

On the "Create a provisioning policy" page in the Microsoft Intune admin center, a dismissible banner provides notifications about the new redirection defaults.

Newly provisioned or reprovisioned Windows 365 Cloud PCs will have clipboard, drive, USB, and printer redirections disabled by default. For example, a user accessing files on a newly provisioned Cloud PC will not be able to use the clipboard to copy files from the Cloud PC to their physical device and vice versa.

Note: USB redirections are disabled by default, but USB mice, keyboards, and webcams will not be affected. These devices are managed through high-level redirection, which targets specific functionalities rather than the entire device. The disabled USB redirection specifically targets opaque low-level redirection for niche devices not supported by high-level redirection.

USB redirections for devices that support high-level redirection will continue to work. For more information on supported resources or peripherals and the recommended redirection method to use for each, please visit this documentation.

Reprovisioning flow for Windows 365 Frontline Cloud PCs in shared mode

When existing Windows 365 Frontline Cloud PCs in shared mode are reprovisioned directly from the device overview page as shown below, the new redirection defaults will not apply, because the existing provisioning policy, which still has these four redirections enabled, remains in effect.

From the device overview page, reprovisioning will not enable the new redirection defaults because existing policies are in place.

If the IT admin wants existing Windows 365 Frontline Cloud PCs in shared mode to receive these new redirection defaults, they need to be reprovisioned from the provisioning policy page by selecting the Reprovision button as shown below. Note that if you select Schedule Reprovision, you will need to schedule the reprovisioning to take place after the new defaults go live.

From the provisioning policy page, you can reprovision and enable the new redirection defaults.

Manually enable redirections for new Cloud PCs as needed

After the rollout begins, if IT admins want users to have one or more of the four redirections enabled, they will need to manually revert the redirection settings.

Note: When new Cloud PCs are provisioned, the new defaults for disabling redirections will be applied. Subsequently, Intune will sync and implement the IT admin’s desired settings from the existing policies, overriding the default configurations. This process assumes that the new Cloud PC is being added to an existing group that has been assigned to the relevant policy.

IT admins can manage settings in two ways:
  • If you need to revert redirection settings, you can use your established management controls.
  • Alternatively, you can take advantage of the Intune built-in device groups and filters. This is the quickest way to revert the redirection settings and enable them for your organization’s Cloud PCs. For detailed instructions, refer to the section "Use the 'All devices' group and device filters" in Application deployment in Windows 365: recommended practices.
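After the defaults land and Intune has synced any override policy, it is worth confirming the effective state on the Cloud PC itself. The script below is an added example, not code from the blog post or from Windows 365; it assumes that the four redirections are enforced through the standard Remote Desktop Services policy values under the Terminal Services policy key, and that the mapping of clipboard, drive, USB (Plug and Play) and printer redirection to those values is as shown.

```powershell
# Added example (not from the blog post): audit the four redirection defaults on a Cloud PC.
# Assumption: both the new defaults and any Intune/GPO override land in the Terminal Services
# policy key below, where 1 = redirection disabled and 0/absent = redirection allowed.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Map the post's four redirections to their policy value names (assumed mapping).
$RedirectionValues = [ordered]@{
    Clipboard = 'fDisableClip'
    Drive     = 'fDisableCdm'
    USB       = 'fDisablePNPRedir'   # opaque/low-level (Plug and Play) USB redirection
    Printer   = 'fDisableCpm'
}

function Get-CloudPcRedirectionState {
    param([string]$Key = $PolicyKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $RedirectionValues.Keys) {
        $valueName = $RedirectionValues[$name]
        $raw = if ($props) { $props.$valueName } else { $null }
        [pscustomobject]@{
            Redirection = $name
            PolicyValue = $valueName
            Configured  = ($null -ne $raw)   # false means no policy is set at all
            Disabled    = ($raw -eq 1)
        }
    }
}

# Report anything that is not in the secure-by-default state, for example after an
# Intune sync applied a policy that deliberately re-enables one redirection.
$state = Get-CloudPcRedirectionState
$state | Format-Table -AutoSize
$enabled = $state | Where-Object { -not $_.Disabled }
if ($enabled) {
    Write-Warning ('Redirections currently allowed: ' + ($enabled.Redirection -join ', '))
}
```

Run it in an elevated session on the Cloud PC after the Intune sync has completed, so that the result reflects the admin's override policy rather than the pre-sync defaults.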

This change to clipboard, drive, USB, and printer redirections being disabled by default may impact user workflows, so we recommend that you communicate this update to your teams and Windows 365 users. Additionally, we recommend that you provide instructions for requesting redirection enablement as appropriate.

For additional information on the post-provisioning process, visit the Windows 365 post-provisioning configuration documentation.

VBS, Credential Guard, and HVCI are enabled by default for new Cloud PCs running a Windows 11 gallery image

Since May 2025, all newly provisioned and reprovisioned Windows 365 Cloud PCs running a Windows 11 gallery image have VBS, Credential Guard, and HVCI enabled by default.

The "System Information" app on your device shows that VBS is running and that Credential Guard and HVCI, which depend on VBS, are running as intended.
  • VBS uses hardware virtualization to create a secure memory enclave that helps protect critical system processes from advanced threats and malicious exploits. To learn more, visit our VBS documentation.
  • Credential Guard uses VBS to secure authentication credentials, minimizing the risk of theft and lateral attacks. To learn more, visit our Credential Guard documentation.
  • HVCI/memory integrity allows only verified code to run at the kernel level, preventing malicious exploits. To learn more, visit our HVCI/memory integrity documentation.
These changes will strengthen protection against credential theft and kernel-level exploits, enhancing the Cloud PC security without requiring manual configuration.
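The System Information screenshot above is the manual check; the script below is an added example (not from the blog post or from Windows 365) that reads the same facts from the Win32_DeviceGuard WMI class so they can be checked across a fleet. It assumes the documented meaning of that class's status codes, noted in the comments.

```powershell
# Added example (not from the blog post): confirm VBS, Credential Guard and HVCI are running
# on a Cloud PC, in scriptable form.
function Get-CloudPcVbsState {
    # Win32_DeviceGuard reports the VBS status and which security services are configured/running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciConfigured            = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
    }
}

$state = Get-CloudPcVbsState
$state | Format-List

# A Cloud PC provisioned from a Windows 11 gallery image since May 2025 should show all three running.
$missing = @()
if (-not $state.VbsRunning)             { $missing += 'VBS' }
if (-not $state.CredentialGuardRunning) { $missing += 'Credential Guard' }
if (-not $state.HvciRunning)            { $missing += 'HVCI' }
if ($missing.Count -gt 0) {
    Write-Warning ('Not running: ' + ($missing -join ', ') +
        '. Check whether the Cloud PC predates the new default or was built from a custom image.')
} else {
    Write-Output 'VBS, Credential Guard and HVCI are all running.'
}
```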

Learn more about Windows 365 security

For an overview of security controls and concepts in Windows 365, visit our documentation.
