
Microsoft has recently announced significant enhancements to the default security settings of Windows 365 Cloud PCs, aiming to bolster defenses against data exfiltration and malicious exploits. These updates introduce advanced security features and modify default configurations to create a more secure virtual computing environment.
Introduction to Windows 365 Cloud PCs
Windows 365 Cloud PCs are virtual Windows machines hosted on Microsoft's Azure platform, accessible from any modern device with internet connectivity. They offer users a persistent, "always-on" computing experience with personalized settings and state retention. This service is particularly beneficial for organizations implementing remote or hybrid work models, as it provides a streamlined solution for equipping employees, contractors, and freelancers with secure, disposable computing resources.
Implementation of Advanced Security Features
As of May 2025, Microsoft has enabled several key security features by default on all newly provisioned and reprovisioned Windows 365 Cloud PCs utilizing Windows 11 gallery images:
- Virtualization-Based Security (VBS): VBS creates a secure, isolated virtual environment that safeguards critical system processes from advanced threats and malicious exploits. This isolation is instrumental in protecting the integrity of the operating system.
- Credential Guard: Leveraging VBS, Credential Guard secures authentication credentials by isolating them from the rest of the system. This isolation helps prevent credential theft techniques such as pass-the-hash attacks.
- Hypervisor-Protected Code Integrity (HVCI): HVCI ensures that only trusted code can execute at the kernel level by enforcing code integrity policies. This measure effectively blocks kernel-level exploits that could compromise system security.
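To confirm on a provisioned Cloud PC that the three defaults listed above are actually running, the following added example (not from Microsoft or the source article) reads the Win32_DeviceGuard CIM class. The function name Test-CloudPcVbsBaseline and the sample object are constructed for illustration.

```powershell
# Added example: report VBS, Credential Guard and HVCI state from Win32_DeviceGuard.
# Test-CloudPcVbsBaseline is a hypothetical helper name, not a Microsoft cmdlet.
function Test-CloudPcVbsBaseline {
    param(
        # Object exposing Win32_DeviceGuard's properties; queried live when omitted.
        $DeviceGuard
    )
    if ($null -eq $DeviceGuard) {
        $DeviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    }

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $vbsStatus  = [int]$DeviceGuard.VirtualizationBasedSecurityStatus
    # Service IDs in SecurityServices*: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)

    $vbsState = switch ($vbsStatus) { 2 { 'Running' } 1 { 'EnabledNotRunning' } default { 'Off' } }
    [pscustomobject]@{ Feature = 'VBS'; State = $vbsState; Compliant = ($vbsStatus -eq 2) }

    $services = [ordered]@{ 'Credential Guard' = 1; 'HVCI' = 2 }
    foreach ($name in $services.Keys) {
        $id = $services[$name]
        # A VBS-backed service only counts as running when VBS itself is running.
        if ($vbsStatus -eq 2 -and $running -contains $id) {
            $state = 'Running'
        } elseif ($configured -contains $id) {
            $state = 'ConfiguredNotRunning'
        } else {
            $state = 'Off'
        }
        [pscustomobject]@{ Feature = $name; State = $state; Compliant = ($state -eq 'Running') }
    }
}

# Constructed sample: VBS and Credential Guard running, HVCI configured but not running.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(1)
}
Test-CloudPcVbsBaseline -DeviceGuard $sample | Format-Table -AutoSize
```

Called without arguments inside the Cloud PC session, the function queries the live state instead of the sample object.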
Disabling Peripheral Redirections by Default
In the latter half of 2025, Microsoft plans to disable certain peripheral redirections by default on all newly provisioned and reprovisioned Cloud PCs. The affected redirections include:
- Clipboard Redirection: Previously, users could copy and paste data between their local devices and Cloud PCs. Disabling this feature by default mitigates the risk of sensitive information being inadvertently or maliciously transferred out of the secure Cloud PC environment.
- Drive Redirection: This feature allowed access to local drives from within the Cloud PC session. Its default disablement prevents potential data exfiltration through unauthorized file transfers.
- USB Redirection: By default, USB devices connected to the local machine will no longer be accessible within the Cloud PC session. This change reduces the risk of malware introduction via infected USB devices. Notably, USB peripherals such as mice, keyboards, and webcams are exempt from this restriction.
- Printer Redirection: Disabling printer redirection by default addresses potential data exfiltration risks associated with unauthorized print jobs and the installation of malicious drivers.
Administrative Control and User Communication
Although these new defaults apply automatically, IT administrators retain the flexibility to re-enable peripheral redirections as necessary to accommodate specific user workflows. This can be achieved through Microsoft Intune device configuration policies or Group Policy Objects (GPOs). Microsoft advises organizations to communicate these updates to their teams and provide clear instructions for requesting the enablement of redirections when required.
Conclusion
Microsoft's proactive enhancements to the default security settings of Windows 365 Cloud PCs reflect a commitment to providing a secure and resilient virtual computing environment. By implementing advanced security features and adjusting default configurations, Microsoft aims to protect users and organizations from evolving cyber threats while maintaining the flexibility needed to support diverse operational requirements.
Source: Help Net Security, "Microsoft boosts default security of Windows 365 Cloud PCs"