Microsoft is set to implement significant security enhancements for Windows 365 Cloud PCs starting in late 2025. These changes aim to bolster the security posture of Cloud PCs by modifying default settings and introducing advanced protective features.

Disabling Device Redirections by Default

To mitigate risks associated with data exfiltration and malware infiltration, Microsoft will disable clipboard, drive, USB, and printer redirections by default on all newly provisioned and reprovisioned Windows 365 Cloud PCs. This policy change extends to newly created host pools in Azure Virtual Desktop as well. Administrators will receive notifications about these new default settings through a dismissible banner in Microsoft Intune. It's important to note that these defaults will not affect existing Cloud PCs with active provisioning policies. Admins retain the flexibility to override these settings by creating Intune device configuration policies or Group Policy Objects (GPOs). Notably, USB peripherals such as mice, keyboards, and webcams, which utilize high-level redirection, will remain unaffected by this change. (techcommunity.microsoft.com)

Enabling Advanced Security Features

In addition to modifying redirection settings, Microsoft will enable several advanced security features by default on Cloud PCs running Windows 11 gallery images. These features include Virtualization-Based Security (VBS), Credential Guard, and Hypervisor-Protected Code Integrity (HVCI).
  • Virtualization-Based Security (VBS): Utilizes hardware virtualization to create a secure region of memory, enhancing protection against advanced threats.
  • Credential Guard: Leverages VBS to isolate and protect login credentials from theft and reuse.
  • Hypervisor-Protected Code Integrity (HVCI): Ensures that only verified kernel-level code runs, effectively blocking common malware and rootkit attacks.
These enhancements align with Microsoft's Secure Future Initiative (SFI) and require no additional action from users. (techcommunity.microsoft.com)

Implications for Administrators and Users

While these default settings aim to enhance security, administrators have the option to re-enable device redirections if necessary. This can be accomplished using the Intune Settings Catalog or Group Policy after provisioning is complete. To manage redirection policies at scale efficiently, Microsoft recommends utilizing built-in Intune device groups and filters. Additionally, it's advisable to inform users about these changes and provide a mechanism for them to request redirection features if needed. (techcommunity.microsoft.com)
By implementing these security defaults, Microsoft aims to provide a more secure and resilient environment for Windows 365 Cloud PC users, addressing potential vulnerabilities and aligning with best practices in cloud security.
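
A read-only check an administrator could run inside a Cloud PC to see the state of the settings described above. This is an added example, not code from Microsoft or the original post; it assumes the redirections are governed by the standard Remote Desktop Services policy registry values (with `fDisablePNPRedir` standing in for USB redirection) and reads VBS state from the `Win32_DeviceGuard` CIM class.

```powershell
# Added example: read-only audit, run in an elevated PowerShell session on the Cloud PC.

# Host-side Remote Desktop Services policy values (1 = redirection blocked by policy).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$redirections = [ordered]@{
    Clipboard = 'fDisableClip'
    Drive     = 'fDisableCdm'
    Printer   = 'fDisableCpm'
    USB       = 'fDisablePNPRedir'  # assumption: Plug and Play device policy used for USB
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$report = @(foreach ($name in $redirections.Keys) {
    $valueName = $redirections[$name]
    $raw = if ($policy -and $policy.PSObject.Properties[$valueName]) { $policy.$valueName } else { $null }
    $state = if ($null -eq $raw) { 'Not configured here' }
             elseif ($raw -eq 1) { 'Blocked by policy' }
             else                { 'Allowed by policy' }
    [pscustomobject]@{ Check = "$name redirection"; Source = $valueName; State = $state }
})

# VBS, Credential Guard and HVCI state as reported by Windows itself.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services  = [ordered]@{ 'Credential Guard' = 1; 'HVCI' = 2 }  # SecurityServicesRunning codes

$vbs = if ($dg) { $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus] } else { 'Unknown (query failed)' }
$report += [pscustomobject]@{ Check = 'VBS'; Source = 'VirtualizationBasedSecurityStatus'; State = $vbs }

foreach ($svc in $services.Keys) {
    $state = if (-not $dg) { 'Unknown (query failed)' }
             elseif ($dg.SecurityServicesRunning -contains $services[$svc]) { 'Running' }
             elseif ($dg.SecurityServicesConfigured -contains $services[$svc]) { 'Configured, not running' }
             else { 'Not configured' }
    $report += [pscustomobject]@{ Check = $svc; Source = 'SecurityServicesRunning'; State = $state }
}

$report | Format-Table -AutoSize
```

"Not configured here" only means no policy value exists at that key; the post does not say how the new defaults are delivered, so it is not evidence that a redirection is enabled.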

Source: Windows Report, "Windows 365 Cloud PCs will get new security defaults starting late 2025"
 
