Windows 365 Cloud PCs will get new security defaults starting late 2025

Microsoft is rolling out two security changes for newly provisioned and reprovisioned Windows 365 Cloud PCs later this year. Clipboard, drive, USB, and printer redirection will be disabled by default to reduce data exfiltration and malware risks. These defaults apply to newly created host pools in Azure Virtual Desktop as well.

A dismissible banner will appear in Microsoft Intune to notify admins of these new default security settings. Redirection defaults only apply to new or reprovisioned Cloud PCs, not existing ones with active provisioning policies. Admins can override defaults by creating Intune device configuration policies or Group Policy Objects (GPOs).

USB mice, keyboards, and webcams are unaffected, since they use high-level redirection, not the disabled low-level redirection. To apply the new defaults to shared mode Cloud PCs, reprovision from the provisioning policy page, not from the device overview. Scheduling reprovisioning before defaults go live won’t enable the new settings unless timed properly.

Admins can manually re-enable redirections using the Intune Settings Catalog or Group Policy after provisioning completes. Using built-in Intune device groups and filters is the fastest way to manage redirection policies at scale. Microsoft recommends informing users and offering a way to request redirection features if needed.

All Cloud PCs using Windows 11 gallery images will now enable VBS, Credential Guard, and HVCI by default. VBS uses virtualization to secure memory and protect critical processes from advanced threats. Credential Guard uses VBS to isolate and protect login credentials from theft and reuse.

HVCI ensures only verified kernel-level code runs, blocking common malware and rootkit attacks. These defaults require no user action and align with Microsoft’s Secure Future Initiative (SFI).