Microsoft boosts default security of Windows 365 Cloud PCs
Windows 365 Cloud PCs now come with new default settings aimed at preventing or minimizing data exfiltration and malicious exploits, Microsoft has announced.
Windows 365 Cloud PCs are virtual Windows PCs, hosted in Azure (i.e., by the Windows 365 service), that the company offers as a service. They are accessible from any modern device with internet access, and provide users with their own “always-on” Cloud PC with saved state and settings.
They are often provisioned by enterprises that offer remote and/or hybrid work options, and are an easy solution for providing contractors and freelancers with a “disposable” computer.
VBS, Credential Guard, HVCI
As of May 2025, all newly provisioned and reprovisioned Windows 365 Cloud PCs using a Windows 11 gallery image have Virtualization-Based Security (VBS), Credential Guard, and Hypervisor-Protected Code Integrity (HVCI) enabled by default.
VBS creates an isolated virtual environment to protect system processes from advanced threats and malicious exploits, and is used by Credential Guard to secure authentication credentials. HVCI makes sure that only verified code can be run at the kernel level (and thus blocks kernel-level exploits).
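To confirm that these three defaults are actually in effect on a Cloud PC, the added PowerShell example below (not from Microsoft or the original article) reads the Win32_DeviceGuard CIM class and reports each feature's state. The function name Get-VbsFeatureState is hypothetical, and the fallback object is a constructed sample used only when the class cannot be queried.

```powershell
# Added example: interpret Win32_DeviceGuard state for VBS, Credential Guard and HVCI.
function Get-VbsFeatureState {   # hypothetical helper name
    param(
        # Live Win32_DeviceGuard instance, or an object with the same property names
        [Parameter(Mandatory)] $DeviceGuard
    )
    # Value meanings as documented for Win32_DeviceGuard
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    $svcId   = [ordered]@{ 'Credential Guard' = 1; 'HVCI' = 2 }

    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)
    $vbsCode    = [int]$DeviceGuard.VirtualizationBasedSecurityStatus

    $rows = @([pscustomobject]@{
        Feature = 'VBS'; Configured = ($vbsCode -ge 1); Running = ($vbsCode -eq 2); Detail = $vbsText[$vbsCode]
    })
    foreach ($name in $svcId.Keys) {
        $isConf = $configured -contains $svcId[$name]
        $isRun  = $running -contains $svcId[$name]
        $detail = if ($isRun) { 'Running' } elseif ($isConf) { 'Configured but not running' } else { 'Not configured' }
        $rows += [pscustomobject]@{ Feature = $name; Configured = $isConf; Running = $isRun; Detail = $detail }
    }
    $rows
}

try {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
} catch {
    # Constructed sample (not real output): VBS and HVCI running, Credential Guard configured only
    $dg = [pscustomobject]@{
        VirtualizationBasedSecurityStatus = 2
        SecurityServicesConfigured        = @(1, 2)
        SecurityServicesRunning           = @(2)
    }
}

$state = Get-VbsFeatureState -DeviceGuard $dg
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Running }) {
    Write-Warning 'One or more of the expected default protections is not running.'
}
```

A feature that shows as configured but not running is the case worth investigating, since the policy is present but the protection is not active in that session.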
Disabled redirections
In the second half of 2025, all newly provisioned and reprovisioned Cloud PCs will come with clipboard, drive, USB, and printer redirections switched off by default.
“Redirection enables users to share resources and peripherals, such as the clipboard, webcams, USB devices, printers, and more, between their local device (client-side) and a remote session (server-side) over the Remote Desktop Protocol (RDP). Redirection aims to provide a seamless remote experience, comparable to the experience using their local device,” Microsoft explains.
Unfortunately, redirections can also be abused. Clipboard redirection, for example, can be abused to copy/paste sensitive information from Cloud PCs to physical devices. Printer redirection can be used for data exfiltration via print jobs or to inject malicious drivers.
Malicious USB sticks plugged into the local machine can be redirected into the Cloud PC session, where they can, for example, drop malware. (USB mice, keyboards, and webcams are exempt from this default “ban”.)
Notification about the new redirection defaults in the Microsoft Intune admin center (Source: Microsoft)
All four of these redirections are now disabled by default, but can be re-enabled by IT administrators via Intune device configuration policies or Group Policy Objects (GPOs), or manually.
“This change to clipboard, drive, USB, and printer redirections being disabled by default may impact user workflows, so we recommend that you communicate this update to your teams and Windows 365 users. Additionally, we recommend that you provide instructions for requesting redirection enablement as appropriate,” Derek Su, Product Manager at Microsoft, advised.