- Microsoft is tightening default security configurations for Windows 365 Cloud PCs by disabling file redirections and enabling virtualisation-based protection by default.
- These changes are intended to strengthen endpoint security and align with Microsoft’s Secure Future Initiative, though they may affect some aspects of user experience.
Microsoft this week has announced a new wave of security measures for its Windows 365 Cloud PC service, with the goal being to increase protection within its enterprise cloud environments.
The updates, which will begin rolling out in the second half of 2025, will introduce default restrictions on file and device redirections, while also enabling virtualisation-based security (VBS) features on supported systems.
These changes are set to be a part of Microsoft’s broader Secure Future Initiative, which focuses on hardening systems against new threats through proactive and built-in protections.
Redirection Restrictions to Minimise Risk
One of the most notable updates is Microsoft’s decision to disable certain redirection features by default.
Newly provisioned or reprovisioned Cloud PCs will now block clipboard, drive, USB, and printer redirections.
This restriction is designed to prevent data theft by hackers and malware, and limit the vulnerabilities and potential entry points between local devices and the cloud environment.
Microsoft said, “Accessing a file will disable the clipboard, making it impossible to copy files between the Cloud PC and physical devices.” This update, while predominantly introduced for security purposes, could also cause workflow limitations for users accustomed to easy file transfers.
Not all devices will be affected.
Hardware accessories such as mice, keyboards, and webcams, all classified under high-level redirection, will continue to function as they always have. Moreover, shared-use systems such as Windows 365 Frontline Cloud PCs, will keep their existing policies.
Virtualisation-Based Security Now Enabled by Default
Alongside the new redirection controls, Microsoft has also activated a suite of VBS features across Windows 11-based Cloud PCs. These include:
- Credential Guard – To protect user credentials by isolating them from the rest of the system.
- HVCI (Hypervisor-Protected Code Integrity) – To ensure that only trusted code runs at the kernel level (the highest level of access).
- Virtual Secure Mode – Which uses hardware-level virtualisation to create isolated memory spaces for critical operations.
These features already began rolling out in May 2025 and are designed to defend against sophisticated threats such as credential theft and kernel-level exploits.
Administrative Control and Implementation Timeline
While the changes will be enforced by default, administrators will still be able to manually reenable redirection functionality using Microsoft Intune or Group Policy Objects (GPO), if business needs require it. This will give IT teams flexibility while still maintaining Microsoft’s secure-by-default stance.
Aligning with the Secure Future Initiative
These latest updates are a part of Microsoft’s ongoing efforts to deliver more secure, cloud-native computing experiences.
Windows 365 Cloud PCs have already proven to be helpful for businesses wanting to manage remote endpoints, and these latest security defaults simply show that these platforms are a great solution for hybrid workforces.
*
Your cybersecurity is the most important digital shield between you and those who would love to help themselves to your data. At 24/7 IT Services, we help our clients regain control and confidence in their IT by providing excellent IT Security Solutions, Managed IT Support, Cloud Computing and more. If you need an IT partner, contact us today.
