Microsoft has announced new security defaults for Windows 365 Cloud PCs, set to roll out in the second half of 2025.

The changes will apply to all newly provisioned and reprovisioned Cloud PCs and are designed to minimize risks associated with data theft and malware.

Under the new defaults, clipboard, drive, USB, and printer redirections will be disabled by default, preventing users from copying files between Cloud PCs and physical devices. USB redirection changes will only impact low-level access, so USB-based mice, keyboards, and webcams will continue functioning normally. These new defaults will also apply to new Azure Virtual Desktop host pools.

Since May 2025, Microsoft has also been enabling virtualization-based security (VBS), Credential Guard, and Hypervisor-Protected Code Integrity (HVCI) by default on Windows 11 gallery images for Cloud PCs, offering enhanced protection against kernel-level threats and malicious code execution.

Admins will be notified of these updates via banners in the Intune Admin Center and can override defaults using Group Policy or Intune policies if redirection is necessary for users.

Additionally, Microsoft revealed it will update Microsoft 365 security defaults starting in July 2025, blocking access to OneDrive, SharePoint, and Office files via legacy authentication protocols like RPS and FPRPC. Other security updates include the disabling of ActiveX controls in Office apps, blocking screenshots in Teams meetings, and adding .library-ms and .search-ms to Outlook’s list of blocked file attachments.


These changes signal Microsoft’s ongoing push to modernize its security stack and reduce exposure to legacy threats.
