Starting in the second half of 2025, Microsoft will implement new default security settings for Windows 365, which will affect all cloud PCs that are configured for the first time or reconfigured. The idea is clear: to make the environment more secure from the outset, without administrators having to do anything extra.
Among the main changes, features such as the clipboard, drive access, USB, and printer redirection will be disabled by default. Why? Because these features, while useful, can also be gateways for data theft or malware if not properly controlled. By blocking the ability to copy files between cloud PCs and physical devices, that risk is significantly reduced.
However, not all USB devices will be limited. Microsoft clarified that the change to USB device redirection will only affect devices redirected at a low level. That means peripherals such as mice, keyboards, and webcams will continue to function normally, as they are managed through high-level redirection. So there's no need to worry if you use this type of equipment.
And it's not just Windows 365 that will benefit from these changes: newly created host pools for Azure Virtual Desktop will also adopt these new security settings.
In addition, since last month, Microsoft has already started to enable several advanced protection technologies by default on Cloud PCs that use Windows 11 images from the gallery. These include:
- Virtualization-based security (VBS)
- Credential Guard (protection against credential theft)
- Hypervisor-protected code integrity (HVCI)
These features help create “secure zones” within the system memory, making it much more difficult for an attacker to execute malicious code at the operating system kernel level.
“Windows 365 is improving PC security in the cloud by having the clipboard, drive, USB, and printer redirections disabled by default for all newly provisioned and re-provisioned cloud PCs.”
In summary: less manual configuration, more automatic security, and a more reliable environment from the outset. Microsoft is strongly committed to making working from the cloud not only more convenient, but also much more secure.
Key changes to default security in Windows 365 and Microsoft 365
Starting in May 2025, Microsoft has begun enabling several advanced security features by default on all Windows 365 Cloud PCs that use Windows 11 images from the gallery. If you are provisioning or re-provisioning a Cloud PC, it now comes with virtualization-based security (VBS), Credential Guard, and hypervisor-protected code integrity (HVCI) already enabled. Basically, these are extra layers of defense that help protect the system from within, preventing malicious code from doing its thing.
To keep IT administrators informed, Microsoft will also display warning banners in the Intune Admin Center explaining these new security settings. From there, administrators can decide whether to keep these default settings or change them, for example, if their users need to continue using features such as USB redirection, printers, or shared clipboards.
Microsoft will display a banner in Intune about the new settings that disable redirection in Windows 365, with the option to override them via policies.
The idea is that when a new PC is configured in the cloud, the new default settings (such as disabling redirections) are applied first, and then, if that machine belongs to a group with custom policies in Intune, those policies are automatically applied and replace the default settings. In other words, if you already have policies configured, you won't have to worry about losing your custom settings.
But it doesn't end there. Microsoft has also announced that, starting in July 2025, it will begin updating the default security settings for all Microsoft 365 tenants. One of the most important changes is that access to files in SharePoint, OneDrive, and Office will be blocked if you try to use old or insecure authentication methods.
Specifically, Microsoft 365 will no longer allow legacy browser authentication for OneDrive and SharePoint using the RPS (Relying Party Suite) protocol, and will also block FPRPC (FrontPage Remote Procedure Call), which was used to open Office files. All of this is aimed at closing doors that no longer meet modern security standards.
In addition, since January, the company has been disabling all ActiveX controls in the Windows versions of Microsoft 365 and Office 2024 apps. And in July, a new Teams feature will arrive that blocks screenshots during meetings, ideal for protecting sensitive information displayed in real time.
Finally, if you use Outlook, keep in mind that starting in July, .library-ms and .search-ms files will also be added to the list of blocked attachments, which means they can no longer be sent or received by email to avoid security risks.