Microsoft has unveiled a series of enhancements to its Windows 365 Cloud PCs, focusing on bolstering security measures to safeguard against data exfiltration and malicious exploits. These virtual Windows PCs, hosted on Azure, offer users an “always-on” computing environment accessible from any modern device with internet connectivity. This service is particularly favored by enterprises looking to facilitate remote and hybrid work arrangements and to provide contractors and freelancers with a flexible, disposable computing solution.
VBS, Credential Guard, HVCI
Starting in May 2025, all newly provisioned and reprovisioned Windows 365 Cloud PCs utilizing a Windows 11 gallery image will have several advanced security features enabled by default. These include Virtualization-Based Security (VBS), Credential Guard, and Hypervisor-Protected Code Integrity (HVCI).
- VBS creates a secure, isolated virtual environment that protects system processes from sophisticated threats and exploits.
- Credential Guard leverages VBS to secure authentication credentials, ensuring that sensitive information remains protected.
- HVCI guarantees that only verified code is executed at the kernel level, effectively blocking potential kernel-level exploits.
Disabled Redirections
In a further step towards enhancing security, Microsoft has announced that, beginning in the latter half of 2025, all newly provisioned and reprovisioned Cloud PCs will have clipboard, drive, USB, and printer redirections disabled by default. These redirections allow users to share resources and peripherals between their local devices and remote sessions via the Remote Desktop Protocol (RDP), creating a seamless experience akin to using local devices.
However, these features can also pose security risks. For instance, clipboard redirection may be exploited to transfer sensitive information from Cloud PCs to physical devices, while printer redirection could facilitate data exfiltration through print jobs or the injection of malicious drivers. Additionally, malicious USB devices connected to local machines could be redirected into Cloud PC sessions, potentially leading to malware deployment.
While the default settings will disable these redirections, IT administrators retain the ability to re-enable them through Intune device configuration policies, Group Policy Objects (GPOs), or manual adjustments. Derek Su, Product Manager at Microsoft, emphasized the importance of communication regarding these changes, noting that they may impact user workflows. He recommends that organizations inform their teams and Windows 365 users about the update and provide guidance on how to request the re-enablement of redirection features as needed.
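For administrators who want to confirm what a given Cloud PC actually enforces, the following read-only audit is an added example, not code from Microsoft or from the original article. It reads the standard `Win32_DeviceGuard` CIM class for VBS, Credential Guard and HVCI, and it assumes the four redirections are governed by the Remote Desktop Services policy values under the `Terminal Services` policy key; the function name `Get-CloudPcHardeningState` is hypothetical.

```powershell
# Added example: report VBS / Credential Guard / HVCI state and RDP redirection
# policy on the machine it runs on. Read-only; an elevated session may be needed.

function Get-CloudPcHardeningState {
    # Win32_DeviceGuard reports the state of virtualization-based security.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: contains 1 for Credential Guard, 2 for HVCI.
    $checks = [ordered]@{
        'VBS running'              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        'Credential Guard running' = ($dg.SecurityServicesRunning -contains 1)
        'HVCI running'             = ($dg.SecurityServicesRunning -contains 2)
    }

    # Assumption: redirection is controlled by the "Device and Resource Redirection"
    # policy values below, where 1 means the redirection is blocked.
    # A missing value means no policy is set, so it is reported as not enforced.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policies = [ordered]@{
        'Clipboard redirection blocked' = 'fDisableClip'
        'Drive redirection blocked'     = 'fDisableCdm'
        'Printer redirection blocked'   = 'fDisableCpm'
        'USB/PnP redirection blocked'   = 'fDisablePNPRedir'
    }
    foreach ($name in $policies.Keys) {
        $valueName = $policies[$name]
        $value = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $checks[$name] = ($value -eq 1)
    }

    # Emit one object per control so the result can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Enforced = $checks[$name] }
    }
}

$report = Get-CloudPcHardeningState
$report | Format-Table -AutoSize
$gaps = @($report | Where-Object { -not $_.Enforced })
if ($gaps.Count) { Write-Warning "$($gaps.Count) control(s) not enforced: $($gaps.Check -join ', ')" }
```

A redirection reported as not enforced here may still be blocked by another mechanism, so treat the output as a starting point for reviewing the Intune or GPO configuration rather than a final verdict.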