Microsoft Enhances Security for Windows 365 Cloud PCs

By Alex Cipher · 5 min read

Microsoft has taken a bold step in fortifying its Windows 365 Cloud PCs by unveiling a suite of new security defaults aimed at creating a secure-by-default environment. These enhancements are designed to protect sensitive data and prevent unauthorized access across the Cloud PC ecosystem. Key changes include the disabling of clipboard, drive, USB, and printer redirections by default, significantly reducing the risk of data theft and malware attacks (Bleeping Computer). Additionally, the integration of virtualization-based security (VBS) and Credential Guard ensures that sensitive data is protected from unauthorized access by creating secure memory enclaves and isolating credentials in a virtualized environment (Bleeping Computer). These measures are part of Microsoft’s broader strategy to enhance the security posture of its cloud services, providing organizations with the tools they need to protect their data in an increasingly digital world.

Overview of Windows 365 Security Enhancements

Security Defaults for Windows 365 Cloud PCs

Microsoft has announced significant security enhancements for Windows 365 Cloud PCs, focusing on creating a secure-by-default environment. These enhancements are designed to protect data and prevent unauthorized access across various components of the Cloud PC ecosystem. One of the primary changes is the disabling of clipboard, drive, USB, and printer redirections by default. This measure is aimed at minimizing the risk of data theft and malware attacks by restricting the ability to transfer files between Cloud PCs and physical devices (Bleeping Computer).

Virtualization-Based Security and Credential Guard

Virtualization-based security (VBS) and Credential Guard are now enabled by default on Windows 365 Cloud PCs running Windows 11 gallery images. VBS creates secure memory enclaves, which help protect sensitive data from being accessed by unauthorized users. Credential Guard, on the other hand, protects credentials by isolating them in a virtualized environment, making it difficult for malicious software to extract them (Bleeping Computer). These features work together to enhance the overall security posture of Cloud PCs by preventing malicious code execution at the kernel level.

Hypervisor-Protected Code Integrity

Hypervisor-protected code integrity (HVCI) is another security feature that has been enabled by default on Windows 365 Cloud PCs. HVCI leverages the hypervisor to enforce code integrity policies, ensuring that only trusted code can run in kernel mode. This feature is crucial in preventing kernel-level exploits, which are often used by attackers to gain control over a system. By enabling HVCI, Microsoft aims to provide an additional layer of protection against sophisticated attacks targeting the kernel (Windows IT Pro Blog).
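One way to confirm on a given Cloud PC that VBS, Credential Guard and HVCI are running rather than only configured is to read the `Win32_DeviceGuard` CIM class. This is an added example, not code from Microsoft or the cited articles; the function name `Get-VbsPosture` and the sample object are constructed for illustration.

```powershell
# Added example: summarise VBS, Credential Guard and HVCI state from Win32_DeviceGuard.
function Get-VbsPosture {
    param(
        # Object carrying the Win32_DeviceGuard properties; a live query is used if omitted.
        $DeviceGuard
    )
    if ($null -eq $DeviceGuard) {
        $DeviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    }

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsText   = @{ 0 = 'Disabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $vbsStatus = [int]$DeviceGuard.VirtualizationBasedSecurityStatus

    # Service IDs in SecurityServicesConfigured / SecurityServicesRunning:
    # 1 = Credential Guard, 2 = HVCI (memory integrity)
    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)

    [pscustomobject]@{
        Vbs                       = $vbsText[$vbsStatus]
        CredentialGuardConfigured = $configured -contains 1
        CredentialGuardRunning    = $running -contains 1
        HvciConfigured            = $configured -contains 2
        HvciRunning               = $running -contains 2
        # All three protections described above are active only if this is True.
        AllRunning                = ($vbsStatus -eq 2) -and
                                    ($running -contains 1) -and
                                    ($running -contains 2)
    }
}

# Constructed sample (not captured from a real Cloud PC):
# VBS and Credential Guard are running, HVCI is configured but not running.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(1)
}
Get-VbsPosture -DeviceGuard $sample

# On a Cloud PC, call it without arguments to query the live state:
# Get-VbsPosture
```

A device where a `Configured` column is True but the matching `Running` column is False has the setting applied without the protection being in effect, which is the case worth alerting on.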

Legacy Authentication and ActiveX Controls

In addition to the security enhancements for Cloud PCs, Microsoft is also updating security defaults for Microsoft 365 tenants. Starting in July, access to SharePoint, OneDrive, and Office files via legacy authentication protocols will be blocked. This change is part of a broader effort to phase out outdated authentication methods that are more susceptible to attacks. Furthermore, Microsoft has disabled all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps, reducing the attack surface for potential exploits (Bleeping Computer).

Notification and Configuration Options for IT Administrators

To ensure a smooth transition to the new security defaults, Microsoft will display notification banners in the Intune Admin Center. These banners will alert IT administrators about the changes and provide guidance on how to manage them. Administrators will have the option to override the new defaults using Intune device configuration policies or Group Policy Objects if specific redirection capabilities are required for their end-users (Bleeping Computer).
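To see where such overrides have re-enabled a redirection, an administrator can read the Remote Desktop Services policy values on the session host. This is an added example, not code from Microsoft or the cited articles: the article does not name the settings involved, so the mapping to the standard RDS device-redirection policy values (and of "USB" to Plug and Play device redirection) is an assumption, and `Get-RedirectionPolicyState` is a hypothetical helper.

```powershell
# Added example: list RDS redirection policy values so overrides are visible.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> redirection it controls (1 = redirection blocked).
# Assumption: fDisablePNPRedir is used here for the article's "USB" redirection.
$RedirectionPolicies = [ordered]@{
    fDisableClip     = 'Clipboard'
    fDisableCdm      = 'Drive'
    fDisablePNPRedir = 'Plug and Play device (USB)'
    fDisableCpm      = 'Printer'
}

function Get-RedirectionPolicyState {
    param(
        # Hashtable of policy values; the live registry key is read if omitted.
        $Values
    )
    if ($null -eq $Values) {
        $Values = @{}
        $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        foreach ($name in $RedirectionPolicies.Keys) {
            if ($item -and $null -ne $item.$name) { $Values[$name] = $item.$name }
        }
    }
    foreach ($name in $RedirectionPolicies.Keys) {
        $state = if (-not $Values.ContainsKey($name)) { 'NotConfigured' }
                 elseif ($Values[$name] -eq 1)        { 'Blocked' }
                 else                                 { 'AllowedByPolicy' }
        [pscustomobject]@{
            Redirection = $RedirectionPolicies[$name]
            Policy      = $name
            State       = $state
        }
    }
}

# Constructed sample: clipboard blocked, drive redirection re-enabled by an override,
# no policy present for the other two.
Get-RedirectionPolicyState -Values @{ fDisableClip = 1; fDisableCdm = 0 } | Format-Table

# On a Cloud PC or session host, read the live policy key instead:
# Get-RedirectionPolicyState | Format-Table
```

`NotConfigured` only means no policy value is present on the machine; the effective behaviour then depends on whatever default applies, so `AllowedByPolicy` rows are the ones to review against a documented business need.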

Azure Virtual Desktop Integration

The security enhancements for Windows 365 Cloud PCs are also being extended to Azure Virtual Desktop. Newly created host pools for Azure Virtual Desktop will have the same security defaults applied, including the disabling of certain redirections and the enabling of VBS, Credential Guard, and HVCI. This integration ensures that organizations using both Windows 365 and Azure Virtual Desktop can benefit from a consistent security framework across their virtual environments (Bleeping Computer).

Impact on Hybrid Work Environments

The security enhancements for Windows 365 Cloud PCs are particularly relevant in the context of hybrid work environments. As organizations continue to adopt flexible work models, the need for secure and reliable cloud-based solutions has become increasingly important. By implementing these security defaults, Microsoft aims to provide organizations with the tools they need to protect their data and maintain compliance with industry standards, regardless of where their employees are working (Neowin).

Future Developments and Customer Support

Microsoft’s commitment to enhancing the security of Windows 365 Cloud PCs is part of a broader strategy to continuously improve its cloud services. The company has indicated that it will continue to roll out new features and updates to address emerging security challenges. Additionally, Microsoft is offering a 20% discount on all Windows 365 plans to new customers, demonstrating its commitment to supporting organizations during these changing times (Windows Experience Blog).

Conclusion

The introduction of new security defaults for Windows 365 Cloud PCs marks a significant advancement in Microsoft’s efforts to provide a secure and reliable cloud computing experience. By implementing these changes, organizations can better protect their data and reduce the risk of cyber threats. The integration of these security features with Azure Virtual Desktop ensures a consistent security framework across virtual environments, which is crucial for organizations adopting hybrid work models. As Microsoft continues to roll out new features and updates, it remains committed to addressing emerging security challenges and supporting organizations in navigating the complexities of modern cybersecurity (Neowin).
