What just happened? Cloud-based Windows installs are generally more secure than local setups, especially against physical and network attacks targeting endpoint devices. Now, Microsoft is raising the bar further by enhancing security features specifically for Windows 365 Cloud PCs.
Microsoft recently announced two security-focused changes to the Windows 365 Cloud PC platform. The subscription-based service will soon disable all user-level file redirections and enable several virtualization-based security features to strengthen data and code integrity. Both changes will be enabled by default, though specific admin settings could complicate implementation.
Redmond said "select redirections," including clipboard, drive, USB, and printer redirections, will be disabled by default on newly provisioned or reprovisioned Cloud PCs. This change aims to reduce risks like data theft and malware, but it could negatively affect user experience. For example, Microsoft explained that accessing a file will disable the clipboard, making it impossible to copy files between the Cloud PC and physical devices.
While USB redirections are disabled by default, devices managed through "high-level redirections" won't be affected. Mice, keyboards, and webcams fall into this category and should continue working as expected. Additionally, existing provisioning policies ensure that Windows 365 Frontline Cloud PCs in shared mode remain unaffected.
Disabling redirections should make Windows Cloud PCs more secure and better aligned with Microsoft's Secure Future Initiative. Windows 365 Cloud PC offers access to a limited Windows environment hosted on Microsoft's cloud platform. The company introduced the service as a more productive way to use Windows while improving security and resilience for enterprise organizations.
The supposedly secure Cloud PC platform now needs even more security – along with a bit of user-level frustration since people still need to work with files, whether they're local or in the cloud. Microsoft introduced the Windows 365 Cloud PC service a few years ago and has steadily added new features. It's now even selling a $350 "dumb" terminal designed solely to access Windows images hosted in the cloud.
Microsoft will begin rolling out changes to file and device redirection policies in the second half of 2025. System administrators will need to manually reenable these features through Intune or GPO if they want to restore them. Meanwhile, Microsoft activated the new virtualization-based security enhancements in May 2025, offering what's likely a more user-friendly way to improve protection on the cloud platform.
Microsoft now includes virtualization-based security (VBS), Credential Guard, and HVCI by default on Cloud PCs running Windows 11. VBS uses hardware virtualization to create a secure memory enclave for critical processes. Credential Guard builds on this foundation to protect access credentials. Memory integrity, also known as HVCI, enforces kernel-level code integrity by allowing only verified code to run.
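
To confirm that these three protections are actually running on a given Cloud PC, an administrator can read the `Win32_DeviceGuard` CIM class. The script below is an added example, not code from the article or from Microsoft; the function name `Get-VbsPosture` is hypothetical and the sample object is constructed so the decoding logic can be read without a live machine.

```powershell
# Added example: decode Win32_DeviceGuard into the three features named above.
function Get-VbsPosture {
    param(
        # Any object exposing VirtualizationBasedSecurityStatus and
        # SecurityServicesRunning (the live CIM instance or a test object).
        [Parameter(Mandatory)] $DeviceGuard
    )
    # VirtualizationBasedSecurityStatus: 0 = not enabled,
    # 1 = enabled but not running, 2 = enabled and running.
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $status = [int]$DeviceGuard.VirtualizationBasedSecurityStatus

    # SecurityServicesRunning is an array: 1 = Credential Guard, 2 = HVCI.
    $running = @($DeviceGuard.SecurityServicesRunning | ForEach-Object { [int]$_ })

    [pscustomobject]@{
        VbsStatus       = if ($vbsStates.ContainsKey($status)) { $vbsStates[$status] } else { "Unknown ($status)" }
        CredentialGuard = $running -contains 1
        MemoryIntegrity = $running -contains 2
        # Features from the new default set that are not active on this machine.
        Missing         = @(
            if ($status -ne 2)           { 'VBS' }
            if ($running -notcontains 1) { 'Credential Guard' }
            if ($running -notcontains 2) { 'HVCI' }
        )
    }
}

# Constructed sample (not captured from a real Cloud PC):
# VBS is running with HVCI, but Credential Guard is not active.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesRunning           = @(2)
}
Get-VbsPosture -DeviceGuard $sample | Format-List

# On Windows, evaluate the machine the script is running on.
if ($env:OS -eq 'Windows_NT') {
    $live = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($live) {
        Get-VbsPosture -DeviceGuard $live | Format-List
    } else {
        Write-Warning 'Win32_DeviceGuard is not available on this system.'
    }
}
```

A non-empty `Missing` list on a Windows 11 Cloud PC means the machine does not match the defaults described above and is worth checking against its Intune or GPO configuration.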