MC1113663: Plan for Change: Windows 365 Strengthening Security by Default: Redirections Disabled for Newly Provisioned Cloud PCs

As mentioned in MC1056257, as part of Microsoft’s Secure Future Initiative (SFI), Windows 365 is enhancing the default security of Cloud PCs by disabling clipboard, drive, USB, and printer redirections for all newly provisioned and reprovisioned Cloud PCs. This change minimizes the risk of data exfiltration and malware injections, providing a more secure experience by default. IT admins can enable these redirections as needed using either the Intune Settings Catalog or Group Policy (GPO).

How This Will Affect Your Organization:

The rollout of this change will begin in August 2025 and will gradually take place over 1-4 months for all customers. To help admins prepare, a banner will be displayed in the Microsoft Intune Admin Center on the provisioning policy, individual device action, and bulk action pages. This banner will notify admins of the new default settings for newly provisioned or reprovisioned Cloud PCs and provide documentation on how to override them by creating Intune device configuration policies or GPO.

Admin Impact:

• Manual configuration required: For users that require redirection, IT admins must manually enable redirections through Intune policies or GPO if needed.
• Minor change in the Microsoft Intune admin center: Banners will be placed across key Intune pages to inform admins ahead of the change.

End User Impact:

• Default settings change: Clipboard, drive, USB, and printer redirections will be disabled by default on first-time access to Cloud PCs.

What You Need to Do to Prepare:

• Understand the change: Review the new redirections default settings and their impact on provisioning and reprovisioning Cloud PCs. If redirections are required, enable them for the users who require redirections using multiple device configurations. For Intune-managed redirections, please see the following documentation. For GPO-managed redirections, please see this documentation.
• If an administrator needs to revert the redirection settings, they can use their established management controls. Alternatively, they can leverage Intune's built-in device groups and filters. For detailed instructions, refer to the section "Use the 'All devices' group and device filters" in the official Microsoft blog post. This method offers the quickest way to revert the redirection settings to be enabled.
• Communicate with your end users: Inform your end users of the new default settings and provide instructions for requesting redirection enablement if needed.

Additional Information:

• Windows 365 Post-Provisioning Configuration