In a significant move to enhance enterprise security, Microsoft is updating the default configuration for Windows 365. Effective now, several Remote Desktop Protocol (RDP) device redirections will be disabled by default for all newly provisioned and reprovisioned Cloud PCs.
This “secure by default” approach is a key part of the Microsoft Secure Future Initiative (SFI), designed to provide a more secure computing experience out of the box by minimizing potential data security risks.
What Is Changing?
When a new Cloud PC is provisioned or an existing one is reprovisioned, the following device redirections will now be disabled by default:
- Clipboard Redirection: Prevents copying and pasting data between the local device and the Cloud PC.
- Drive Redirection: Restricts access to local drives (e.g., C: drive, USB sticks) from within the Cloud PC session.
- Opaque Low-Level USB Redirection: Disables the redirection of a wider range of USB devices.
- Printer Redirection: Prevents the user from accessing their local printers from the Cloud PC.
Important: This change only affects newly provisioned and reprovisioned Cloud PCs. The settings for your existing, active Cloud PCs will not be changed automatically.
Why Is This Change Being Made?
The primary goal of this update is to reduce the risk of two major security threats:
- Data Exfiltration: By disabling drive and clipboard access by default, it becomes much harder for sensitive corporate data to be moved from the secure Cloud PC environment to a less secure local device.
- Malware Injection: Restricting access from local drives and USB devices minimizes the chance of malware being transferred from a user’s local machine to the Cloud PC and the corporate network.
How to Manage These Settings
While these features are now disabled by default, administrators still have full control. If your business processes require the use of clipboard, local drives, or printers, you can re-enable these redirections through your device management policies.
This change ensures that enabling these access channels is a deliberate administrative choice rather than an overlooked default setting.
For detailed instructions on how to configure and manage these RDP settings for your organization, please refer to the official Microsoft documentation:
