MC1035715 – Plan for Change: Enhanced Security for Windows 365 Cloud PCs with Default VBS, Credential Guard and HVCI

Product:

Intune, Windows 365

Platform:

Online, Windows Desktop, World tenant

Status:

Change type:

New feature, User impact, Admin impact

Links:

Details:

Summary:
Enhanced security features (VBS, Credential Guard, HVCI) will be enabled by default on new and reprovisioned Windows 365 Cloud PCs starting end of April 2025. Existing Cloud PCs can enable these via Windows Security or Intune. No preparation needed; disabling these features increases security risks. More details in Microsoft documentation.

Details:
To strengthen security against evolving cybersecurity threats, Virtualization-Based Security (VBS), Credential Guard, and Hypervisor-Protected Code Integrity (HVCI) will be enabled by default on all newly provisioned and reprovisioned Windows 365 Cloud PCs. This change will start at the end of April 2025 and will gradually roll out over the following 1-2 months for all customers. This update enhances protection against credential theft and kernel-level exploits, ensuring Cloud PCs are secure without requiring manual configuration. For existing Cloud PCs, you can enable these security features through either Windows Security or Intune. For more information, please visit enable virtualization-based protection of code integrity.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-03-19

updated:
2025-03-19

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Preperations

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

Security Feature Activation
Enabling VBS, Credential Guard, and HVCI by default may lead to compatibility issues with legacy applications that are not designed to work with these security features, potentially disrupting user workflows.
   - roles: IT Admin, End User
   - references: https://learn.microsoft.com/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security#how-to-turn-on-memory-integrity, https://learn.microsoft.com/windows-hardware/design/device-experiences/oem-vbs

Performance Overhead
The activation of these security features may introduce performance overhead on some devices, leading to slower response times and affecting user experience during resource-intensive tasks.
   - roles: End User, IT Support
   - references: https://learn.microsoft.com/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security#how-to-turn-on-memory-integrity, https://learn.microsoft.com/windows-hardware/design/device-experiences/oem-vbs

User Training and Awareness
Users may require training or awareness sessions to understand the implications of these new security features, as they may not be familiar with the changes and their benefits, potentially leading to confusion.
   - roles: End User, Training Coordinator
   - references: https://learn.microsoft.com/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security#how-to-turn-on-memory-integrity, https://learn.microsoft.com/windows-hardware/design/device-experiences/oem-vbs

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Automated Security Compliance Monitoring
Implementing automated tools to monitor compliance with VBS, Credential Guard, and HVCI settings across all Cloud PCs can help ensure that security configurations remain intact and any deviations are promptly addressed. This will reduce the administrative burden on IT staff and enhance overall security posture.
   - next-steps: Research and select compliance monitoring tools that integrate with Intune. Develop a deployment plan for these tools across the organization.
   - roles: IT Security Administrators, System Administrators, Compliance Officers
   - references: https://learn.microsoft.com/en-us/mem/intune/protect/protect-devices, https://www.csoonline.com/article/3622972/how-to-automate-compliance-monitoring-for-cloud-environments.html

User Training and Awareness Programs
Creating targeted training programs to educate users about the importance of VBS, Credential Guard, and HVCI can improve user compliance and reduce the likelihood of disabling these critical security features. This will enhance the overall security culture within the organization.
   - next-steps: Develop training materials and schedule sessions to educate employees on the benefits of these security features. Utilize feedback to refine the training approach.
   - roles: HR Managers, IT Security Trainers, Department Heads
   - references: https://www.sans.org/security-awareness-training/, https://www.csoonline.com/article/3257884/the-importance-of-security-awareness-training.html

Streamlined IT Administrative Processes
By automating the enabling of VBS, Credential Guard, and HVCI through Intune policies, IT administrators can reduce the time spent on manual configurations, allowing them to focus on more strategic initiatives. This will also ensure consistency across devices.
   - next-steps: Review current Intune policies and update them to include automatic enabling of these security features for all new and reprovisioned Cloud PCs. Test the policies in a controlled environment before full deployment.
   - roles: IT Administrators, IT Operations Managers, Help Desk Staff
   - references: https://learn.microsoft.com/en-us/mem/intune/protect/protect-devices, https://www.techrepublic.com/article/how-to-use-intune-to-manage-windows-10-security-settings/

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

XXXXXXX ... free basic plan only