Microsoft has rolled out a public preview of context-based redirections for Windows 365, giving IT administrators dynamic control over data flows to and from cloud PCs. The feature, which entered preview in June 2026, allows organizations to enforce conditional access policies on clipboard copy-paste, drive mounting, printer access, and USB redirection based on real-time user sign-in context. For the first time, hardware and data redirection controls can adapt to signals like device compliance, network location, and Entra ID authentication strength, rather than relying on static, one-size-fits-all settings.
This release targets Windows 365 Enterprise and Flex dedicated Cloud PC deployments, where data isolation is paramount. By tying redirection rights to Conditional Access authentication context, Microsoft is essentially erecting a dynamic perimeter around cloud desktops—one that tightens or loosens based on the trustworthiness of the endpoint and the identity trying to connect.
The Data Leakage Conundrum in Cloud PCs
Windows 365 has long supported redirection capabilities that let users copy files from a local machine to their cloud PC, attach USB drives, or print to local printers. While these features bridge the gap between physical and virtual workspaces, they also create persistent data leakage risks. An employee could, for instance, copy sensitive corporate data from the cloud desktop to a personal laptop’s clipboard, or save confidential files to an unencrypted USB stick—all while the organization’s data loss prevention (DLP) systems remain blind.
Static redirection policies, configured through Remote Desktop Protocol (RDP) properties or Microsoft Intune, have offered some relief. Administrators could block clipboard redirection outright, disable drive redirection, or restrict printer usage. But those settings are binary and inflexible: a user who accesses the same Cloud PC from a compliant managed laptop and an unmanaged home computer would face identical redirection rules. This creates a brittle security model that either hampers productivity or leaves dangerous gaps.
Context-based redirections change that calculus. Now, a policy can allow clipboard usage only when the connection originates from a corporate-managed device that meets Intune compliance policies. A USB drive might be mountable only if the user signed in with phishing-resistant MFA and the device is joined to Entra ID. Printing could be blocked outright from non-corporate networks, but enabled inside the office. The policy engine evaluates these conditions at sign-in—and continuously thereafter—adjusting redirection permissions without user intervention.
How Context-Aware Redirections Work
The underlying engine leverages Conditional Access authentication context, an Entra ID feature designed to enforce granular step-up authentication for sensitive resources. When a user attempts to establish a Windows 365 remote session, the Cloud PC connector tags the sign-in with a predefined authentication context. That tag is then evaluated by Conditional Access policies that administrators configure to either grant or block specific redirection channels.
Crucially, the evaluation does not stop at the initial login. Microsoft has designed the system to continuously monitor signals—device health, network IP, sign-in risk from Entra ID Protection—and dynamically adjust redirection capabilities mid-session. If a user starts a Cloud PC session on a compliant device and later moves to an untrusted network, the clipboard and USB access could be revoked in near real-time.
The preview covers four primary redirection types:
- Clipboard redirection: Controls copy-paste between the local device and the cloud PC. Context-based policies can restrict the clipboard to one direction or block it entirely based on risk.
- Client drive redirection: Governs local drives appearing inside File Explorer on the cloud PC. Policies can now hide drives on non-compliant devices.
- USB redirection: Manages generic USB devices beyond storage, such as smart card readers or printers. Context-based policies can allowlist specific device classes.
- Printer redirection: Determines whether local printers are available for cloud PC print jobs, with the ability to block on unmanaged endpoints.
Microsoft has also indicated that future iterations may extend to microphone, camera, and other peripheral redirections, though these are not included in the initial preview.
Admin Experience and Configuration
Setting up context-based redirections requires a combination of Intune device configuration profiles and Conditional Access policies. Inside the Windows 365 blade, administrators can now select “Context-based redirection (preview)” for Enterprise and Flex dedicated Cloud PCs. This replaces the legacy RDP property-based approach with a policy model tied directly to Entra ID authentication contexts.
A typical workflow goes like this:
- Create an authentication context in Entra ID, e.g., “Compliant-Device-Required” or “High-Security-Session.”
- Configure a Conditional Access policy that uses that context and enforces the desired grant controls, such as requiring a compliant device or a certain MFA strength.
- Define redirection settings within Intune that link to the authentication context—for example, “Allow clipboard redirection only if authentication context ‘Compliant-Device-Required’ is satisfied.”
- Assign the policy to the target Cloud PC provisioning profile.
During user sign-in, the Conditional Access engine evaluates the context and passes the result to the redirection module. If conditions are not met, the corresponding redirection is disabled silently, and the user may see a notification explaining why a feature is unavailable. This transparency helps avoid confusion and reduces help desk calls.
Because the system relies on Conditional Access, it inherits all the compliance and risk signals that platform supports—including device compliance status, Entra ID Join or Hybrid Join state, sign-in risk level, and authentication strengths. Organizations can thus reuse their existing Zero Trust infrastructure without deploying additional plugins or agents.
Benefits for Enterprise and Flex Deployments
Context-based redirections address long-standing pain points in virtual desktop security. For enterprises with distributed workforces, the ability to dynamically control data flows reduces the attack surface without resorting to blanket bans that frustrate users. A knowledge worker can copy text from a research website into a Cloud PC-hosted document on a managed laptop, but the same action might be blocked when they log in from an unmanaged airport kiosk.
For Flex dedicated Cloud PC scenarios—where organizations provision a dedicated virtual desktop for a specific user on a flexible basis, perhaps for a contractor or seasonal worker—the feature ensures that the secure enclave remains sealed when accessed from unvetted devices. An administrator can craft a policy that allows printer redirection only during business hours and from known IP ranges, for example, adding a time-based element to the conditional check.
Another key benefit is simplified compliance. Regulated industries like finance and healthcare can audit redirection decisions through Conditional Access sign-in logs and Azure Monitor, demonstrating that data egress from cloud PCs was permitted only under defined secure conditions. The logs show not just that a user accessed a Cloud PC, but precisely which redirection channels were active during the session and why.
Microsoft’s move also aligns with broader industry trends toward context-aware access in endpoint management. Competitors like Citrix and VMware have long offered session-level policy controls, but they typically require proprietary analytics engines or third-party tools. By building the capability directly into Entra ID Conditional Access, Microsoft reduces complexity and leverages an identity fabric that most enterprises already operate.
Practical Considerations and Limitations
As a public preview, the feature comes with some important caveats. First, it only applies to dedicated Cloud PC instances (Enterprise and Flex dedicated), not to Azure Virtual Desktop or Windows 365 Frontline pooled environments. That limits the addressable audience, though Microsoft has signaled plans to expand the capability over time.
Second, continuous evaluation of redirection relies on Conditional Access session controls, which require a supported client with continuous access evaluation (CAE) capabilities. CAE is available in the latest Windows App for Windows and macOS, as well as the web client, but not all legacy Remote Desktop clients support it. Organizations may need to upgrade their client fleet to fully realize the dynamic mid-session adjustments.
Third, while the UI in Intune and Entra ID provides a wizard-driven experience, crafting effective policies demands a mature understanding of Conditional Access. Administrators must carefully test policies to avoid “redirection gaps” where a user might gain unintended access, or productivity killers where legitimate workflows break. Microsoft recommends using report-only mode first to simulate policy effects before enforcement.
Additionally, context-based controls introduce a dependency on real-time signal fidelity. If a device temporarily loses its compliance status due to a delayed Intune sync, redirections could be blocked unexpectedly, causing user friction. Microsoft is aware of these edge cases and is working on caching mechanisms and grace periods to smooth the experience, but the preview period will be crucial for ironing out such kinks.
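Following the report-only recommendation above, this added example (not Microsoft's code) summarises exported Entra sign-in records to show who would lose a redirection once the Conditional Access policy is enforced, and flags managed devices that failed on compliance, which is where the delayed-sync case would surface. The policy name, context id `c10`, users and records are constructed assumptions; the field names follow the Microsoft Graph signIn resource.

```python
from collections import Counter

POLICY = "W365 redirection - compliant device"  # assumed policy display name
CONTEXT_ID = "c10"                               # assumed authentication context id

def rec(upn, managed, compliant, result, ctx=CONTEXT_ID):
    """Build one constructed record shaped like a Microsoft Graph signIn."""
    return {
        "userPrincipalName": upn,
        "deviceDetail": {"isManaged": managed, "isCompliant": compliant},
        "authenticationContextClassReferences": [{"id": ctx, "detail": "required"}],
        "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": result}],
    }

# Constructed sample data, not real log output.
SAMPLE = [
    rec("alice@contoso.example", True, True, "reportOnlySuccess"),
    rec("bob@contoso.example", False, False, "reportOnlyFailure"),
    rec("carol@contoso.example", True, False, "reportOnlyFailure"),
    rec("dave@contoso.example", True, True, "reportOnlySuccess", ctx="c20"),
]

def report_only_impact(signins, policy=POLICY, context_id=CONTEXT_ID):
    """Summarise what enforcing `policy` would have done to sign-ins that
    required `context_id`, and list managed devices that failed on compliance."""
    counts, would_block, check_sync = Counter(), [], []
    for s in signins:
        ctxs = s.get("authenticationContextClassReferences") or []
        if not any(c.get("id") == context_id and c.get("detail") == "required"
                   for c in ctxs):
            continue  # this sign-in did not require the context under review
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("displayName") != policy:
                continue
            result = p.get("result")
            counts[result] += 1
            if result == "reportOnlyFailure":
                would_block.append(s["userPrincipalName"])
                dev = s.get("deviceDetail") or {}
                # Managed but reported non-compliant: check for a stale
                # compliance state before switching the policy to enforced.
                if dev.get("isManaged") and not dev.get("isCompliant"):
                    check_sync.append(s["userPrincipalName"])
    return {"counts": dict(counts), "would_block": would_block,
            "check_sync": check_sync}

if __name__ == "__main__":
    print(report_only_impact(SAMPLE))
```

Users in `would_block` lose the redirection on enforcement; those also in `check_sync` are on managed devices and deserve a compliance check first.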
What’s Next for Cloud PC Security
The introduction of context-based redirections is a clear signal that Microsoft sees Windows 365 not just as a productivity tool but as a secure compute envelope where identity and access governance must extend to every data channel. The strategy complements other recent security enhancements, such as watermarking for screen capture protection, application-based clipboard restrictions, and integration with Microsoft Purview for sensitivity labeling inside cloud desktops.
Industry analysts expect Microsoft to eventually bundle these context-aware policies with broader Secure Access Service Edge (SASE) capabilities, potentially linking redirection controls to Microsoft Entra Internet Access or Private Access. The goal is a unified policy plane that spans cloud PC, SaaS, and on-premises resources—a cornerstone of the Zero Trust architecture Microsoft has championed.
For IT teams, the preview offers an immediate opportunity to reduce data loss risk without sacrificing usability. Early adopters can begin testing with a subset of users, define granular policies for known high-risk scenarios, and provide feedback through the Windows 365 Tech Community. While general availability hasn’t been announced, Microsoft’s cadence suggests a full release within six to twelve months, likely coinciding with the next major Windows 365 feature update.
The rise of hybrid work has forced organizations to rethink desktop security from the ground up. With context-based redirections, Microsoft is giving administrators a lever to dial security up or down based on live conditions, rather than treating every connection the same way. It’s a pragmatic step toward making cloud PCs safe for the unpredictable, multi-device reality of modern work.