Microsoft quietly rolled out two important updates to Windows 365 in recent weeks — one security-focused, one operational. Both deserve your attention if you’re managing Cloud PC deployments.


1. Built-in Administrator Account Disabled During Provisioning

Week of June 8, 2026 — As of June 8, newly provisioned Windows 365 Cloud PCs no longer have the built-in local Administrator account enabled by default. This applies across the board:

  • Windows 365 Enterprise
  • Windows 365 Flex (Dedicated and Shared)
  • Windows 365 Reserve

Why This Matters

The built-in Administrator account is a well-known, fixed-name privileged identity. Having it auto-enabled on every Cloud PC creates an unnecessary attack surface — it’s a target for brute-force attacks, credential stuffing, and any malware that assumes its existence. Most organizations never actively use this account anyway, but its presence adds risk and confusion.

Microsoft’s rationale is straightforward: remove a privileged account that isn’t needed, and force explicit, policy-driven decisions about local admin access.

What Changes for IT Admins

If your workflows assumed a local Administrator account existed on Cloud PCs, they’ll break on newly provisioned machines. Specifically:

  • Support runbooks that say “log in as local admin” will fail
  • Scripts using hardcoded Administrator credentials for remote PowerShell or RDP need to be refactored
  • Third-party tools that require the local Administrator account may error out
  • Break-glass procedures that relied on the built-in admin as a fallback when Entra/Intune access broke no longer work

How to Adapt

The shift is from local-account-driven to identity-and-policy-driven admin access:

  1. Use Intune to manage local admin group membership explicitly. Create device configuration policies that add specific support accounts or admin groups to the local Administrators group on Cloud PCs. This gives you controlled, auditable local admin access without a generic account.

  2. Adopt just-in-time (JIT) local admin models. Instead of permanent local admin rights, use privilege management solutions or LAPS-style patterns to grant time-bound elevation to named accounts.

  3. Leverage Windows 365 remote management. Most admin tasks — restart, reprovision, place on hold, policy changes — can be done through the Intune portal without ever needing local admin logon.

  4. Define break-glass accounts at the Entra level. Use Entra ID roles with MFA and conditional access rather than a local account that bypasses those controls.

  5. Update documentation and training. Remove every reference to the built-in Administrator account from your SOPs, runbooks, and helpdesk training materials.

Existing Cloud PCs

This change applies to newly provisioned Cloud PCs. Existing Cloud PCs may retain previous local admin configurations until they’re re-provisioned or rebuilt. Plan accordingly — don’t assume the change is retroactive.

Combined With PowerShell Hardening

This change doesn’t exist in isolation. Windows 365 is also applying more restrictive PowerShell execution policies by default during provisioning. Together, these two changes signal a clear direction: Cloud PCs are cloud-managed first, and local admin access should be explicit, controlled, and auditable — not assumed.


2. More Flexible Device Naming for Windows 365 Flex Shared Mode

Week of July 6, 2026 — Admins can now create more flexible device naming templates for Windows 365 Flex Cloud PCs in shared mode. The updated rules:

  • Device names: 5–15 characters
  • Prefix: up to 10 characters, with hyphen support
  • Required suffix: random alphanumeric string of at least 5 characters
  • Full hyphen flexibility within the prefix

Context

This builds on the June 1 public preview that introduced flexible naming templates for Flex Shared. The July 6 update appears to be the general availability / expanded version, aligning naming capabilities across all Windows 365 offerings — Enterprise, Flex Dedicated, and Flex Shared.

Why This Matters

Consistent naming conventions are critical for:

  • Asset management and inventory tracking — matching Cloud PC names to physical device naming schemes
  • Downstream tooling compatibility — reporting systems, monitoring tools, and scripts that parse device names
  • Business unit identification — encoding department, location, or role information in the device name
  • Simplified transitions — when users move from physical PCs to Cloud PCs, consistent naming reduces confusion and tooling changes

What to Do

If you’re managing Windows 365 Flex shared deployments and were previously constrained by naming limitations, review your provisioning policies. You can now apply the same naming standards across all your Windows 365 Cloud PC types — no more special-case rules for Flex Shared.


Action Items

  1. Audit your scripts and runbooks for any references to the built-in Administrator account on Cloud PCs — update them before your next provisioning cycle
  2. Create Intune policies for explicit local admin group membership on Cloud PCs if you haven’t already
  3. Review your Flex Shared provisioning policies to take advantage of the expanded naming flexibility
  4. Update helpdesk documentation to reflect the new admin access model
  5. Plan for re-provisioning if you need the security hardening applied to existing Cloud PCs

The Bigger Picture

These updates fit Microsoft’s broader pattern of security-first cloud management:

  • Removing default privileged accounts
  • Restricting PowerShell execution by default
  • Pushing admins toward Entra ID-based identity and Intune-based policy management
  • Reducing the gap between different Windows 365 offerings (Enterprise, Flex, Reserve)

The message is clear: Cloud PCs should be managed through cloud identity and policy — not through legacy local admin patterns. If your organization is still treating Cloud PCs like traditional on-prem machines with local admin fallbacks, these changes are your signal to modernize.


Big Hat Group helps organizations deploy and optimize Windows 365 and Microsoft Intune environments. Need help updating your Cloud PC management strategy? Get in touch.

Follow us on X @bighatgroup for daily Microsoft ecosystem updates.