Microsoft to disable insecure WDS hands-free deployments after CVE-2026-0386
Microsoft is moving to block insecure hands-free deployments in Windows Deployment Services after disclosing CVE-2026-0386, a high-severity remote code execution vulnerability. The issue affects the way WDS handles Unattend.xml during automated network deployments, and Microsoft says attackers on the same network could intercept sensitive data or use the weakness to run code.
The change matters for organizations that use WDS to deploy Windows 11 and Windows Server images at scale. It does not mean Microsoft is blocking Windows 11 installations themselves. Instead, Microsoft is hardening the Windows Server-side deployment workflow that many IT teams use to roll out operating systems over PXE.
Microsoft says the vulnerable scenario involves Unattend.xml being sent over an unauthenticated RPC channel and exposed through the RemoteInstall share. If that happens, an attacker on an adjacent network may be able to capture credentials from the answer file or interfere with the deployment process. Microsoft rates the flaw at CVSS 7.5 and classifies it as improper access control.
The company has already started a two-phase hardening plan. Phase 1 began on January 13, 2026, when Microsoft introduced logging and registry controls so administrators could disable the insecure behavior themselves. Phase 2 arrives with the April 2026 security update, when hands-free deployment becomes disabled by default unless admins explicitly turn it back on.
That default block could disrupt existing deployment pipelines if admins do nothing. Microsoft warns that organizations that take no action between January and April 2026 will find hands-free deployment blocked after the April update. For many IT teams, that means now is the time to audit WDS, check for Unattend.xml usage, and move to a safer deployment method if they still rely on this workflow.
One important detail often gets lost in summaries of this issue. Microsoft says Configuration Manager is not affected. According to the company, ConfigMgr uses WDS only for boot.wim and network bootstrap files, not for the insecure Unattend.xml mechanism behind CVE-2026-0386. That narrows the impact, but native WDS users still face a real security and operations problem.
What Microsoft is changing
| Phase | Date | What happens |
|---|---|---|
| Phase 1 | January 13, 2026 | Hands-free deployment still works, but admins can disable it and use new event logging plus registry controls |
| Phase 2 | April 2026 | Hands-free deployment becomes blocked by default unless admins explicitly override the setting |
Affected platforms
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server, version 23H2
- Windows Server 2025
- Older supported server releases listed in Microsoft and NVD guidance, including legacy Server 2008 and 2012 lines under special support paths
What admins should do now
- Apply a Windows security update released on or after January 13, 2026.
- Check whether your WDS environment uses `Unattend.xml` for hands-free deployments.
- Set `AllowHandsFreeFunctionality=0` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend` to enforce secure behavior.
- Monitor the `Microsoft-Windows-Deployment-Services-Diagnostics/Debug` log for warnings and errors tied to insecure unattend requests.
- Plan a migration to supported alternatives, such as Windows Autopilot or other modern deployment methods, instead of depending on insecure WDS automation.
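The following PowerShell script walks the checklist above on a WDS server: it confirms the host has an update from the Phase 1 date or later, reads the `AllowHandsFreeFunctionality` value, looks for answer files on the `RemoteInstall` share, pulls warnings and errors from the WDS Debug channel, and, with `-Enforce`, writes the secure value. It is an added example written for this page, not a Microsoft script or anything from the article. It assumes the deployment folder can be found by resolving the SMB share named `RemoteInstall`, that the Debug channel may need to be enabled before it records events, that the relevant events contain the word "unattend" in their message text, and that the `WdsServer` service must be restarted for the registry change to take effect; none of those details are stated on the page.

```powershell
<#
  Added example (not from the article and not a Microsoft script): audit a WDS
  server for the insecure hands-free Unattend.xml path behind CVE-2026-0386 and,
  with -Enforce, apply the secure registry setting. Run elevated on the WDS server.

  Assumptions not stated in the article:
    - the RemoteInstall folder is located by resolving the SMB share of that name;
    - the Debug channel may be disabled and must be enabled to collect events;
    - events of interest contain "unattend" in their message text;
    - the WdsServer service is restarted so the new registry value takes effect.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce    # write AllowHandsFreeFunctionality=0; otherwise audit only
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend'
$valName = 'AllowHandsFreeFunctionality'
$logName = 'Microsoft-Windows-Deployment-Services-Diagnostics/Debug'
$phase1  = [datetime]'2026-01-13'   # Phase 1 controls ship in updates from this date on

# 1. Is the host patched to a level that carries the Phase 1 logging and registry controls?
$newest  = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patched = ($null -ne $newest) -and ($newest.InstalledOn -ge $phase1)

# 2. Current state of the hands-free control. Absent = platform default, which stays
#    insecure until the April 2026 update flips it; 1 = explicit insecure override.
$current = (Get-ItemProperty -Path $regPath -Name $valName -ErrorAction SilentlyContinue).$valName
if ($null -eq $current)   { $state = 'not set (relies on the platform default)' }
elseif ($current -eq 1)   { $state = 'INSECURE (explicitly overridden to 1)' }
elseif ($current -eq 0)   { $state = 'secure (hands-free disabled)' }
else                      { $state = "unexpected value $current" }

# 3. Evidence that the insecure workflow is actually in use: answer files on the RemoteInstall share.
$answerFiles = @()
$share = Get-SmbShare -Name 'RemoteInstall' -ErrorAction SilentlyContinue
if ($share) {
    $answerFiles = @(Get-ChildItem -Path $share.Path -Recurse -File -Include '*unattend*.xml' -ErrorAction SilentlyContinue)
}

# 4. Warnings and errors in the WDS Debug channel. Debug/Analytic channels must be
#    enabled and can only be read oldest-first, hence -Oldest.
if ($PSCmdlet.ShouldProcess($logName, 'Enable Debug channel')) {
    wevtutil.exe set-log $logName /enabled:true 2>$null
}
$suspect = @(Get-WinEvent -LogName $logName -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 -and $_.Message -match 'unattend' })   # 1=Critical 2=Error 3=Warning

# 5. Optionally enforce the secure setting ahead of the April 2026 default.
if ($Enforce -and $PSCmdlet.ShouldProcess($regPath, "Set $valName = 0")) {
    New-Item -Path $regPath -Force | Out-Null
    New-ItemProperty -Path $regPath -Name $valName -Value 0 -PropertyType DWord -Force | Out-Null
    Restart-Service -Name WdsServer          # assumption: restart needed for the value to apply
    $state = 'secure (hands-free disabled)'
}

# Summary object; pipe to Format-List or export for change tracking.
[pscustomobject]@{
    Phase1PatchPresent = $patched
    HandsFreeSetting   = $state
    AnswerFilesOnShare = $answerFiles.Count
    SuspectDebugEvents = $suspect.Count
    Action             = if ($state -like 'secure*') { 'none' }
                         else { 'set AllowHandsFreeFunctionality=0 or migrate off hands-free WDS' }
}
```

Run it once without `-Enforce` to see whether the share still holds answer files and whether the Debug channel is already recording unattend-related warnings; a non-zero `AnswerFilesOnShare` count with the value not set is the combination that will break in April if nothing changes. `-WhatIf` is honoured for both the channel enable and the registry write.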
Why this vulnerability matters
The security risk goes beyond a failed deployment. In Microsoft’s description, the flaw can expose sensitive setup data and create a path to credential theft or remote code execution from an adjacent network. In enterprise environments, deployment systems often sit close to core infrastructure, so even a niche weakness can become serious if it touches credentials or trusted imaging workflows.
The April change also puts pressure on organizations that still depend on older deployment habits. Microsoft is allowing a temporary override by setting AllowHandsFreeFunctionality=1, but the company clearly says that this is not a secure configuration. Admins can use it as a short bridge, but Microsoft wants customers to phase out this workflow rather than keep it in place long term.
FAQ
What is CVE-2026-0386?
It is a Windows Deployment Services vulnerability caused by improper access control. Microsoft says it can allow unauthorized code execution over an adjacent network.
Is Microsoft blocking Windows 11?
No. Microsoft is not blocking Windows 11 itself. The change affects insecure hands-free deployment behavior in WDS on Windows Server systems that admins use to deploy Windows images.
When does hands-free deployment get blocked?
Microsoft says the secure-by-default change arrives with the April 2026 security update. If admins do nothing before then, hands-free deployment will be blocked automatically.
Can admins keep hands-free deployment enabled?
Yes, but only by setting the registry value to 1. Microsoft warns that this keeps the insecure behavior in place and should only serve as a temporary workaround.
Is Configuration Manager affected?
No. Microsoft says Configuration Manager does not use the vulnerable Unattend.xml mechanism involved in this issue.