MC1250927: Windows Deployment Services (WDS): Hands-free deployment hardening (Phase 2)

🚨
Major Update: This post contains a significant change that may impact your organisation.

As announced in January 2026, the unattend.xml file used in hands-free deployment is exposed when it is transmitted over an unauthenticated RPC channel. Beginning with the April 2026 security update, IT admins should prepare for the second phase of hardening for CVE-2026-0386. In this phase hands-free deployment is disabled by default to enforce secure behaviour. After the update, hands-free deployment no longer works unless it is explicitly re-enabled through registry settings.

When will this happen:
Starting with the April 2026 security update, Windows Deployment Services (WDS) enforces secure-by-default behaviour by automatically disabling hands-free deployment.

How this will affect your organization:
After the April 2026 security update is installed, hands-free deployment is blocked so that unattend.xml can no longer be retrieved over the unauthenticated RPC channel, enforcing the hardening requirements for CVE-2026-0386. Any workflow that relies on unattend.xml-based deployment stops working unless the secure default is overridden with registry settings.

What you need to do to prepare:
Organizations that still require hands-free deployment after installing the April 2026 security update must explicitly override the secure default by setting the AllowHandsFreeFunctionality registry value to 1. This keeps unattend.xml-based deployments operational but reintroduces the risk described in CVE-2026-0386: unattend.xml is again served over the unauthenticated channel. When the override is in place, devices log diagnostic messages indicating that they are operating in an insecure mode. Because this configuration is not recommended for long-term use, IT admins should plan to migrate to alternative deployment solutions and return to secure-by-default behaviour.

Additional information:
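The following PowerShell is an added example for auditing and managing the override described above; it is not code from the Message Center post or from Microsoft. The value name AllowHandsFreeFunctionality and the meaning of 1 are taken from the text above. The registry key that holds the value is not named on this page, so it is an assumption passed in as a parameter that the admin fills from the CVE-2026-0386 guidance; the log file path is also an assumption.

```powershell
# Added example, not from the Message Center post. Assumption: the registry key
# holding AllowHandsFreeFunctionality is supplied by the admin from the
# CVE-2026-0386 guidance; this page names only the value and the meaning of 1.

function Get-WdsHandsFreeOverride {
    # Report whether a WDS server is running with the insecure override.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,   # e.g. 'HKLM:\...' (from the KB)
        [string] $ValueName = 'AllowHandsFreeFunctionality'
    )
    $item  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
    $state = if ($value -eq 1) {
        'INSECURE: hands-free override active (CVE-2026-0386 risk reintroduced)'
    } elseif ($null -eq $value) {
        'Secure default (value not set)'
    } else {
        "Secure default (value = $value)"
    }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        KeyPath          = $KeyPath
        ValueName        = $ValueName
        Value            = $value
        # Only an explicit 1 re-enables hands-free deployment; absent or other values
        # leave the secure default in force.
        HandsFreeEnabled = ($value -eq 1)
        State            = $state
    }
}

function Set-WdsHandsFreeOverride {
    # Explicitly re-enable hands-free deployment (1) or return to the secure
    # default (0). Supports -WhatIf/-Confirm so the change can be rehearsed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $Value,
        [string] $ValueName = 'AllowHandsFreeFunctionality',
        [string] $LogPath   = "$env:ProgramData\WdsHandsFreeOverride.log"  # assumed location
    )
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $Value")) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value -Type DWord
        # Record the exception so the override can be reviewed and removed later.
        "$(Get-Date -Format o) $env:COMPUTERNAME set $ValueName=$Value under $KeyPath" |
            Add-Content -Path $LogPath
    }
}

# Usage (run on each WDS server; substitute the key path from the KB):
# Get-WdsHandsFreeOverride -KeyPath 'HKLM:\<path from CVE-2026-0386 guidance>'
# Set-WdsHandsFreeOverride -KeyPath 'HKLM:\<path from CVE-2026-0386 guidance>' -Value 1 -WhatIf
# Set-WdsHandsFreeOverride -KeyPath 'HKLM:\<path from CVE-2026-0386 guidance>' -Value 0
```

Run the Get function across the WDS fleet (for example via Invoke-Command) and alert on any server where HandsFreeEnabled is true; the Set function with -Value 0 is the step that returns a server to the secure default once the migration to another deployment method is complete.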