
Microsoft to Block Windows 11 and Server 2025 Automated Installation After Critical RCE Vulnerability


Microsoft has announced a two-phase plan to disable the hands-free deployment feature in Windows Deployment Services (WDS) following the discovery of a critical remote code execution (RCE) vulnerability tracked as CVE-2026-0386.

The flaw, rooted in improper access control, allows an unauthenticated attacker on an adjacent network to intercept sensitive configuration files and execute arbitrary code during network-based OS deployments.

Windows Deployment Services is a server role that enables IT administrators to deploy Windows operating systems remotely over a network, typically using PXE (Preboot Execution Environment) boot.

A core feature of this service, hands-free deployment, relies on an Unattend.xml answer file to automate installation screens, including credential entry, without requiring manual operator intervention. This feature is widely used in enterprise environments to efficiently provision large fleets of machines.

Windows Deployment Services Vulnerability

CVE-2026-0386, published on January 13, 2026, describes an improper access control condition (CWE-284) in WDS that stems from the Unattend.xml file being transmitted over an unauthenticated RPC channel.

Because the answer file is exposed through the RemoteInstall share without authentication, an attacker positioned on the same network segment can intercept the file, steal embedded credentials, or inject malicious code that executes during the deployment process.

Security researchers have noted that a successful exploit could grant SYSTEM-level privileges, enable lateral movement across a domain, and even allow attackers to poison OS deployment images, making this a supply-chain-level risk in enterprise data centers.

Microsoft confirmed the vulnerability carries a CVSS v3.1 vector of AV:A/AC:H/PR:N/UI:N with High impact ratings across Confidentiality, Integrity, and Availability.

The flaw affects Windows Server versions ranging from Server 2008 through Server 2025, including Windows Server 2016, 2019, 2022, and version 23H2.

Two-Phase Hardening Timeline

Microsoft is rolling out mitigations in two stages:

Phase 1 — January 13, 2026: Hands-free deployment remains functional but can be explicitly disabled. New Event Log alerts and registry key controls are introduced, allowing administrators to enforce secure behavior by setting AllowHandsFreeFunctionality = 0 under HKLM\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend.

Phase 2 — April 2026: Hands-free deployment will be fully disabled by default. Administrators who have not applied any registry configuration between January and April 2026 will find the feature automatically blocked following the April security update.

Administrators who absolutely require the feature can temporarily re-enable it by setting AllowHandsFreeFunctionality = 1, but Microsoft explicitly warns this is not a secure configuration and should be treated as a short-term bridge only.

Recommended actions for administrators:

- Review all WDS configurations for Unattend.xml usage immediately.
- Apply the January 13, 2026, or later Windows security update.
- Set AllowHandsFreeFunctionality = 0 to enforce secure behavior before April 2026.
- Monitor Event Viewer for warnings about insecure Unattend.xml access.
- Migrate to alternative deployment methods such as Microsoft Intune, Windows Autopilot, or Microsoft Configuration Manager, which are not affected by this vulnerability.
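The following PowerShell script is an added example (not from the article, the KB article, or Microsoft) showing how an administrator could audit the Phase 1 control described above and, on request, enforce it. The registry path and value name are the ones the article gives; the default RemoteInstall folder location (D:\RemoteInstall) and the decision to report only element locations rather than values are assumptions of this example. Run it elevated on the WDS server.

```powershell
<#
  Added example, not part of the article or of Microsoft's guidance.
  1. Reports whether AllowHandsFreeFunctionality is set and to what.
  2. With -Enforce, sets it to 0 (the secure value the article describes).
  3. Lists Unattend.xml files under the RemoteInstall tree that still carry
     credential-bearing elements, so they can be reviewed before Phase 2.
  Assumptions: the RemoteInstall root default is a guess; adjust it to the
  folder configured for your WDS server.
#>
param(
    # Write AllowHandsFreeFunctionality = 0; without this switch the script only reports.
    [switch]$Enforce,
    # Root of the WDS RemoteInstall folder (assumed default; change to match your server).
    [string]$RemoteInstallRoot = 'D:\RemoteInstall'
)

# Registry location and value name quoted in the article.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend'
$ValueName = 'AllowHandsFreeFunctionality'

function Get-HandsFreeState {
    # Returns 'NotConfigured', 'Disabled' (value 0) or 'Enabled' (any other value).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Set-HandsFreeDisabled {
    # Creates the key if it does not exist yet and sets the DWORD to 0.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
}

function Find-UnattendCredentials {
    param([string]$Root)
    # Finds unattend XML files and reports elements that typically hold plaintext
    # credentials: domain-join <Credentials>, <AutoLogon>, <AdministratorPassword>.
    # Matching is by local name because unattend files use the
    # urn:schemas-microsoft-com:unattend namespace. Values are never printed.
    $xpath = "//*[local-name()='Credentials' or local-name()='AutoLogon' or local-name()='AdministratorPassword']"
    Get-ChildItem -Path $Root -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*unattend*' } |
        ForEach-Object {
            $file = $_.FullName
            try {
                Select-Xml -Path $file -XPath $xpath | ForEach-Object {
                    [pscustomobject]@{
                        File    = $file
                        Element = $_.Node.LocalName
                        Parent  = $_.Node.ParentNode.LocalName
                    }
                }
            } catch {
                Write-Warning "Could not parse ${file}: $_"
            }
        }
}

# --- Step 1/2: registry control ---------------------------------------------
$state = Get-HandsFreeState
Write-Host "Hands-free deployment control: $state ($KeyPath\$ValueName)"

if ($state -ne 'Disabled') {
    if ($Enforce) {
        Set-HandsFreeDisabled
        Write-Host "Set $ValueName = 0; hands-free deployment is now disabled."
    } else {
        Write-Warning "Hands-free deployment is still allowed; rerun with -Enforce to set $ValueName = 0."
    }
}

# --- Step 3: credential-bearing unattend files --------------------------------
$findings = @(Find-UnattendCredentials -Root $RemoteInstallRoot)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) credential-bearing element(s) found under ${RemoteInstallRoot}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No credential-bearing elements found in unattend files under $RemoteInstallRoot."
}
```

Running the script without switches is safe on a production WDS host: it only reads the registry and parses XML. The credential scan is deliberately conservative (element names, not values) so its output can be shared with a change ticket without leaking the secrets it is meant to flag; the files it lists are the ones to migrate to Intune, Autopilot or Configuration Manager before the April 2026 cut-off.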

Microsoft’s KB article 5074952 provides full guidance and registry details for impacted organizations. Administrators are urged to act before April 2026 to avoid disruption to their deployment pipelines.

The post Microsoft to Block Windows 11 and Server 2025 Automated Installation After Critical RCE Vulnerability appeared first on Cyber Security News.

Source: cybersecuritynews.com
