Microsoft Disables Hands-Free Deployment in Windows Deployment Services Due to Critical RCE Flaw
Microsoft has unveiled a two-phase plan to disable the hands-free deployment feature in Windows Deployment Services (WDS) after discovering a critical remote code execution (RCE) vulnerability (CVE-2026-0386). The flaw, disclosed on January 13, 2026, stems from improper access control in WDS, allowing unauthenticated attackers on an adjacent network to intercept sensitive Unattend.xml configuration files and execute arbitrary code during OS deployments.
WDS is a server role used by IT administrators to remotely deploy Windows operating systems via PXE (Preboot Execution Environment) boot. Hands-free deployment automates installations using the Unattend.xml file, eliminating manual input for credentials and setup steps. The vulnerability exposes this file over an unauthenticated RPC channel, enabling attackers to steal embedded credentials, inject malicious code, or compromise deployment images. Successful exploitation could grant SYSTEM-level privileges, facilitate lateral movement, and pose a supply chain risk in enterprise environments.
The flaw affects Windows Server versions from 2008 through 2025, including 2016, 2019, 2022, and 23H2, and carries a CVSS v3.1 score of 7.5 (High) due to its impact on confidentiality, integrity, and availability.
Mitigation Timeline
Microsoft’s response is split into two phases:
- Phase 1 (January 13, 2026): Hands-free deployment remains functional but can be disabled via a new registry key (AllowHandsFreeFunctionality = 0). Event Log alerts will warn administrators of insecure configurations.
- Phase 2 (April 2026): The feature will be disabled by default in the April security update. Administrators who have not applied registry changes will lose access unless they manually re-enable it (though Microsoft warns this is insecure and temporary).
Microsoft recommends migrating to alternative deployment methods like Microsoft Intune, Windows Autopilot, or Configuration Manager, which are unaffected. Full guidance is available in KB article 5074952. Organizations are advised to review WDS configurations and apply updates before April 2026 to prevent deployment disruptions.
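As part of reviewing WDS configurations, it helps to know which answer files actually carry embedded credentials. The following is an added example, not code from Microsoft or the source article: a Python audit that reports where an Unattend.xml stores passwords without printing the values. The sample file, its account names and its values are constructed, and treating a missing PlainText element as plaintext is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample answer file; all names and values are made up.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="windowsPE"><component name="Microsoft-Windows-Setup">
  <WindowsDeploymentServices><Login><Credentials>
   <Domain>EXAMPLE</Domain><Username>wds-join</Username>
   <Password>Constructed-Pass1</Password>
  </Credentials></Login></WindowsDeploymentServices>
 </component></settings>
 <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
  <UserAccounts><AdministratorPassword>
   <Value>Q29uc3RydWN0ZWQ=</Value><PlainText>false</PlainText>
  </AdministratorPassword></UserAccounts>
 </component></settings>
</unattend>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def classify(node):
    """Return how a *Password element stores its secret, or None if empty."""
    kids = {local(c.tag): (c.text or "").strip() for c in node}
    if kids.get("Value"):
        # Assumption: a missing PlainText element is treated as plaintext.
        plain = kids.get("PlainText", "true").lower() != "false"
        return "plaintext" if plain else "base64-obfuscated"
    return "plaintext" if (node.text or "").strip() else None

def find_embedded_secrets(xml_text):
    """List (pass, component, element path, storage) for each stored password."""
    findings = []
    def walk(node, path, pass_name, comp):
        here = path + [local(node.tag)]
        if here[-1].endswith("Password"):
            storage = classify(node)
            if storage:
                findings.append((pass_name, comp, "/".join(here), storage))
            return  # report the location only, never the secret value
        for child in node:
            walk(child, here, pass_name, comp)
    for settings in ET.fromstring(xml_text):
        for comp in settings:
            for child in comp:
                walk(child, [], settings.get("pass"), comp.get("name"))
    return findings

if __name__ == "__main__":
    print(*find_embedded_secrets(SAMPLE_UNATTEND), sep="\n")
```

A PlainText value of false only means the password is Base64-encoded, so both kinds of finding should be treated as exposed credentials and rotated.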
Source: https://cybersecuritynews.com/windows-11-and-server-2025-automated-installation/
Microsoft Windows cybersecurity rating report: https://www.rankiteo.com/company/microsoft-windows