Original publish date: January 13, 2026
KB ID: 5074952
Introduction
Windows Deployment Services (WDS) supports network-based deployment of Windows operating systems. A commonly used feature—hands-free deployment—relies on an Answer file (also known as an Unattend.xml file) to automate installation screens, including credentials.
SECURITY RISK: When an unattend.xml file is transmitted over an unauthenticated (insecure) RPC channel, it can expose sensitive data, including the credentials it contains. An attacker on the same network can intercept the file, which can lead to credential compromise or remote code execution.
To harden security, Microsoft is removing support for hands-free deployment over insecure channels. This change will roll out in two phases.
Summary
To mitigate a potential vulnerability and security risk, and to harden security, Microsoft is removing support for hands-free deployment over insecure channels by default.
For more information about the vulnerability, see CVE-2026-0386.
IMPORTANT: This vulnerability does not impact Microsoft Configuration Manager. The issue applies only to native Windows Deployment Services (WDS) scenarios where an Unattend.xml file is referenced and exposed through the RemoteInstall share. Configuration Manager does not rely on this mechanism; it uses WDS solely to provide boot.wim and network bootstrap (NBP) files, which are not affected.
Timeline of changes
Microsoft will roll out the hardening changes in two phases.
Phase 1 (January 13, 2026): Hands-free deployment continues to be supported and can be explicitly disabled to enhance security.
- Event Log alerts introduced.
- Registry key options available to choose secure or insecure mode.
Phase 2 (April 14, 2026): Hands-free deployment is disabled by default but can be re-enabled, if necessary, with an understanding of the associated security risks.
- Default behavior changes to secure-by-default.
- Hands-free deployment will no longer work unless explicitly overridden with registry settings.
Take action!
IMPORTANT: If no action is taken (no registry key added) between January–April 2026, hands-free deployment will be blocked after the April 2026 security update.
Phase 1 (January 13, 2026)
Option 1: Enable secure behavior (Recommended)
To enable the mitigation for the vulnerability as described in CVE-2026-0386 and ensure your device is secure, apply the Windows update released on or after January 13, 2026. Then, apply the following registry setting to enforce secure behavior.
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend
DWORD name: AllowHandsFreeFunctionality
Value data: 00000000
Option 2: Continue hands-free deployment (Insecure) (Not recommended)
If you want to continue using hands-free deployment, set the registry value to 1:
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend
DWORD name: AllowHandsFreeFunctionality
Value data: 00000001
Note: If no action is taken (no registry value added) between January and April 2026, hands-free deployment will be blocked after the April 2026 security update.
Registry key options and behavior
The following table explains the behavior of each AllowHandsFreeFunctionality setting in the registry.
| Registry value | Mode | Behavior | Future impact |
| Absent (default) | Insecure | Hands-free deployment works, but is insecure. Event log messages are issued. | Hands-free deployment will be blocked by the April 14, 2026 security update. |
| dword:00000000 | Secure | Unauthenticated access is blocked; hands-free deployment is disabled. | No change: unauthenticated access continues to be blocked and hands-free deployment stays disabled. |
| dword:00000001 | Insecure | Hands-free deployment is preserved, but insecure. | No change: hands-free deployment stays enabled, but insecure. |
NOTE: In future Windows updates, the default AllowHandsFreeFunctionality value will enforce secure mode unless overridden.
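The following PowerShell script is an added example, not part of this KB article, that reads the AllowHandsFreeFunctionality value, maps it to the mode in the table above, and sets it to the recommended secure value, creating the Unattend subkey if it does not yet exist. The registry path and value name are taken from the article; the function names, the -Mode parameter and the interpretation strings are this example's own. The KB does not state whether WdsServer must be restarted for the new value to take effect, so the trailing Restart-Service call is a conservative assumption, not a documented requirement.

```powershell
# Added example (not from KB5074952). Run in an elevated PowerShell session on the WDS server.
$WdsUnattendKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend'
$ValueName      = 'AllowHandsFreeFunctionality'

function Get-WdsHandsFreeMode {
    # Reads the current DWORD (or $null when absent) and reports the mode
    # according to the "Registry key options and behavior" table.
    $value = $null
    if (Test-Path -Path $WdsUnattendKey) {
        $value = (Get-ItemProperty -Path $WdsUnattendKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    if ($null -eq $value) {
        $mode = 'Insecure (value absent: hands-free works until the April 14, 2026 update, then is blocked)'
    } elseif ($value -eq 0) {
        $mode = 'Secure (unauthenticated unattend requests blocked, hands-free deployment disabled)'
    } elseif ($value -eq 1) {
        $mode = 'Insecure (hands-free deployment explicitly preserved)'
    } else {
        $mode = "Unexpected value $value; treat as misconfigured and set it to 0"
    }
    [pscustomobject]@{ Path = $WdsUnattendKey; Name = $ValueName; Value = $value; Mode = $mode }
}

function Set-WdsHandsFreeMode {
    # Writes 0 (Secure) or 1 (Insecure). Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Secure', 'Insecure')][string]$Mode
    )
    $data = if ($Mode -eq 'Secure') { 0 } else { 1 }
    if (-not (Test-Path -Path $WdsUnattendKey)) {
        # The Unattend subkey is not guaranteed to exist; New-Item -Force creates the full path.
        if ($PSCmdlet.ShouldProcess($WdsUnattendKey, 'Create registry key')) {
            New-Item -Path $WdsUnattendKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$WdsUnattendKey\$ValueName", "Set DWORD to $data")) {
        New-ItemProperty -Path $WdsUnattendKey -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
    }
    Get-WdsHandsFreeMode
}

# Show the current state, then enforce the recommended secure mode.
Get-WdsHandsFreeMode | Format-List
Set-WdsHandsFreeMode -Mode Secure | Format-List

# Assumption (not stated in the KB): restart WDS so WdsImgSrv re-reads the value.
Restart-Service -Name WdsServer
```

Run `Set-WdsHandsFreeMode -Mode Secure -WhatIf` first to see exactly which key and value would be written. Administrators who must keep hands-free deployment during Phase 1 can call `Set-WdsHandsFreeMode -Mode Insecure`, which writes the value 1 described under Option 2 and leaves the server exposed to the interception risk described in this article.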
Phase 2 (April 14, 2026)
Hands-free deployment is fully disabled to a secure-by-default configuration. Administrators can override the configuration with an understanding of the associated security risks.
UPDATE The aforementioned changes have been rolled out via Windows Updates released on and after April 14, 2026. Following this update, hands‑free deployment scenarios using WDS are no longer supported. While an alternative approach for hands‑free deployment is documented, it involves known security risks and is therefore not recommended.
During this phase, the default behavior changes to secure-by-default.
If you need to continue using hands-free deployment, see Phase 1, Option 2 (Not recommended).
Event logging
New events are added to help administrators monitor deployment behavior.
The following events are logged in the Microsoft-Windows-Deployment-Services-Diagnostics/Debug log:
Secure mode
Warning: Unattend file request was made over an insecure connection. Windows Deployment Services has blocked the request to keep the system secure. For more information, see: https://go.microsoft.com/fwlink/?linkid=2344403
Note: This warning is triggered when the unattend.xml file is requested without a secure channel.
Insecure mode
Error: This system is using insecure settings for Windows Deployment Services. This may expose sensitive configuration files to interception. Apply Microsoft's recommended security settings to protect your deployment. Learn more at: https://go.microsoft.com/fwlink/?linkid=2344403
This error is triggered when the unattend.xml file is queried insecurely or when WDS starts.
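The following PowerShell script is an added example, not part of this KB article, that collects the two events described above from the Debug channel and tags each one so the two conditions are easy to separate: the warning means secure mode is working and something on the network asked for unattend.xml over an insecure channel, while the error means the server itself is still in insecure mode and needs the registry change. The channel name and message text come from the article; the article gives no event IDs, so the script filters on message text (English only, which is an assumption) rather than on ID. The note that Debug channels must be enabled before they record anything is a general property of Windows Analytic/Debug channels, not something the KB states.

```powershell
# Added example (not from KB5074952). Run in an elevated PowerShell session on the WDS server.
$LogName = 'Microsoft-Windows-Deployment-Services-Diagnostics/Debug'

function Enable-WdsDebugLog {
    # Analytic/Debug channels are disabled by default and record nothing until enabled.
    wevtutil sl $LogName /e:true /q:true
}

function Get-WdsUnattendEvents {
    # Returns the WDS unattend hardening events newer than -Since, tagged by finding.
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Analytic/Debug channels can only be read oldest-first, hence -Oldest.
    Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since -and $_.Message -match 'unattend|insecure' } |
        ForEach-Object {
            # Message fragments are the wording quoted in the KB (assumed English locale).
            $finding = if ($_.Message -match 'blocked the request') {
                'BlockedInsecureRequest'   # secure mode did its job; identify the requesting client
            } elseif ($_.Message -match 'insecure settings') {
                'InsecureConfiguration'    # server still allows hands-free; set the DWORD to 0
            } else {
                'Other'
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Level   = $_.LevelDisplayName
                Id      = $_.Id
                Finding = $finding
                Message = ($_.Message -split "`r?`n")[0]
            }
        }
}

Enable-WdsDebugLog
$events = Get-WdsUnattendEvents

# Summarize: any InsecureConfiguration hit means the server needs remediation;
# BlockedInsecureRequest hits are the clients (or attackers) still trying hands-free.
$events | Group-Object -Property Finding | Select-Object Name, Count | Format-Table -AutoSize
$events | Sort-Object Time | Format-Table Time, Level, Id, Finding -AutoSize
```

Because the error is also raised when WDS starts, a single InsecureConfiguration event after every service restart is the expected signature of a server that has not yet been hardened; once the value is set to 0 that event should stop appearing, and any BlockedInsecureRequest warnings that follow identify clients that still expect hands-free deployment and need to be migrated.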
Summary of action steps (January to April 2026)
- Review your WDS configuration and identify unattend.xml usage.
- Apply the recommended registry setting (AllowHandsFreeFunctionality=0) to enforce secure deployment.
- Monitor Event Viewer for warnings or errors related to unattend.xml access.
- Prepare for releases following the April 2026 security update by removing reliance on hands-free deployment.
- After installing Windows Updates released on or after April 14, 2026, hands-free deployment scenarios using WDS are disabled by default and are no longer supported.
- Administrators can override the secure-by-default configuration so that hands-free deployment continues to work, but this is not recommended. We recommend keeping this feature disabled to maintain a secure configuration and migrating to alternative methods.
Change log
| Change date | Change description |
| April 14, 2026 | |