Microsoft is enacting a phased strategy to disable automated installations in Windows Deployment Services (WDS) after identifying a critical remote code execution (RCE) vulnerability, known as CVE-2026-0386. This decision impacts Windows 11 and Server 2025 deployments.
Understanding the Vulnerability
The vulnerability stems from inadequate access control, which allows attackers on an adjacent network to intercept sensitive files and execute unauthorized code during network-based operating system installs. WDS is a server role that facilitates remote deployment of Windows operating systems, typically using PXE boot.
The hands-free deployment feature, crucial for enterprises deploying large numbers of machines, uses an Unattend.xml file for automated installation, bypassing manual input. The flaw in this system exposes the file over an unauthenticated channel, posing significant risks.
Implications of CVE-2026-0386
Published on January 13, 2026, this vulnerability allows attackers to gain SYSTEM-level access, move laterally within networks, and potentially corrupt OS deployment images. This presents a supply chain risk, especially in enterprise environments, as confirmed by Microsoft.
The flaw affects various Windows Server versions from 2008 to 2025, including 2016, 2019, 2022, and 23H2, with a CVSS v3.1 score indicating high impact on confidentiality, integrity, and availability.
Mitigation Timeline and Recommendations
Microsoft’s mitigation plan unfolds in two phases. Initially, hands-free deployment will remain active, but administrators can disable it using new registry controls. By April 2026, this feature will be disabled by default unless previously configured.
Administrators are advised to review WDS settings for Unattend.xml usage, apply the latest security updates, and consider alternative deployment methods like Microsoft Intune or Windows Autopilot, which remain unaffected by this flaw.
To ensure security, Microsoft recommends setting the registry to disallow hands-free functionality and monitoring logs for any security warnings. Further details and guidance can be found in Microsoft’s KB article 5074952.
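As an added example (not from Microsoft or the original article), the following Python script supports the Unattend.xml review recommended above: it lists where an answer file embeds passwords, since those are what a fetch over an unauthenticated channel would expose. The sample file, account names and function names are constructed for illustration; the element names follow the standard unattend schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the article): a WDS client unattend file with embedded credentials.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="windowsPE">
  <component name="Microsoft-Windows-Setup">
   <WindowsDeploymentServices><Login><Credentials>
    <Username>svc-deploy</Username><Domain>EXAMPLE</Domain><Password>constructed-pw</Password>
   </Credentials></Login></WindowsDeploymentServices>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <UserAccounts><AdministratorPassword>
    <Value>Y29uc3RydWN0ZWQ=</Value><PlainText>false</PlainText>
   </AdministratorPassword></UserAccounts>
  </component>
 </settings>
</unattend>"""

def local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]

def find_unattend_secrets(xml_text):
    """List password-bearing elements by location; the secret value is never returned."""
    findings = []
    def walk(elem, path, pass_name, component):
        name = local(elem.tag)
        path = path + [name]
        pass_name = elem.get("pass", pass_name) if name == "settings" else pass_name
        component = elem.get("name", component) if name == "component" else component
        if name.endswith("Password"):
            kids = {local(c.tag): (c.text or "").strip() for c in elem}
            value = kids.get("Value") or (elem.text or "").strip()
            if value:
                # PlainText=false means base64 obfuscation, not encryption.
                hidden = kids.get("PlainText", "true").lower() == "false"
                findings.append({"pass": pass_name, "component": component,
                                 "element": "/".join(path[3:]),
                                 "storage": "base64" if hidden else "plaintext"})
        for child in elem:
            walk(child, path, pass_name, component)

    walk(ET.fromstring(xml_text), [], None, None)
    return findings

if __name__ == "__main__":
    print(*find_unattend_secrets(SAMPLE), sep="\n")
```

Any account reported here should be treated as exposed wherever the file was served through hands-free deployment, and rotated accordingly.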
