check before: 2026-04-01
Product:
Windows
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:
Details:
As announced in January 2026, the unattend.xml file used in hands-free deployment poses a vulnerability when transmitted over an unauthenticated RPC channel. Beginning with the April 2026 security update, IT admins should prepare for the second phase of hardening for CVE-2026-0386. These changes disable hands-free deployment by default to enforce secure behavior. After this update, hands-free deployment will no longer work unless explicitly overridden with registry settings.
When will this happen:
Starting with the April 2026 security update, Windows Deployment Services (WDS) will enforce secure-by-default behavior by automatically disabling hands-free deployment.
Created:
2026-03-17
Updated:
2026-04-17
Direct effects for Operations**
Disruption of Deployment Workflows
Hands-free deployment will be disabled by default, causing existing workflows that rely on unattend.xml to fail.
- roles: IT Admin, Deployment Engineer
- references: https://learn.microsoft.com/windows/deployment/wds-boot-support, https://support.microsoft.com/topic/windows-deployment-services-wds-hands-free-deployment-hardening-guidance-related-to-cve-2026-0386-0daa3a3c-f3cd-4291-9147-a459c290c462
Increased Security Risks
Overriding the secure default to enable hands-free deployment reintroduces vulnerabilities associated with CVE-2026-0386.
- roles: IT Admin, Security Officer
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0386, https://learn.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs
Need for Migration to Alternative Solutions
Organizations must plan to migrate to alternative deployment solutions, which may require additional resources and training.
- roles: IT Admin, Project Manager
- references: https://learn.microsoft.com/autopilot/, https://learn.microsoft.com/windows/deployment/wds-boot-support
User Experience Degradation
Users may experience delays in device provisioning and setup due to the need for manual intervention in deployment processes.
- roles: End User, Help Desk Support
- references: https://learn.microsoft.com/windows/deployment/wds-boot-support, https://support.microsoft.com/topic/windows-deployment-services-wds-hands-free-deployment-hardening-guidance-related-to-cve-2026-0386-0daa3a3c-f3cd-4291-9147-a459c290c462
Increased Diagnostic Logging
Devices operating in insecure mode will log diagnostic messages, potentially leading to confusion and increased support requests.
- roles: IT Admin, Help Desk Support
- references: https://learn.microsoft.com/windows/deployment/wds-boot-support, https://support.microsoft.com/topic/windows-deployment-services-wds-hands-free-deployment-hardening-guidance-related-to-cve-2026-0386-0daa3a3c-f3cd-4291-9147-a459c290c462
** AI generated content. This information must be reviewed before use.
Last updated 4 weeks ago