MC1276259 – Windows Deployment Services (WDS): Hands-free deployment hardening (Phase 2)

check before: 2026-04-01

Product:

Windows

Platform:

Online, World tenant

Status:

Change type:

Admin impact

Links:

Details:

As announced in January 2026, the unattend.xml file used in hands‑free deployment is exposed to a vulnerability when it is transmitted over an unauthenticated RPC channel. Beginning with the April 2026 security update, the second phase of hardening for CVE-2026-0386 is in effect. This phase disables hands‑free deployment by default to enforce secure behavior. After this update, hands‑free deployment no longer works unless it is explicitly overridden with registry settings.


When will this happen:
Starting with the April 2026 security update, Windows Deployment Services (WDS) enforces secure‑by‑default behavior by automatically disabling hands‑free deployment.

Release Phase:

Created:
2026-04-11

updated:
2026-04-11

Direct effects for Operations**

Disruption of Deployment Workflows
Hands-free deployment will be disabled by default, causing existing workflows that rely on unattend.xml to fail unless registry settings are overridden.
   - roles: IT Administrators, Deployment Engineers
   - references: https://learn.microsoft.com/windows/deployment/wds-boot-support, https://support.microsoft.com/topic/windows-deployment-services-wds-hands-free-deployment-hardening-guidance-related-to-cve-2026-0386-0daa3a3c-f3cd-4291-9147-a459c290c462

Increased Security Risks
Overriding the default settings to enable hands-free deployment reintroduces security vulnerabilities associated with CVE-2026-0386, potentially exposing sensitive data.
   - roles: IT Security Officers, System Administrators
   - references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0386, https://learn.microsoft.com/windows/hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs

User Experience Degradation
Users may experience delays in device provisioning and setup due to the need for manual intervention in deployment processes.
   - roles: End Users, IT Support Staff
   - references: https://learn.microsoft.com/autopilot/, https://learn.microsoft.com/windows/deployment/wds-boot-support

Need for Migration Planning
Organizations must plan to migrate to alternative deployment solutions, which may require additional resources and training for staff.
   - roles: IT Project Managers, Training Coordinators
   - references: https://learn.microsoft.com/windows/deployment/wds-boot-support, https://learn.microsoft.com/autopilot/

Increased Diagnostic Logging
Devices operating in insecure mode will log diagnostic messages, potentially leading to confusion and increased workload for IT staff.
   - roles: IT Administrators, Support Technicians
   - references: https://support.microsoft.com/topic/windows-deployment-services-wds-hands-free-deployment-hardening-guidance-related-to-cve-2026-0386-0daa3a3c-f3cd-4291-9147-a459c290c462, https://learn.microsoft.com/windows/deployment/wds-boot-support

** AI generated content. This information must be reviewed before use.
