check before: 2026-04-01
Product:
Windows
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:
Details:
As announced in January 2026, the unattend.xml file used in hands-free deployment poses a vulnerability when transmitted over an unauthenticated RPC channel. Beginning with the April 2026 security update, the second phase of hardening for CVE-2026-0386 is now in effect. These changes make hands-free deployment disabled by default to enforce secure behavior. After this update, hands-free deployment no longer works unless explicitly overridden with registry settings.
When will this happen:
Starting with the April 2026 security update, Windows Deployment Services (WDS) enforces secure-by-default behavior by automatically disabling hands-free deployment.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2026-04-11
updated:
2026-04-17
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Disruption of Deployment Workflows
Hands-free deployment will be disabled by default, causing any existing workflows that rely on unattend.xml to fail without prior preparation.
- roles: IT Administrators, Deployment Engineers
- references: https://learn.microsoft.com/windows/deployment/wds-boot-support, https://support.microsoft.com/topic/windows-deployment-services-wds-hands-free-deployment-hardening-guidance-related-to-cve-2026-0386-0daa3a3c-f3cd-4291-9147-a459c290c462
" target="_blank" rel="nofollow noopener noreferrer">https://support.microsoft.com/topic/windows-deployment-services-wds-hands-free-deployment-hardening-guidance-related-to-cve-2026-0386-0daa3a3c-f3cd-4291-9147-a459c290c462
Increased Security Risks
If organizations override the default settings to maintain hands-free deployment, they will reintroduce vulnerabilities associated with CVE-2026-0386, compromising system security.
- roles: IT Security Officers, System Administrators
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0386, https://learn.microsoft.com/windows/hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs
User Experience Degradation
Users may experience delays and issues in device provisioning as hands-free deployment fails, leading to increased support requests and dissatisfaction.
- roles: End Users, Help Desk Support
- references: https://learn.microsoft.com/autopilot/, https://learn.microsoft.com/windows/deployment/wds-boot-support
" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/windows/deployment/wds-boot-support
Need for Alternative Solutions
Organizations will need to explore and implement alternative deployment solutions, such as Windows Autopilot, which may require additional training and resources.
- roles: IT Administrators, Project Managers
- references: https://learn.microsoft.com/autopilot/, https://learn.microsoft.com/windows/deployment/wds-boot-support
" target="_blank" rel="nofollow noopener noreferrer">https://learn.microsoft.com/windows/deployment/wds-boot-support
Increased Administrative Overhead
IT teams will face increased workload to manage registry settings and ensure compliance with security policies, leading to potential resource strain.
- roles: IT Administrators, Compliance Officers
- references: https://support.microsoft.com/topic/windows-deployment-services-wds-hands-free-deployment-hardening-guidance-related-to-cve-2026-0386-0daa3a3c-f3cd-4291-9147-a459c290c462, https://learn.microsoft.com/windows/hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
XXXXXXX ... free basic plan only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
Last updated 1 month ago ago
