Microsoft Plans to Disable Hands‑Free Automated Installation for Windows 11 and Server 2025 After Critical RCE Flaw

Microsoft has announced a hardening plan for Windows Deployment Services (WDS) after the discovery of a critical remote code execution vulnerability, CVE-2026-0386, that compromises hands‑free automated installations. The vulnerability exposes Unattend.xml answer files over an unauthenticated channel, allowing an attacker on the same network segment to intercept or tamper with deployment configurations. For organizations that depend on network-based provisioning to deploy Windows at scale, this presents a significant operational and supply-chain risk that requires immediate mitigation.

Why this matters

Hands‑free deployment is designed to save time and reduce manual effort during OS provisioning by automating installation prompts and credential entry. That convenience, however, becomes a liability if the files that instruct the installer are transmitted without proper authentication and access controls. The Unattend.xml answer file can contain sensitive data and instructions that, if intercepted or modified, may allow an attacker to gain SYSTEM privileges during setup, poison deployment images, or harvest credentials used during provisioning. Because WDS is often used across many systems, an exploited deployment server could enable broad lateral movement and persistent compromise across an enterprise.

Technical overview

Component affected: Windows Deployment Services (WDS), specifically the hands‑free deployment flow that uses Unattend.xml files.
Root cause: Improper access control (CWE-284) that permits Unattend.xml to be accessed via an unauthenticated RPC channel exposed through the RemoteInstall share.
Attack vector: A remote, unauthenticated attacker on an adjacent network segment can read or modify unattended installation files.
Impact: Credential theft, arbitrary code execution as SYSTEM during installation, image poisoning, lateral movement across a domain, and potential supply‑chain impact within data centers and deployment pipelines.
Severity: Microsoft reports a CVSS v3.1 vector of AV:A/AC:H/PR:N/UI:N, with high impact to confidentiality, integrity, and availability.
Affected platforms: Windows Server editions from Server 2008 through Server 2025 (including Server 2016, 2019, 2022 and 23H2). Windows 11 can be indirectly impacted when deployed through affected WDS servers.

Microsoft’s mitigation approach

To reduce risk while allowing administrators time to adapt, Microsoft issued a two‑phase plan:

Phase 1 (January 13, 2026): Hands‑free deployment remained functional but administrators were provided registry controls and event logging to disable or monitor the feature. The key introduced is AllowHandsFreeFunctionality under HKLMSYSTEMCurrentControlSetServicesWdsServerProvidersWdsImgSrvUnattend; setting this to 0 disables hands‑free installs.
Phase 2 (April 2026): Hands‑free deployment is disabled by default via an update. Systems that did not apply the registry control between January and April 2026 will find the feature blocked after the April security update. Organizations that must temporarily re‑enable the feature can set AllowHandsFreeFunctionality = 1, but Microsoft warns this is insecure and recommends treating it only as a short‑term bridge.

Practical steps for administrators

Inventory WDS usage: Identify all WDS servers and workflows that rely on Unattend.xml for automated provisioning to understand exposure and operational impact.
Patch and configure: Apply the January 13, 2026 or later security updates and proactively set AllowHandsFreeFunctionality = 0 to disable hands‑free deployment where feasible.
Monitor for indicators: Enable and review the new Event Viewer logs related to Unattend.xml access to detect potential attempts to read or modify deployment files.
Validate images and credentials: Inspect OS images and Unattend files for unauthorized changes. If there is any suspicion of compromise, rebuild images from known‑good sources and rotate any embedded credentials.
Migrate to secure provisioning: Where possible, adopt deployment platforms such as Microsoft Intune, Windows Autopilot, or Microsoft Configuration Manager, which are not affected by this issue and offer stronger authentication and integrity protections.
Restrict network exposure: Limit access to WDS and PXE services to trusted management and imaging networks to reduce the chance of an adjacent attacker accessing the RemoteInstall share.

Operational and risk considerations

Short‑term re‑enablement risks: Re‑enabling hands‑free deployment to avoid disruption should be a temporary measure only. Compensating controls include strict network segmentation, enhanced logging and monitoring, and minimizing or eliminating credentials in answer files.
Supply‑chain implications: A compromised deployment server or poisoned image can propagate across many machines. Treat any suspected compromise as a supply‑chain incident and follow forensic and remediation procedures, including image revalidation and credential rotation.
Long‑term posture: Reduce reliance on unauthenticated legacy provisioning mechanisms. Favor automation tools and workflows that provide built‑in authentication, encryption, and integrity guarantees.

Conclusion

CVE-2026-0386 underscores the danger when automation conveniences lack robust access controls. Administrators should act promptly to apply updates, disable hands‑free deployment where possible, and transition to more secure provisioning solutions. Any temporary workaround must be paired with strict network controls, vigilant monitoring, and strong credential hygiene to limit exposure while longer‑term mitigations are implemented.