Windows Deployment Services (WDS): Hands-free deployment hardening (Phase 1)

Message Center ID: MC1217584
Windows
Stay Informed
Major Change Admin impact
January 2026 April 2026

Details

Prepare for a two-phase hardening change related to CVE-2026-0386. The Unattend.xml file that underlies the hands-free deployment feature of Windows Deployment Services (WDS) creates a vulnerability when it is transmitted over an unauthenticated RPC channel. Starting with the January 2026 security update, you can explicitly disable hands-free deployment with the help of new Event Log alerts and registry key options. In April 2026, hands-free deployment will be disabled by default. After that date, it will no longer work unless explicitly overridden with registry settings.
 
When will this happen:
  • January 2026 security update: Phase 1 of hardening begins. Hands-free deployment continues to be supported and can be explicitly disabled to enhance security. Use the new Event Log alerts and registry key options.
  • April 2026 security update: Phase 2 of hardening follows. Hands-free deployment will be disabled by default but can be re-enabled, if necessary, with an understanding of the associated security risks.
 
How this will affect your organization:
These hardening measures are meant to enhance security. If no action is taken (no registry key is added) between January and April 2026, hands-free deployment will be blocked after the April 2026 security update.
 
What you need to do to prepare:
Apply the Windows update released on or after January 13, 2026 to enable the mitigation and ensure that devices are secure. When ready to disable hands-free deployment, apply the following registry setting:
  • Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend
  • DWORD name: AllowHandsFreeFunctionality
  • Value data: 00000000
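
The following PowerShell script is an added example, not part of the Microsoft notice: it reports whether the setting above is present on a WDS server and, when run with -Disable, writes it. The script parameter and function name are hypothetical; it assumes it is saved as a .ps1 file and run from an elevated session on the WDS server.

```powershell
# Added example (not from the notice). The -Disable switch and function name are
# hypothetical; the registry path, value name and data are those listed in the notice.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Disable)   # pass -Disable to write the value; add -WhatIf to preview

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend'
$Name = 'AllowHandsFreeFunctionality'

function Get-WdsHandsFreeState {
    # Only servers with the WDS role installed have the WdsServer service.
    if (-not (Get-Service -Name 'WdsServer' -ErrorAction SilentlyContinue)) {
        return 'NotAWdsServer'
    }
    # A missing key or value means no explicit choice has been recorded yet.
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop)   { return 'NotConfigured' }
    if ($prop.$Name -eq 0) { return 'ExplicitlyDisabled' }   # value data from the notice
    return "OtherValue:$($prop.$Name)"                       # anything other than 0
}

$state = Get-WdsHandsFreeState
Write-Output "Before: $state"

if ($Disable -and $state -ne 'NotAWdsServer' -and $state -ne 'ExplicitlyDisabled') {
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Set DWORD to 0')) {
        # Create the Unattend key if it does not exist, then write the DWORD.
        if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Output "After:  $(Get-WdsHandsFreeState)"
    }
}
```

A result of NotConfigured identifies servers where no explicit decision has been made before the April 2026 update changes the default.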
 
Additional information:
