
Windows Deployment Services (WDS): Hands-free deployment hardening (Phase 2)

Message ID: MC1250927
Service: Windows
Category: Stay Informed
Tags: Major Change, Admin impact
Rollout: April 2026

Details

As announced in January 2026, the unattend.xml file used in hands‑free deployment poses a vulnerability when transmitted over an unauthenticated RPC channel. Beginning with the April 2026 security update, IT admins should prepare for the second phase of hardening for CVE-2026-0386. With these changes, hands‑free deployment is disabled by default to enforce secure behavior. After this update, hands‑free deployment will no longer work unless explicitly overridden with registry settings.

When will this happen:
Starting with the April 2026 security update, Windows Deployment Services (WDS) will enforce secure‑by‑default behavior by automatically disabling hands‑free deployment.

How this will affect your organization:
After installing the April 2026 security update, hands‑free deployment will be blocked to prevent unauthenticated access to unattend.xml, enforcing the hardening requirements for CVE-2026-0386. Any workflows that rely on unattend.xml‑based deployment will no longer function unless overridden with registry settings.

What you need to do to prepare:
Organizations that still require hands‑free deployment after installing the April 2026 security update must explicitly override the secure default by setting the AllowHandsFreeFunctionality registry value to 1. This keeps unattend.xml‑based deployments operational but reintroduces the security risks associated with CVE-2026-0386. When this override is used, devices will log diagnostic messages indicating that they are operating in an insecure mode. Because this configuration is not recommended for long‑term use, IT admins should plan to migrate to alternate deployment solutions and return to secure‑by‑default behavior.
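To track where the override is in use during migration, the following added example (not part of Microsoft's message) reports the AllowHandsFreeFunctionality value on a list of WDS servers. The function name, state labels and server names are hypothetical, and the registry key path is not given on this page, so it must be supplied from Microsoft's guidance for CVE-2026-0386.

```powershell
# Added example: audit WDS servers for the hands-free override.
# Assumptions: PowerShell remoting is enabled on the servers; the registry key
# path is NOT stated on this page and must be passed in via -KeyPath.
function Get-WdsHandsFreeOverride {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $KeyPath,
        [string] $ValueName = 'AllowHandsFreeFunctionality'
    )

    foreach ($computer in $ComputerName) {
        try {
            # Read the value remotely; returns nothing if the key or value is absent.
            $value = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                param($path, $name)
                $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $item.$name }
            } -ArgumentList $KeyPath, $ValueName

            # Only a value of 1 is described as re-enabling hands-free deployment.
            $state = if ($value -eq 1) { 'OverrideEnabled' } else { 'OverrideNotSet' }
        }
        catch {
            # Remoting failure: report it instead of assuming the server is secure.
            $value = $null
            $state = 'Unreachable'
        }

        [pscustomobject]@{
            ComputerName = $computer
            Value        = $value
            State        = $state
        }
    }
}

# Usage (constructed server names; replace the placeholder with the documented key path):
# Get-WdsHandsFreeOverride -ComputerName 'wds01','wds02' `
#     -KeyPath 'HKLM:\<key path from Microsoft guidance>' |
#     Where-Object State -ne 'OverrideNotSet'
```

Servers reported as OverrideEnabled are the ones still exposing unattend.xml in the insecure mode and should be prioritized for migration; OverrideNotSet only reflects secure-by-default behavior once the April 2026 security update is installed.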

Additional information:
