Microsoft Disables Hands-Free Deployment in Windows Deployment Services Due to Critical RCE Flaw Microsoft has unveiled a two-phase plan to disable the hands-free deployment feature in Windows Deployment Services (WDS) after discovering a critical remote code execution (RCE) vulnerability (CVE-2026-0386). The flaw, disclosed on January 13, 2026, stems from improper access control in WDS, allowing unauthenticated attackers on an adjacent network to intercept sensitive Unattend.xml configuration files and execute arbitrary code during OS deployments. WDS is a server role used by IT administrators to remotely deploy Windows operating systems via PXE (Preboot Execution Environment) boot, with hands-free deployment automating installations using the Unattend.xml file eliminating manual input for credentials and setup steps. The vulnerability exposes this file over an unauthenticated RPC channel, enabling attackers to steal embedded credentials, inject malicious code, or compromise deployment images. Successful exploitation could grant SYSTEM-level privileges, facilitate lateral movement, and pose a supply chain risk in enterprise environments. The flaw affects Windows Server versions from 2008 through 2025, including 2016, 2019, 2022, and 23H2, and carries a CVSS v3.1 score of 7.5 (High) due to its impact on confidentiality, integrity, and availability. ### Mitigation Timeline Microsoft’s response is split into two phases: - Phase 1 (January 13, 2026): Hands-free deployment remains functional but can be disabled via a new registry key (`AllowHandsFreeFunctionality = 0`). Event Log alerts will warn administrators of insecure configurations. - Phase 2 (April 2026): The feature will be disabled by default in the April security update. Administrators who have not applied registry changes will lose access unless they manually re-enable it (though Microsoft warns this is insecure and temporary). Microsoft recommends migrating to alternative deployment methods like Microsoft Intune, Windows Autopilot, or Configuration Manager, which are unaffected. Full guidance is available in KB article 5074952. Organizations are advised to review WDS configurations and apply updates before April 2026 to prevent deployment disruptions.