Applies To
  • Windows Server 2008 Premium Assurance

  • Windows Server 2008 R2 Premium Assurance

  • Windows Server 2012 ESU

  • Windows Server 2012 R2 ESU

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server, version 23H2

  • Windows Server 2025

Original publish date: January 13, 2026

KB ID: 5074952

Introduction

Windows Deployment Services (WDS) supports network-based deployment of Windows operating systems. A commonly used feature—hands-free deployment—relies on an Unattend.xml file (also known as an Answer file) to automate installation screens, including credentials.

Summary

The unattend.xml file poses a vulnerability when it is transmitted over an unauthenticated RPC channel. This vulnerability might expose sensitive data and creates a risk of credential theft or remote code execution.

An attacker on the same network could intercept the file, potentially compromising credentials or executing malicious code.

To mitigate this vulnerability and harden security, Microsoft will be removing support for hands-free deployment over insecure channels by default.

For more information about the vulnerability, see CVE-2026-0386.

Timeline of changes

Microsoft will roll out the hardening changes in two phases.

Phase 1 (January 13, 2026): Hands-free deployment continues to be supported and can be explicitly disabled to enhance security.

  • Event Log alerts introduced.

  • Registry key options available to choose secure or insecure mode.

Phase 2 (April 2026): Hands-free deployment is disabled by default but can be re-enabled, if necessary, with an understanding of the associated security risks.

  • Default behavior changes to secure-by-default.

  • Hands-free deployment will no longer work unless explicitly overridden with registry settings.

Take action

IMPORTANT: If no action is taken (no registry key added) between January and April 2026, hands-free deployment will be blocked after the April 2026 security update.

Phase 1 (January 13, 2026): Hands-free deployment is being phased out and administrators must proactively disable it to enhance security.

To enable the mitigation and ensure your device is secure, apply the Windows update released on or after January 13, 2026.

If your WDS configuration uses unattend.xml for automated deployments, apply the following registry setting to enforce secure behavior.

Registry location

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend

DWORD name

AllowHandsFreeFunctionality

Value data

00000000

  • Blocks unauthenticated access to unattend.xml.

  • Disables hands-free deployment.

Notes

  • Please note that this will disable hands-free deployment using WDS. You must switch to alternate options mentioned in https://aka.ms/wdssupport. Alternatively, explore cloud-based solutions such as https://learn.microsoft.com/mem/autopilot.

  • In future releases after April 2026, the default will enforce secure mode unless overridden.
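The following script is an added example, not part of the Microsoft article, that applies the Phase 1 registry setting above from an elevated PowerShell session on the WDS server. It creates the Unattend subkey if it is missing (the article does not say whether the key exists by default), sets AllowHandsFreeFunctionality to 0, and reads the value back. The article does not state whether the WDS service must be restarted for the value to take effect, so the script does not restart anything.

```powershell
# Added example (not from the Microsoft article): enforce WDS secure mode by
# setting AllowHandsFreeFunctionality = 0 under the key named in the article.
# Run in an elevated PowerShell session on the WDS server.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend'
$ValueName = 'AllowHandsFreeFunctionality'

# Create the Unattend subkey if it is not present yet. The article lists the
# path but does not say whether the key exists before the value is added.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# 0 = block unauthenticated access to unattend.xml (hands-free deployment disabled).
# -Force overwrites an existing value, so this is safe to re-run.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null

# Read the value back and confirm secure mode is in effect.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($current -eq 0) {
    Write-Output "WDS secure mode enforced: $ValueName = $current"
} else {
    Write-Error "Unexpected value for $ValueName after write: $current"
}
```

Running the script a second time is harmless: the key already exists and the DWORD is simply rewritten to 0.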

Phase 2 (April 2026): Hands-free deployment is fully disabled to a secure-by-default configuration. Administrators can override the configuration with an understanding of the associated security risks.

During this phase, the default behavior changes to secure-by-default.

If you need to continue using hands-free deployment, set the registry key value to 1.

Registry location

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend

DWORD name

AllowHandsFreeFunctionality

Value data

00000001

  • Does not block unauthenticated access to unattend.xml.

  • Hands-free deployment will continue to work.

  • Error messages will be logged in the event log.

Comments

This is not a secure configuration. You must plan to migrate to alternate options and disable hands-free deployment (AllowHandsFreeFunctionality = 0) to enhance security.
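Because the value 1 is an explicit insecure override, administrators will want an inventory of which WDS servers still carry it. The script below is an added example, not part of the Microsoft article, that reads AllowHandsFreeFunctionality locally and, via PowerShell remoting, on a list of WDS servers, and classifies each one as secure (0), insecure override (1), or not set. The "not set" interpretation follows the article: after the April 2026 security update a missing value means hands-free deployment is blocked. The server names are placeholders.

```powershell
# Added example (not from the Microsoft article): audit WDS servers for the
# AllowHandsFreeFunctionality value and flag the insecure override (1).
# Server names below are placeholders; replace them with your WDS servers.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend'
$ValueName = 'AllowHandsFreeFunctionality'

# Script block run on each server; returns one object per server.
$Probe = {
    param($KeyPath, $ValueName)

    $value = $null
    if (Test-Path -Path $KeyPath) {
        $value = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }

    if ($null -eq $value) {
        # Per the article: blocked by default once the April 2026 update is installed.
        $status = 'Not set (hands-free deployment blocked after the April 2026 update)'
    } elseif ($value -eq 0) {
        $status = 'Secure mode (hands-free deployment disabled)'
    } elseif ($value -eq 1) {
        $status = 'INSECURE override (unauthenticated unattend.xml access allowed)'
    } else {
        $status = "Unrecognised value $value"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        Status       = $status
    }
}

# Check the local server first.
& $Probe $KeyPath $ValueName

# Then check the remote WDS servers (placeholder names) over PowerShell remoting.
$WdsServers = @('WDS01.example.local', 'WDS02.example.local')
Invoke-Command -ComputerName $WdsServers -ScriptBlock $Probe -ArgumentList $KeyPath, $ValueName |
    Select-Object ComputerName, Value, Status |
    Sort-Object Status
```

Any server reported with the INSECURE override should be on the migration plan the article describes, with the value returned to 0 once the alternate deployment method is in place.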

Event logging

New events are added to help administrators monitor deployment behavior.

The following events will be logged in the Microsoft-Windows-Deployment-Services-Diagnostics/Debug log:

Secure mode

Warning: Unattend file request was made over an insecure connection. Windows Deployment Services has blocked the request to keep the system secure. For more information, see: https://go.microsoft.com/fwlink/?linkid=2344403

Note: This warning is triggered when the unattend.xml is requested without a secure channel.

Insecure mode

Error: This system is using insecure settings for Windows Deployment Services. This may expose sensitive configuration files to interception. Apply Microsoft's recommended security settings to protect your deployment. Learn more at: https://go.microsoft.com/fwlink/?linkid=2344403

This error is triggered when the unattend.xml is queried insecurely or when WDS starts.
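The Debug channel these events are written to is an analytic-style log, which is disabled by default and must be read with the -Oldest switch. The script below is an added example, not part of the Microsoft article, that enables the log and counts the two event types above. The article gives the log name and the message text but no event IDs, so the filter matches on level (2 = Error, 3 = Warning) and on the message text rather than on an ID.

```powershell
# Added example (not from the Microsoft article): enable the WDS diagnostics
# Debug log and pull the warning/error entries described in the article.
# Run in an elevated PowerShell session on the WDS server.

$LogName = 'Microsoft-Windows-Deployment-Services-Diagnostics/Debug'

# Debug/Analytic logs are disabled by default; enable this one so entries are recorded.
wevtutil.exe sl $LogName /e:true

# Debug logs can only be read with -Oldest. Level 2 = Error, Level 3 = Warning.
$events = Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -in 2, 3 }

# Secure mode: WDS refused an unattend.xml request over an insecure connection.
$blocked  = @($events | Where-Object { $_.Message -like '*Unattend file request was made over an insecure connection*' })

# Insecure mode: the AllowHandsFreeFunctionality = 1 override is in effect.
$insecure = @($events | Where-Object { $_.Message -like '*insecure settings for Windows Deployment Services*' })

[pscustomobject]@{
    BlockedInsecureRequests = $blocked.Count
    InsecureModeErrors      = $insecure.Count
}

# Show the most recent entries of either kind for review.
$blocked + $insecure |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message
```

A non-zero BlockedInsecureRequests count on a server in secure mode indicates clients are still attempting hands-free deployment and need to be moved to one of the alternate methods; any InsecureModeErrors entries mean the insecure override is still set on that server.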

Summary of action steps (January – April 2026) 

  • Review your WDS configuration and identify unattend.xml usage.

  • Apply the recommended registry key (AllowHandsFreeFunctionality=0) to enforce secure deployment.

  • Monitor Event Viewer for warnings or errors related to unattend.xml access.

  • Prepare for releases following the April 2026 security update by removing reliance on hands-free deployment.

  • Administrators can override the secure-by-default configuration so that hands-free deployment continues to work, but this is not recommended. We recommend keeping this feature disabled to maintain a secure configuration and migrating to alternative methods.
