Microsoft to Disable Hands-Free Deployment Due to Critical RCE Vulnerability

Microsoft to Disable Hands-Free Deployment Due to Critical RCE Vulnerability

First seen 16 Mar 2026, 06:30 UTC NeowinCybersecuritynews 88% similarity 72.6

Article Content

Browse articles
ThreatCluster

Microsoft is implementing a two-phase plan to disable the hands-free deployment feature in Windows Deployment Services (WDS) due to a critical remote code execution (RCE) vulnerability, CVE-2026-0386, published on January 13, 2026. This vulnerability allows unauthorized attackers on adjacent networks to intercept sensitive configuration files, leading to potential credential theft and arbitrary code execution. The first phase began in January 2026, advising administrators to block unauthenticated access to Unattend.xml files. In the upcoming second phase, hands-free deployment will be fully disabled by default. The change affects Windows 11 and Server 2025 installations that utilize WDS for automated deployments. Microsoft has clarified that Microsoft Configuration Manager is not impacted by this vulnerability. If no action is taken by April 2026, the hands-free deployment feature will be blocked automatically in the April security update. This move is part of Microsoft's broader efforts to enhance security in their deployment workflows.

Key Points: • Microsoft is disabling hands-free deployment in WDS due to CVE-2026-0386. • The vulnerability allows RCE via intercepted Unattend.xml files on adjacent networks. • Phase 2 of the security hardening will fully disable hands-free deployment by default.

ThreatCluster AI

Timeline

2026-01-05
Phase 1 of WDS hardening begins
2026-01-13
CVE-2026-0386 published
2026-04-01
Automatic blocking of hands-free deployment if no action taken

Community

Browse all →