Microsoft has announced a two-phase plan to disable the hands-free deployment feature of Windows Deployment Services (WDS) after a serious remote code execution (RCE) vulnerability, tracked as CVE-2026-0386, was found in it. The flaw is an improper access control weakness: an unauthenticated attacker on an adjacent network can steal sensitive configuration files and run arbitrary code during network-based OS deployments. Windows Deployment Services is a server role that lets IT administrators install Windows operating systems over the network, usually by PXE (Preboot Execution Environment) booting the target machines.

Hands-free deployment, a core part of this role, uses an Unattend.xml answer file to automate the installation screens (including the ones where credentials are supplied) so that no operator intervention is needed.

The feature is widely used in enterprises to provision large batches of machines quickly. On January 13, 2026, Microsoft published the Windows Deployment Services vulnerability CVE-2026-0386. It describes an improper access control condition (CWE-284) in WDS that arises because the Unattend.xml file is delivered over an RPC channel that is not authenticated.

Because the answer file is exposed through the RemoteInstall share without authentication, an attacker on the same network segment can intercept it, harvest any embedded credentials, or inject code that runs during the deployment. Security researchers have said a successful exploit can yield SYSTEM-level access on the deployed machine, enable lateral movement across the domain, and even allow poisoning of OS deployment images, which makes this a supply-chain-level risk in enterprise data centers.

Microsoft rates the vulnerability with a CVSS v3.1 vector of AV:A/AC:H/PR:N/UI:N (adjacent network, high attack complexity, no privileges or user interaction required) and High impact on Confidentiality, Integrity, and Availability. It affects Windows Server from Server 2008 through Server 2025, including Server 2016, 2019, 2022, and 23H2.

The Two-Phase Hardening Timeline

Microsoft is rolling out the fix in two stages.

Phase 1 (January 13, 2026): hands-free deployment remains enabled, but administrators can now turn it off.

The January update adds new Event Log alerts and a registry control that lets administrators enforce the safe behavior now: set the AllowHandsFreeFunctionality value to 0 under HKLM\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend.

Phase 2 (April 2026): hands-free deployment is turned off by default.

After the April security update, administrators who made no registry change between January and April 2026 will find the feature blocked automatically. Those who genuinely still need it can temporarily re-enable it by setting AllowHandsFreeFunctionality = 1, but Microsoft is explicit that this is not a secure configuration and should be used only as a short-term workaround.

Recommended actions now: audit every WDS server for how Unattend.xml is used; install the January 13, 2026 (or later) Windows security update; set AllowHandsFreeFunctionality to 0 so the secure behavior is in force before the April 2026 default change; and watch Event Viewer for the new alerts about insecure access to unattend.xml.
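The following PowerShell script is an added example (not from the article, the KB, or Microsoft) that carries out the audit-and-enforce steps above on a WDS server. It assumes the registry location reconstructed from the article's text (HKLM\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend, DWORD AllowHandsFreeFunctionality) and that the January 2026 update, which introduces that value, is installed; the switch name and event details are otherwise not documented on this page, so treat the path and the 0/1 semantics as assumptions to confirm against KB 5074952.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's tooling: report and optionally enforce the WDS
# hands-free deployment switch. Run on the WDS server itself.
# ASSUMPTION: key path and value name are reconstructed from the article; verify
# against KB 5074952 before relying on them.
param([switch]$Enforce)   # without -Enforce the script only reports

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdsServer\Providers\WdsImgSrv\Unattend'
$ValueName = 'AllowHandsFreeFunctionality'

function Get-HandsFreeState {
    # Returns 'KeyMissing', 'ValueMissing', or the current value as a string.
    if (-not (Test-Path $KeyPath)) { return 'KeyMissing' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }
    return [string]$item.$ValueName
}

# 1. Only WDS hosts are in scope; bail out early elsewhere.
$role = Get-WindowsFeature -Name WDS -ErrorAction SilentlyContinue
if (-not $role -or -not $role.Installed) {
    Write-Output 'WDS role not installed on this server; nothing to harden.'
    return
}

# 2. Show how the server is configured for unattended installs. wdsutil ships
#    with the role; we only grep its config dump for the Unattend-related lines.
Write-Output '--- WDS server configuration (Unattend / answer-file settings) ---'
& wdsutil.exe /Get-Server /Show:Config 2>&1 | Select-String -Pattern 'Unattend' -Context 0,1

# 3. Inspect the hardening switch. Before the April 2026 update a missing value
#    means the feature is still on; per the article 0 is safe and 1 is the
#    temporary (unsafe) opt-in.
$state = Get-HandsFreeState
switch ($state) {
    'KeyMissing'   { Write-Warning "Key $KeyPath not present: January 2026 update probably not installed." }
    'ValueMissing' { Write-Warning "$ValueName not set: hands-free deployment still allowed until the April 2026 default change." }
    '0'            { Write-Output  "$ValueName = 0: hands-free deployment disabled (safe)." }
    '1'            { Write-Warning "$ValueName = 1: hands-free deployment explicitly re-enabled (unsafe, should be temporary)." }
    default        { Write-Warning "$ValueName has unexpected value '$state'." }
}

# 4. Optionally enforce the safe setting and restart the WDSServer service so
#    the image-server provider re-reads it.
if ($Enforce -and $state -ne '0') {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name WDSServer -Force
    Write-Output "Set $ValueName = 0 and restarted WDSServer; new state: $(Get-HandsFreeState)"
}
```

Run it once without -Enforce to see the current state across your WDS servers (for example via Invoke-Command), then with -Enforce on the hosts that still report the value as missing or 1. Setting the value to 0 before April 2026 means the default flip in the April update changes nothing on those servers, which avoids a surprise outage in the deployment pipeline.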

Where possible, move to deployment methods that are not affected by this flaw, such as Microsoft Intune, Windows Autopilot, or Microsoft Configuration Manager.

Microsoft's KB article 5074952 gives affected organizations the full remediation details. Administrators should act before April 2026 to keep their deployment pipelines running without interruption.
