
Microsoft recently issued a security fix for a critical network-based vulnerability with a new hotpatch update, KB5084597. Aside from this, the company also announced this week that it will soon be entering phase two of its security hardening of WDS.
For the uninitiated, Microsoft announced in January that it is tightening security around Windows Deployment Services (WDS), a long-standing tool used for network-based operating system deployments. The company confirmed that hands-free deployment workflows relying on Unattend.xml files are being phased out to protect against a security vulnerability tracked as CVE-2026-0386. The vulnerability description says: "Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network."
Microsoft says the issue stems from how Unattend.xml, the answer file, is transmitted. Answer files automate the installation prompts, including supplying credentials, and when one is sent over an unauthenticated Remote Procedure Call (RPC) channel, it can expose that sensitive data. An attacker on the same network could intercept it, leading to credential theft or remote code execution (RCE).
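To see what an intercepted answer file actually gives away, here is an added example (not code from Microsoft's article or support documentation) that audits an Unattend.xml for every credential it carries, so an admin can inventory which passwords need rotating before such a file is ever served over an unauthenticated channel. It assumes the standard `urn:schemas-microsoft-com:unattend` namespace and the Windows SIM convention that a `PlainText=false` value is base64 of the UTF-16LE password with a fixed suffix appended; the sample file is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"
# Password elements in an answer file, and the suffix Windows SIM appends before base64-encoding when <PlainText>false</PlainText> is set.
SECRET_SUFFIX = {"AdministratorPassword": "AdministratorPassword", "Password": "Password"}

def encode_secret(password, suffix):
    """Windows SIM 'hidden' form: base64(UTF-16LE(password + suffix)). Obfuscation, not encryption."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode("ascii")

def decode_secret(value, plaintext, suffix):
    """Recover the password held in a <Value>; PlainText=false is trivially reversible."""
    if plaintext:
        return value
    raw = base64.b64decode(value).decode("utf-16-le")
    return raw[: -len(suffix)] if raw.endswith(suffix) else raw

def audit_unattend(xml_text):
    """List every credential the answer file discloses as (pass, component, element, password)."""
    findings = []
    for settings in ET.fromstring(xml_text).iter(f"{{{NS}}}settings"):
        for comp in settings.iter(f"{{{NS}}}component"):
            for tag, suffix in SECRET_SUFFIX.items():
                for el in comp.iter(f"{{{NS}}}{tag}"):
                    value_el = el.find(f"{{{NS}}}Value")
                    if value_el is not None:  # <Value>/<PlainText> form (AutoLogon, UserAccounts)
                        flag = (el.findtext(f"{{{NS}}}PlainText") or "true").strip().lower() == "true"
                        secret = decode_secret(value_el.text or "", flag, suffix)
                    else:  # bare text form, e.g. UnattendedJoin <Credentials><Password>
                        secret = el.text or ""
                    findings.append((settings.get("pass"), comp.get("name"), tag, secret))
    return findings

# Constructed sample (not a real deployment's file): an obfuscated AutoLogon password, a plain-text local Administrator password and a domain-join account.
SAMPLE_UNATTEND = f"""<unattend xmlns="{NS}">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon><Enabled>true</Enabled><Username>Administrator</Username>
      <Password><Value>{encode_secret('Winter-2026', 'Password')}</Value><PlainText>false</PlainText></Password></AutoLogon>
    <UserAccounts><AdministratorPassword><Value>LocalAdm1n</Value><PlainText>true</PlainText></AdministratorPassword></UserAccounts>
  </component></settings>
  <settings pass="specialize"><component name="Microsoft-Windows-UnattendedJoin">
    <Identification><Credentials><Domain>corp.example</Domain><Username>joiner</Username><Password>J0in-Me</Password></Credentials></Identification>
  </component></settings>
</unattend>"""

if __name__ == "__main__":
    for pass_name, comp, tag, secret in audit_unattend(SAMPLE_UNATTEND):
        print(f"[{pass_name}] {comp}/{tag}: {secret}")
```

Every entry the audit returns is a credential that an interceptor on the adjacent network would obtain in the clear, whether or not the file used the "hidden" encoding.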
In a support article covering the topic, Microsoft says: “To mitigate this vulnerability and harden security, support for hands-free deployment over insecure channels will be removed by default.”
The company has also clarified that the vulnerability does not affect Microsoft Configuration Manager. Unlike native WDS scenarios, Configuration Manager uses WDS only to provide boot.wim and network bootstrap files, which are not exposed through the same mechanism.
Speaking of which, in a separate documentation article, Microsoft has detailed which Windows installation deployments that rely on boot.wim and Windows Setup running in WDS mode are no longer supported. The company has published a table to better explain the change:
| Windows Version being deployed | Boot.wim from Windows 10 | Boot.wim from Windows Server 2016 | Boot.wim from Windows Server 2019 | Boot.wim from Windows Server 2022 | Boot.wim from Windows 11 |
|---|---|---|---|---|---|
| Win 11 | Not supported, blocked. | Not supported, blocked. | Not supported, blocked. | Not supported, blocked. | Not supported, blocked. |
| Win 10 | Supported, using a boot image from matching or newer version. | Supported, using a boot image from a currently supported version of Windows 10. | Supported, using a boot image from a currently supported version of Windows 10. | Not supported. | Not supported. |
| Server 2025 | Not supported. | Not supported. | Not supported. | Not supported. | Not supported. |
| Server 2022 | Deprecated, with a warning message. | Deprecated, with a warning message. | Deprecated, with a warning message. | Deprecated, with a warning message. | Not supported. |
| Server 2019 | Supported, using a boot image from a currently supported version of Windows 10. | Supported. | Supported. | Not supported. | Not supported. |
| Server 2016 | Supported, using a boot image from a currently supported version of Windows 10. | Supported. | Not supported. | Not supported. | Not supported. |
In phase 1 of the WDS hardening, which started in January, admins were advised to block unauthenticated access to Unattend.xml and to disable hands-free deployment on WDS configurations via a registry entry. In the upcoming phase 2, hands-free deployment will be fully disabled by default, putting WDS in a "secure by default" state.
Going forward, Microsoft is expected to continue phasing out legacy WDS workflows in favor of more secure alternatives. The company has added that "if no action is taken (no registry key added) between January to April 2026, hands-free deployment will be blocked after the April 2026 security update" automatically.