Headline
CVE-2026-0386: Windows Deployment Services Remote Code Execution Vulnerability
Are there additional steps I need to take to be protected from this vulnerability?
Admins should take the following steps to be protected from CVE-2026-0386:
- Audit existing WDS usage and identify hands-free deployments.
- Opt in for protection by configuring the registry settings described in: Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance. This will provide immediate protection.
This security protection will be enabled by default in a future security update release and no additional administrator action will be required.
How is Microsoft addressing this vulnerability?
To address this vulnerability, by default the hands-free deployment feature will not be supported beginning with a security update in a future release in mid-2026.
Why is the WDS Unattended Installation feature being deprecated?
The legacy WDS workflow transmits unattend.xml over unauthenticated RPC, exposing sensitive credentials during PXE boot. This creates a security risk, including potential machine-in-the-middle (MITM) attacks. To strengthen security posture, Microsoft is enforcing authenticated RPC by default and removing the insecure workflow.
Isn’t using WDS within a network-isolated environment sufficient to mitigate this vulnerability?
Even in isolated networks, unauthenticated RPC introduces attack surfaces that can be exploited internally. Security best practices require eliminating unencrypted credential transmission and enforcing authenticated channels.
What is the impact of this change?
Hands-free deployments that rely on unauthenticated RPC will no longer work by default. Administrators can override this behavior via a registry key (See Windows Deployment Services (WDS) Hands-Free Deployment Hardening Guidance, but this is not recommended for production environments.
Are there any recommended alternative solutions?
Please see Windows Deployment Services (WDS) boot.wim support for alternate recommendations by Microsoft.