Microsoft Begins Phase Two of Windows Deployment Services Security Hardening
Microsoft has announced that it will soon begin phase two of security hardening for Windows Deployment Services (WDS), a network-based tool widely used by administrators to deploy Windows across multiple systems in enterprise environments.
The company first warned about upcoming changes in January 2026 after identifying a vulnerability tracked as CVE-2026-0386. The issue is related to how automated Windows deployments transmit configuration files during installation.
Vulnerability Linked to Unattend.xml Files
The vulnerability stems from the way Unattend.xml files, commonly known as answer files, are transmitted during automated deployments.
These files can include sensitive data such as administrator credentials and deployment configuration details. In certain environments, the files may be transmitted over unauthenticated Remote Procedure Call (RPC) channels.
If an attacker is present on the same network, they could intercept these transmissions. In some cases, this could expose credentials or potentially allow remote code execution on targeted systems.
Because of this risk, Microsoft has started tightening security controls around Windows Deployment Services.
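The risk described above starts with what the answer file carries: if an Unattend.xml holds account passwords, anything that can read it in transit reads the credentials too. The following Python script is an added example (not code from the article, Neowin or Microsoft) that a deployment team can run over its own answer files to find every credential-bearing element before the file is ever served. It walks the standard unattend schema and reports the `WindowsDeploymentServices/Login/Credentials/Password`, `AutoLogon/Password` and `UserAccounts/AdministratorPassword` elements, noting whether each is marked `PlainText`. The sample answer file is constructed for this example with made-up values; the treatment of a missing `PlainText` element as "not plain text" is an assumption made here.

```python
"""Audit a Windows Unattend.xml answer file for embedded credentials (added example)."""
import xml.etree.ElementTree as ET

UNATTEND_NS = "urn:schemas-microsoft-com:unattend"
# Element names in the unattend schema that hold account passwords.
CREDENTIAL_TAGS = {"Password", "AdministratorPassword"}

# Constructed sample answer file for this example; every value is made up.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64">
      <WindowsDeploymentServices>
        <Login>
          <Credentials>
            <Domain>corp.example</Domain>
            <Username>wds-deploy</Username>
            <Password>Winter2026!</Password>
          </Credentials>
        </Login>
      </WindowsDeploymentServices>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
        <Password>
          <Value>P@ssw0rd</Value>
          <PlainText>true</PlainText>
        </Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>UGxhY2Vob2xkZXJCYXNlNjQ=</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}Password' -> 'Password'."""
    return tag.rsplit("}", 1)[-1]


def _describe(elem, trail, pass_name, component):
    """Build a finding for one credential element; the secret itself is never copied."""
    value_el = elem.find(f"{{{UNATTEND_NS}}}Value")
    if value_el is not None:
        # <Password><Value>..</Value><PlainText>..</PlainText></Password> form.
        plain_el = elem.find(f"{{{UNATTEND_NS}}}PlainText")
        # Assumption for this example: a missing PlainText element means "not plain text".
        plaintext = plain_el is not None and (plain_el.text or "").strip().lower() == "true"
        value = value_el.text or ""
    else:
        # Bare <Password>text</Password> form, as used under Login/Credentials.
        plaintext = True
        value = elem.text or ""
    return {
        "pass": pass_name,
        "component": component,
        "path": "/".join(trail),
        "plaintext": plaintext,
        "length": len(value.strip()),  # only the length is recorded, never the value
    }


def scan_unattend(xml_text):
    """Return a finding for every non-empty password element, in document order."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, trail, pass_name, component):
        name = _local(elem.tag)
        if name == "settings":
            pass_name = elem.get("pass", "?")
        elif name == "component":
            component = elem.get("name", "?")
        trail = trail + [name]
        if name in CREDENTIAL_TAGS:
            finding = _describe(elem, trail, pass_name, component)
            if finding["length"] > 0:
                findings.append(finding)
            return  # do not descend into the credential element itself
        for child in elem:
            walk(child, trail, pass_name, component)

    walk(root, [], None, None)
    return findings


def risk_level(findings):
    """Summarise: plaintext credentials > obfuscated (base64, not encrypted) > none."""
    if any(f["plaintext"] for f in findings):
        return "plaintext-credentials"
    if findings:
        return "obfuscated-credentials"
    return "none"


if __name__ == "__main__":
    results = scan_unattend(SAMPLE_UNATTEND)
    for f in results:
        print(f"[{f['pass']}] {f['component']}: {f['path']} plaintext={f['plaintext']}")
    print("risk:", risk_level(results))
```

Run it against each answer file in the deployment share; any file that scores above `none` should be treated as a secret, not a configuration artifact, which is exactly the exposure the unauthenticated RPC transport creates. Note that `PlainText=false` only means the value is base64-obfuscated, so the script does not downgrade such findings to "safe".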
Phase Two Will Disable Hands-Free Deployments
Microsoft plans to remove support for hands-free deployments that rely on insecure communication channels. This change is part of the second phase of the company’s WDS hardening rollout.
During phase one, introduced in January 2026, administrators were advised to block unauthenticated access to Unattend.xml files and disable hands-free deployment through a registry setting.
With phase two, hands-free deployment will be fully disabled, and WDS will operate in a secure-by-default configuration.
Microsoft says that administrators who do not make changes between January and April 2026 will see hands-free deployment automatically blocked after the April 2026 security update is installed.
Configuration Manager Deployments Not Affected
Microsoft confirmed that the vulnerability does not impact Microsoft Configuration Manager environments.
Configuration Manager only uses WDS to deliver boot.wim files and network bootstrap components. It does not rely on the vulnerable Unattend.xml deployment workflow.
The company also confirmed that Windows installation methods relying on boot.wim combined with Windows Setup running directly in WDS mode are no longer supported.
Microsoft says it plans to gradually phase out legacy Windows Deployment Services workflows in favor of more secure deployment technologies.
Other Recent Windows Issues
In other recent developments, Microsoft confirmed that the Galaxy Connect application was responsible for a bug that prevented some Windows 11 users from accessing the C: drive on certain Samsung devices.
The company has also received reports that the recent Windows update KB5079473 caused installation failures and system crashes for some users.
Microsoft says it continues to investigate these issues while working with partners to resolve compatibility problems.
Via Neowin