Microsoft Warns of Insecure WDS Deployments After KB5074109 Update



A recent Microsoft KB5074109 update delivers several security-focused changes, including an update for Secure Boot certificates on Windows 11. The update also quietly tightens protections around Windows Server deployments, following new vulnerability disclosures.

Windows Server deployments face a security shift after the KB5074109 update

According to Neowin, the update includes a notice about hardening Windows Deployment Services (WDS), specifically its hands-free deployment feature used by IT administrators. This feature relies on an Unattend.xml answer file to automate Windows installations across networks.

The answer file often stores credentials and sensitive configuration data. A newly disclosed vulnerability, CVE-2026-0386, shows that attackers can exploit this file if they intercept it over an insecure connection. Such an attack could lead to remote code execution (RCE) or credential theft during deployment.
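As an added example (not code from the article or from Microsoft), the following Python script audits an Unattend.xml answer file for the credential elements the article refers to, so an administrator can see what an intercepted file would hand over. The element names come from the Windows Setup unattend schema; the sample answer file is constructed and every password in it is a placeholder.

```python
"""Audit an Unattend.xml answer file for embedded credentials (added example,
not from the article or Microsoft): list every populated password element, the
material an attacker gets by intercepting the file over an insecure WDS channel."""
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
SECRET_TAGS = {"AdministratorPassword", "Password"}  # schema elements that carry secrets

# Constructed sample answer file; every secret is a placeholder value.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin"><Identification><Credentials>
   <Domain>CORP</Domain><Username>svc_join</Username><Password>Join-PLACEHOLDER</Password>
  </Credentials><JoinDomain>corp.example</JoinDomain></Identification></component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <UserAccounts><AdministratorPassword>
    <Value>Admin-PLACEHOLDER</Value><PlainText>true</PlainText>
   </AdministratorPassword></UserAccounts>
   <AutoLogon><Enabled>true</Enabled><Username>Administrator</Username>
    <Password><Value>QXV0by1QTEFDRUhPTERFUg==</Value><PlainText>false</PlainText></Password>
   </AutoLogon>
  </component>
 </settings>
</unattend>"""


def find_credentials(xml_text):
    """Return (pass, component, element, plaintext) for each populated secret."""
    findings = []
    root = ET.fromstring(xml_text)
    for settings in root.iter(NS + "settings"):
        for comp in settings.iter(NS + "component"):
            for elem in comp.iter():
                tag = elem.tag.replace(NS, "")
                if tag not in SECRET_TAGS:
                    continue
                value = elem.find(NS + "Value")
                if value is not None:
                    # Nested form. PlainText=false means base64 encoding only, not
                    # encryption, so an intercepted file still yields the password.
                    flag = elem.find(NS + "PlainText")
                    plain = flag is None or (flag.text or "").strip().lower() == "true"
                    text = value.text
                else:
                    plain, text = True, elem.text  # flat form, e.g. domain-join credentials
                if text and text.strip():
                    findings.append((settings.get("pass"), comp.get("name"), tag, plain))
    return findings
```

Run `find_credentials` over each answer file your WDS share serves; any non-empty result is material that must not travel over an insecure channel.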

Microsoft warns admins to move away from insecure WDS hands-free installations before April 2026

To reduce risk, Microsoft has started phasing out hands-free WDS deployments over insecure channels. As of the January 13 Patch Tuesday update, the feature remains available but deprecated. IT administrators can already disable it through new registry keys.

Microsoft advises organizations to migrate to alternative deployment methods before enforcement begins. After April 2026, Windows will block hands-free WDS deployments by default. Administrators will still retain the option to re-enable the feature using the AllowHandsFreeFunctionality registry key, although Microsoft explicitly warns that doing so will create an insecure configuration.

The company is also adding enhanced event logging to help administrators track deployment behavior and configuration changes. Until April 2026, systems without the new registry settings will continue to function, but Windows will automatically block hands-free deployments once the deadline passes.

Microsoft has published a dedicated KB support article outlining the changes and recommended actions, and IT admins should review it carefully.

It’s also worth noting that KB5074109 has caused Azure Virtual Desktop connection issues for some users. A workaround exists, and Microsoft continues to monitor reports related to that separate problem.
