By Guru Baran
Publication Date: 2026-03-16 03:44:00
Microsoft has announced a two-phase plan to disable the hands-free deployment feature in Windows Deployment Services (WDS) following the discovery of a critical remote code execution (RCE) vulnerability tracked as CVE-2026-0386.
The flaw, rooted in improper access control, allows an unauthenticated attacker on an adjacent network to intercept sensitive configuration files and execute arbitrary code during network-based OS deployments.
Windows Deployment Services is a server role that enables IT administrators to deploy Windows operating systems remotely over a network, typically using PXE (Preboot Execution Environment) boot.
A core feature of this service, hands-free deployment, relies on an Unattend.xml answer file to automate installation screens, including credential entry, without requiring manual operator intervention. This feature is widely used in enterprise environments to efficiently…




