Microsoft is putting an end to a commonly used method for automatically rolling out Windows installations over the network. The change primarily affects organizations that use Windows Deployment Services (WDS) in combination with Unattend.xml files to perform installations without administrator intervention.
According to Microsoft, this approach poses a security risk, which is why it is now being phased out, Neowin writes. The change is prompted by a vulnerability registered as CVE-2026-0386. This flaw in WDS allows an attacker on the same network to execute unauthorized code.
The problem arises because so-called answer files, including Unattend.xml, can be sent over an unsecured Remote Procedure Call (RPC) channel. These files contain the information used to configure an installation automatically, such as configuration settings and sometimes credentials.
When such data is sent via an unauthenticated connection, there is a risk that it could be intercepted by an attacker. According to Microsoft, this could lead to the theft of login credentials or even the remote execution of code on systems within the network.
The company states in supporting documentation that support for automatic deployments via insecure communication channels will be removed by default. With this, Microsoft aims to reduce the risk of sensitive installation data leaking over the network.
The measure is part of a broader security enhancement for Windows Deployment Services. Microsoft began the first phase of these changes back in January. During that period, system administrators were advised to block unauthenticated access to Unattend.xml files and disable automatic installations via a registry key.
Next phase disables automatic installations
The next phase goes beyond mere recommendations. Microsoft is completely disabling the unattended installation method, placing systems in a more secure configuration by default. Organizations that do not make adjustments to their configuration will find that automatic deployments via WDS are automatically blocked after the April 2026 security update.
Microsoft emphasizes that the change does not affect Microsoft Configuration Manager. In that platform, WDS is used exclusively to deliver boot files, such as boot.wim. According to the company, these files are not distributed via the same vulnerable method and are therefore not affected by the security issue.
The change is part of a broader strategy by Microsoft to gradually replace older deployment methods with more modern and secure alternatives. The company is expected to continue phasing out legacy WDS workflows in the coming period and to encourage organizations to switch to more modern deployment techniques.