{"id":15866,"date":"2026-04-11T03:01:03","date_gmt":"2026-04-10T18:01:03","guid":{"rendered":"https:\/\/m365jp.net\/?p=15866"},"modified":"2026-04-11T03:01:34","modified_gmt":"2026-04-10T18:01:34","slug":"mc1276259-windows-deployment-services-wds-hands-free-deployment-hardening-phase-2","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2026-04-11-mc1276259-windows-deployment-services-wds-hands-free-deployment-hardening-phase-2","title":{"rendered":"MC1276259 | Windows Deployment Services (WDS): Hands-free deployment hardening (Phase 2)"},"content":{"rendered":"
\n
\n
\n\n\n\n
MC1276259 | Windows Deployment Services (WDS): Hands-free deployment hardening (Phase 2)<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\n\n\n\n\n\n\n\n
Classification<\/th>\nstayInformed<\/td>\n<\/tr>\n
Last Updated<\/th>\n04\/10\/2026 17:13:01<\/td>\n<\/tr>\n
Start Time<\/th>\n04\/10\/2026 17:12:59<\/td>\n<\/tr>\n
End Time<\/th>\n04\/10\/2027 17:12:59<\/td>\n<\/tr>\n
Message Content<\/th>\n\n
As announced in January\u202f2026, the unattend.xml<\/a> file used in hands\u2011free deployment poses a vulnerability when transmitted over an unauthenticated RPC channel. Beginning with the April\u202f2026 security update, the second phase of hardening<\/a> for CVE-2026-0386<\/a> is now in effect. These changes make hands\u2011free deployment disabled by default<\/b> to enforce secure behavior. After this update, hands\u2011free deployment no longer works unless explicitly overridden with registry settings.<\/div>\n
<\/div>\n
When will this happen:<\/b><\/div>\n
Starting with the April\u202f2026 security update, Windows Deployment Services (WDS) enforces secure\u2011by\u2011default behavior by automatically disabling hands\u2011free deployment.<\/div>\n
<\/div>\n
How this will affect your organization:<\/b><\/div>\n
After installing the April\u202f2026 security update, hands\u2011free deployment is blocked to prevent unauthenticated access to unattend.xml, enforcing the hardening requirements for CVE-2026-0386<\/a>. Any workflows that rely on unattend.xml\u2011based deployment will no longer function unless overridden with registry settings.<\/div>\n
<\/div>\n
What you need to do to prepare:<\/b><\/div>\n
Organizations that still require hands\u2011free deployment after installing the April\u202f2026 security update must explicitly override the secure default by setting the AllowHandsFreeFunctionality<\/em> registry value to 1<\/b>, which keeps unattend.xml\u2011based deployments operational but reintroduces the security risks associated with CVE-2026-0386<\/a>. When this override is used, devices will log diagnostic messages indicating that they are operating in an insecure mode. Because this configuration is not recommended for long\u2011term use, IT admins should plan to migrate to alternate deployment solutions and return to secure\u2011by\u2011default behavior.<\/div>\n
Machine Translation<\/th>\n\n
2026\u5e741\u6708?\u306b\u767a\u8868\u3055\u308c\u305f\u3088\u3046\u306b\u3001\u30cf\u30f3\u30ba\u30d5\u30ea\u30fc\u5c55\u958b\u3067\u4f7f\u7528\u3055\u308c\u308bunattend.xml<\/a>\u30d5\u30a1\u30a4\u30eb\u306f\u8a8d\u8a3c\u3055\u308c\u3066\u3044\u306a\u3044RPC\u30c1\u30e3\u30cd\u30eb\u7d4c\u7531\u3067\u9001\u4fe1\u3055\u308c\u308b\u3068\u8106\u5f31\u6027\u3092\u62b1\u3048\u3066\u3044\u307e\u3059\u30022026\u5e744\u6708?\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u304b\u3089\u3001CVE-2026-0386<\/a>\u306e\u7b2c2\u6bb5\u968e\u306e\u30cf\u30fc\u30c9\u30a8\u30f3\u30c7\u30a3\u30f3\u30b0<\/a>\u304c\u5b9f\u65bd\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u5909\u66f4\u306b\u3088\u308a\u3001\u30cf\u30f3\u30ba\u30d5\u30ea\u30fc\u5c55\u958b\u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u7121\u52b9<\/b>\u5316\u3055\u308c\u3001\u5b89\u5168\u306a\u52d5\u4f5c\u3092\u5f37\u5236\u3057\u307e\u3059\u3002\u3053\u306e\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u4ee5\u964d\u3001\u30cf\u30f3\u30ba\u30d5\u30ea\u30fc\u5c55\u958b\u306f\u30ec\u30b8\u30b9\u30c8\u30ea\u8a2d\u5b9a\u3067\u660e\u793a\u7684\u306b\u4e0a\u66f8\u304d\u3057\u306a\u3044\u9650\u308a\u6a5f\u80fd\u3057\u306a\u304f\u306a\u308a\u307e\u3057\u305f\u3002<\/div>\n
<\/div>\n
\u3053\u308c\u306f\u3044\u3064\u5b9f\u73fe\u3057\u307e\u3059\u304b:<\/b><\/div>\n
2026\u5e744\u6708?\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u304b\u3089\u3001Windows Deployment Services(WDS)\u306f\u30cf\u30f3\u30ba\u30d5\u30ea\u30fc\u5c55\u958b\u3092\u81ea\u52d5\u7684\u306b\u7121\u52b9\u5316\u3057\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u52d5\u4f5c\u3092\u5f37\u5236\u3057\u307e\u3059\u3002<\/div>\n
<\/div>\n
\u3053\u308c\u304c\u3042\u306a\u305f\u306e\u7d44\u7e54\u306b\u3069\u306e\u3088\u3046\u306a\u5f71\u97ff\u3092\u4e0e\u3048\u308b\u304b:<\/b><\/div>\n
2026\u5e744\u6708\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u5f8c\u306f\u3001unattend.xml\u3078\u306e\u8a8d\u8a3c\u3055\u308c\u3066\u3044\u306a\u3044\u30a2\u30af\u30bb\u30b9\u3092\u9632\u3050\u305f\u3081\u306b\u30cf\u30f3\u30ba\u30d5\u30ea\u30fc\u5c55\u958b\u304c\u30d6\u30ed\u30c3\u30af\u3055\u308c\u3001 CVE-2026-0386<\/a>\u306e\u5f37\u5316\u8981\u4ef6\u304c\u5f37\u5236\u3055\u308c\u307e\u3059\u3002unattend.xml\u30d9\u30fc\u30b9\u306e\u30c7\u30d7\u30ed\u30a4\u30e1\u30f3\u30c8\u306b\u4f9d\u5b58\u3059\u308b\u30ef\u30fc\u30af\u30d5\u30ed\u30fc\u306f\u3001\u30ec\u30b8\u30b9\u30c8\u30ea\u8a2d\u5b9a\u3092\u4e0a\u66f8\u304d\u3057\u306a\u3044\u9650\u308a\u6a5f\u80fd\u3057\u307e\u305b\u3093\u3002<\/div>\n
<\/div>\n
\u6e96\u5099\u306e\u305f\u3081\u306b\u3084\u308b\u3079\u304d\u3053\u3068:<\/b><\/div>\n
2026\u5e744\u6708\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u305f\u5f8c\u3082\u30cf\u30f3\u30ba\u30d5\u30ea\u30fc\u5c55\u958b\u304c\u5fc5\u8981\u306a\u7d44\u7e54\u306f\u3001 AllowHandsFreeFunctionality<\/em> \u30ec\u30b8\u30b9\u30c8\u30ea\u5024\u3092 1<\/b>\u306b\u8a2d\u5b9a\u3057\u3066\u30bb\u30ad\u30e5\u30a2\u30c7\u30d5\u30a9\u30eb\u30c8\u3092\u660e\u793a\u7684\u306b\u4e0a\u66f8\u304d\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u308aunattend.xml\u30d9\u30fc\u30b9\u306e\u30c7\u30d7\u30ed\u30a4\u30e1\u30f3\u30c8\u306f\u904b\u7528\u3092\u7d99\u7d9a\u3057\u307e\u3059\u304c\u3001 CVE-2026-0386<\/a>\u306b\u95a2\u9023\u3059\u308b\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ea\u30b9\u30af\u304c\u518d\u3073\u5c0e\u5165\u3055\u308c\u307e\u3059.\u3053\u306e\u30aa\u30fc\u30d0\u30fc\u30e9\u30a4\u30c9\u3092\u4f7f\u7528\u3059\u308b\u3068\u3001\u30c7\u30d0\u30a4\u30b9\u306f\u975e\u5b89\u5168\u30e2\u30fc\u30c9\u3067\u52d5\u4f5c\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u3059\u8a3a\u65ad\u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u8a18\u9332\u3057\u307e\u3059\u3002\u3053\u306e\u69cb\u6210\u306f\u9577\u671f\u4f7f\u7528\u306b\u306f\u63a8\u5968\u3055\u308c\u3066\u3044\u306a\u3044\u305f\u3081\u3001IT\u7ba1\u7406\u8005\u306f\u4ee3\u66ff\u306e\u5c55\u958b\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u3078\u306e\u79fb\u884c\u3092\u8a08\u753b\u3057\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u52d5\u4f5c\u306b\u623b\u308b\u3079\u304d\u3067\u3059\u3002<\/div>\n
<\/div>\n
\u8ffd\u52a0\u60c5\u5831:<\/b><\/div>\n