Microsoft blocks automated installs, issues emergency hotpatch

Microsoft will block automated Windows 11/Server 2025 installs after the discovery of a WDS RCE (CVE‑2026‑0386), a move the company flagged as intended to stop reported exploitation. Separately, Microsoft released an emergency hotpatch (KB5084597) for Windows 11 addressing a critical RRAS networking vulnerability that could be exploited remotely.

Microsoft will roll out the WDS hands‑free deployment hardening in two phases, with initial warnings issued after January updates and full enforcement scheduled for April 2026 (support.microsoft.com). The flaw tracked as CVE‑2026‑0386 involves exposure of Unattend.xml answer files on the RemoteInstall share during native WDS PXE deployments, enabling adjacent‑network interception of credentials or code injection (support.microsoft.com). Microsoft says the change affects only native WDS scenarios that reference an Unattend.xml file and does not impact Configuration Manager deployments, which use WDS only for boot.wim and NBP files (support.microsoft.com). Administrators can still re‑enable hands‑free behavior via a registry override while Microsoft phases in the restriction, and the vendor recommends WinPE‑based alternatives for automated imaging workflows as long‑term options (4sysops.com).

The out‑of‑band hotpatch KB5084597 was released March 13, 2026 and targets Windows 11 version 25H2, 24H2 and LTSC 2024 builds (noted as OS builds 26200.7982 and 26100.7982) to address critical RRAS flaws (support.microsoft.com). KB5084597 delivers a restartless hotpatch for devices enrolled in Microsoft’s hotpatch program and remediates three RRAS vulnerabilities tracked as CVE‑2026‑25172, CVE‑2026‑25173 and CVE‑2026‑26111, which Microsoft classified as high‑risk RCE/networking issues (bleepingcomputer.com).
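An added defender-side check for the two items above, not from the briefing or from Microsoft: it lists answer files under the WDS RemoteInstall tree that carry credential material (the exposure CVE‑2026‑0386 describes) together with who can read them, and confirms whether KB5084597 is recorded as installed. It assumes the default RemoteInstall path of C:\RemoteInstall and that the hotpatch is visible to Get-HotFix; both are assumptions to verify on your own servers.

```powershell
# Added audit example (not the vendor's tooling). Assumptions: WDS images live under
# C:\RemoteInstall (the default; override with -RemoteInstallRoot) and the hotpatch is
# listed by Get-HotFix. Run on the WDS server / patched host with local admin rights.
param(
    [string]$RemoteInstallRoot = 'C:\RemoteInstall',
    [string]$HotpatchKB        = 'KB5084597'
)

# 1. Answer files on the RemoteInstall share that embed credentials. <Password>,
#    <Credentials> and <PlainText>true</PlainText> are standard Unattend.xml elements;
#    WdsClientUnattend is the folder WDS uses for client answer files.
$findings = Get-ChildItem -Path $RemoteInstallRoot -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'unattend' -or $_.DirectoryName -match 'WdsClientUnattend' } |
    ForEach-Object {
        $content = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($content -match '<(Password|Credentials)>' -or
            $content -match '<PlainText>\s*true\s*</PlainText>') {
            $acl = Get-Acl -LiteralPath $_.FullName
            [pscustomobject]@{
                File    = $_.FullName
                # Identities with any read right: anything beyond deployment accounts is a finding.
                Readers = ($acl.Access |
                           Where-Object { $_.FileSystemRights.ToString() -match 'Read' } |
                           ForEach-Object { $_.IdentityReference.Value }) -join ', '
            }
        }
    }

if ($findings) {
    Write-Warning "Credential-bearing answer files under ${RemoteInstallRoot}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No credential-bearing answer files found under $RemoteInstallRoot."
}

# 2. Hotpatch presence. Get-HotFix reads the installed-update list (Win32_QuickFixEngineering);
#    if the hotpatch is not recorded there on your build, fall back to Settings > Update history.
if (Get-HotFix -Id $HotpatchKB -ErrorAction SilentlyContinue) {
    Write-Host "$HotpatchKB is recorded as installed."
} else {
    Write-Warning "$HotpatchKB is not recorded as installed on this host."
}
```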
