{"id":39129,"date":"2025-09-01T00:02:59","date_gmt":"2025-08-31T22:02:59","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=39129"},"modified":"2025-08-31T23:05:16","modified_gmt":"2025-08-31T21:05:16","slug":"windows-11-24h2-security-issue-caused-by-unattend-xml","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/09\/01\/windows-11-24h2-security-issue-caused-by-unattend-xml\/","title":{"rendered":"Windows 11 24H2: Security issue caused by unattend.xml"},"content":{"rendered":"<p><img decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; float: left;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/09\/01\/windows-11-24h2-sicherheitsproblem-durch-unattend-xml\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Administrators use an <em>unattend.xml<\/em> file to install and set up Windows. The <em>unattend.xml<\/em> file can be created using a generator. A blog reader already pointed out to me in July 2025 that using an <em>unattend.xml<\/em> file in Windows 11 24H2 causes a security issue. Here is an overview of the topic.<\/p>\n<p><!--more--><\/p>\n<h2>What are answer files (unattend.xml)?<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg04.met.vgwort.de\/na\/a54fca710dd247be9f62bd17491b9131\" alt=\"\" width=\"1\" height=\"1\" \/>Windows can be installed unattended and configured with default settings using <a href=\"https:\/\/learn.microsoft.com\/de-de\/windows-hardware\/manufacture\/desktop\/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11\" target=\"_blank\" rel=\"noopener\">answer files<\/a> (unattend.xml). These are .xml files that contain instructions for unattended installation. 
Windows Setup <a href=\"https:\/\/learn.microsoft.com\/de-de\/windows-hardware\/manufacture\/desktop\/windows-setup-automation-overview?view=windows-11#implicit-answer-file-search-order\" target=\"_blank\" rel=\"noopener\">automatically searches<\/a> for answer files in specific locations, or administrators can specify a file to use for unattended installation by using the \/unattend: option when <a href=\"https:\/\/learn.microsoft.com\/de-de\/windows-hardware\/manufacture\/desktop\/windows-setup-command-line-options?view=windows-11#unattend\" target=\"_blank\" rel=\"noopener\">running Windows Setup (setup.exe)<\/a>.<\/p>\n<p>For a complete list of answer file settings (also known as unattended installation settings), see the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/customize\/desktop\/unattend\/index\" target=\"_blank\" rel=\"noopener\">Windows Unattended Installation Reference<\/a>.<\/p>\n<h2>An unattend<em>.xml<\/em> generator<\/h2>\n<p>Christoph Schneegans provides an online generator for creating unattend.xml files at <a href=\"https:\/\/schneegans.de\/windows\/unattend-generator\/\" target=\"_blank\" rel=\"noopener\">Generate autounattend.xml files for Windows 10\/11<\/a>.<\/p>\n<p><a href=\"https:\/\/schneegans.de\/windows\/unattend-generator\/\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/HWhWrVBt\/image.png\" alt=\"Generator for answer files\" width=\"640\" height=\"589\" \/><\/a><\/p>\n<p>There, you can interactively select the desired parameters for the Windows installation in forms and generate the <em>unattend.xml<\/em> file.<\/p>\n<h2>Windows 11 24H2: Security issue caused by unattend.xml<\/h2>\n<p>A blog reader contacted me by email in mid-July 2025 and pointed out a security issue with unattend.xml in Windows 11 24H2 that he had encountered. 
He wrote to me: \"I am contacting you to draw your attention (if you are not already aware) to what I believe to be a critical issue that primarily affects businesses.\"<\/p>\n<p>It concerns the behavior of a Windows 11 24H2 installation when it is performed via unattend.xml, i.e., automatically using the XYZ deployment tool. Since Windows 11 24H2, two copies of this <em>unattend.xml<\/em> file are stored after installation in the folder<\/p>\n<p>C:\\Windows\\Panther\\<\/p>\n<p>The problem is that the \"unattend.xml\" file contains the administrator username created during installation in plain text (which, according to the reader, is bad enough, as administrator rights are not required to read this file).<\/p>\n<p>The reader wrote that during installation, the \"built-in\" administrator is often disabled by an <em>unattend.xml<\/em> file in accordance with Microsoft best practice. At the same time, an account for a local administrator is created.<\/p>\n<p>The name of this administrator account then appears in the unattend.xml file. Furthermore, the second saved file, \"<em>unattend-original.xml<\/em>\", contains not only the local administrator name but also the account's password in plain text.<\/p>\n<p>This means that companies that automatically set up clients with Windows 11 24H2 and do NOT change or customize the local administrator password, e.g., via LAPS, have a blueprint for the spread of a worm or worse located at <em>C:\\Windows\\Panther\\<\/em>.<\/p>\n<p>The obvious solution at this point is to delete these two files using a software distribution tool\/GPO. The reader wrote: If you search the internet for \"<em>unattend-original.xml<\/em>,\" you will currently find very little material, so I am not sure how critical this topic is. I have therefore posted the information here in the blog\u2014thanks to the reader for the tip.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Administrators use an unattend.xml file to install and set up Windows. 
The unattend.xml file can be created using a generator. A blog reader already pointed out to me in July 2025 that using an unattend.xml file in Windows 11 24H2 &hellip; <a href=\"https:\/\/borncity.com\/win\/2025\/09\/01\/windows-11-24h2-security-issue-caused-by-unattend-xml\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1319,580,2],"tags":[69,2860],"class_list":["post-39129","post","type-post","status-publish","format-standard","hentry","category-general","category-security","category-windows","tag-security","tag-windows-11-24h2"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=39129"}],"version-history":[{"count":5,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39129\/revisions"}],"predecessor-version":[{"id":39134,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/39129\/revisions\/39134"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=39129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=39129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=39129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}