Geoffrey Sauvageot-Berland
I am an engineer in computer science and cybersecurity with a generalist background. Initially a systems and network administrator, I am currently working as a pentester at Orange Cyberdefense, specializing in offensive security. I also teach as a lecturer at CPE Lyon and occasionally share technical content through my blog “Le Guide du SecOps”.
Session
Windows Deployment Services (WDS) is a partially deprecated Windows role providing PXE boot services for deploying machines over a LAN. Although its usage has declined since the release of Windows 11, it often remains in Active Directory environments because it has been overlooked, leaving even up-to-date networks potentially exposed. Default administrative practices, sometimes masked by Windows behaviors, further increase the attack surface. The recent deprecation of Microsoft Deployment Toolkit (MDT), widely used for image orchestration and customization alongside WDS, accelerates the ecosystem’s retirement while leaving existing deployments exposed and security issues unresolved.

This presentation examines the attack vectors that can be exploited against WDS servers in Active Directory environments. Scenarios will include credential leakage, WinPE image extraction, and a supply chain attack, demonstrated through examples from real-world penetration tests on information systems. Practical exploitation paths, common misconfigurations, and residual artifacts left after removal of PXE components will be highlighted. Possible ways to address these risks in enterprise environments will also be discussed.