For Organizations Which Utilize Microsoft Products
Microsoft has a default peer-to-peer update feature that allows an endpoint to download the needed update files from a different endpoint on the same network. By default, this is done through Port 7680.
From the Microsoft Learn Website:
No deployment package: Starting in version 1806, deploy software updates to devices without first downloading and distributing content to distribution points. This setting is beneficial when dealing with extremely large update content. Also use it when you always want clients to get content from the Microsoft Update cloud service. Clients in this scenario can also download content from peers that already have the necessary content. The Configuration Manager client continues to manage the content download, thus can utilize the Configuration Manager peer cache feature, or other technologies such as Delivery Optimization. This feature supports any update type supported by Configuration Manager software updates management, including Windows and Office updates. (Number 11)
The Issue
The issue with allowing peer-to-peer updates is that it leaves anyone on the updating machine’s network with access to an open port to all endpoints providing the updates AND your entire network.
ThreatLocker Recommendations*
IF: If your organization has high bandwidth available, there is no benefit to utilizing the peer-to-peer option. This setting should be disabled in the enterprise settings for your Microsoft account. By default, Microsoft will always use Port 7680 to allow peer-to-peer updates. ThreatLocker’s Network Access Controls (NAC) allow you to block and limit port use, as well as view any attempts to connect to your company’s network in the Unified Audit.
IF: If your organization struggles with bandwidth and/or updating Microsoft products directly from Microsoft servers would impact daily business, then peer-to-peer updates can be used. However, updates should be scheduled when network traffic can be monitored and endpoints on the network can be tracked.
*ThreatLocker does not make formal recommendations around the configuration of Microsoft products. The above information is made available to ensure your network is as secure as possible. Please speak to your Microsoft Account Representative or your Network Administrator before making changes that may impact your security. Contact a Cyber Hero for more information.
Additional Microsoft Information
Optimize Windows update delivery - Configuration Manager | Microsoft Learn
Automatically deploy software updates - Configuration Manager | Microsoft Learn