top of page
Blog: Blog2

How to disable WUDO

I recently installed Security Onion in my home lab and one of the things that immediately jumped out to me was an alarming amount of traffic on TCP port 7680 between 2 individual hosts inside the network

When I exported this traffic into a pcap and analysed it with Wireshark, the traffic is presented as the “Swarm Protocol

The Swarm protocol is a distributed storage platform and content distribution service The objective is a peer-to-peer storage and serving solution in this case because these are Windows 10 computers this is specifically being used by Window Update Delivery Optimization (WUDO). WUDO is designed to enable Windows computers to share downloaded updates with other Windows computers on their local network and even out on the Internet. It uses a service called Delivery Optimization (DoSvc) which is responsible for the delivery optimization of updates as well as the various firewall exceptions that are required for it to work.

This feature is enabled by default on Windows 10 and in a home network this might be perfectly fine to use. However in a corporate environment this may be something you want to turn off. If one of the computers were to get compromised and someone could figure out how to modify the cached updates, they could potentially use this to distribute malicious updates or even cause a DoS (Denial of Service) by distributing a corrupted update that may cause computers to blue screen or even not boot at all.

So how do you disable this feature?

You can disable it on individual machines by clicking on Start > Settings > Updates & Security > Windows Update > Advanced Options > Delivery Optimization > Change On to Off

Alternatively you can disable WUDO by GPO (Group Policy Object) If you are in and Active Directory environment.

  • Open Group Policy Management either on a domain controller or by using RSAT on a workstation

  • Create and link a new policy

  • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Delivery Optimization > Download Mode

  • Change from Not Configured to Enabled

  • Change Download Mode to Bypass (100)

Once you apply this GPO to your workstations you can either open a command prompt and run gpupdate /force from each client, reboot each client or just let each client update the GPO on it’s own schedule which is every 90 minutes by default

Once the GPO has been applied, WUDO will then be disabled

Recent Posts

See All

Packet sniffing on Windows 10

A packet sniffer is a program that monitors the network activity on a computer down to an individual packet level. This is often used by network administrators for monitoring network traffic and troub

Data Exfiltration with Hping3

Many organizations do a great job of filtering inbound traffic but will often leave the outbound traffic unfiltered or at least have some sort of application aware filtering on the egress. ICMP is one


bottom of page