TL;DR: “Recommended” vs “Required” is subject to debate. You are better off implementing the full list, published here.

 

I’ve been asked to help a few organizations recently that were all running into content issues and network saturation when trying to distribute or install software using Configuration Manager. In every case, the root cause was the same: the organization was using third-party antivirus and did not exclude the content library on Distribution Points and/or the client cache.

When Configuration Manager first imports a package from the content source, and when subsequent “Update Distribution Points” actions are performed, it creates a hash of the payload. Before a client executes a package delivered through Configuration Manager, it validates this hash. This process prevents an attacker from modifying the content to inject malicious code that would get executed upon installation under the System context.

The problem is, when antivirus programs scan items in the content library and cache directory, the scan has the potential to change the files just enough to alter the content hash. I don’t remember ever seeing a Defender scan change the hash, but the other common antivirus products seem to be more susceptible.

When clients attempt to use the content to install software, the hash check fails and causes the content to be downloaded from the DP again. If the package has also been modified on the Distribution Point, the client will invalidate the package after downloading it and try again. This process will repeat until it finds an unmodified package. However, because the DP is responding that the content is available, the client will likely obtain it from the same source, even in environments with multiple content locations available to a device.
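To find out which files a scanner has altered, you can compare per-file hashes between the scanned source folder and a distributed copy, such as a client's cached copy of the package. This is an added example, not code from the original post or from Microsoft; it does not reproduce Configuration Manager's own hashing, and the function names, folder names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result


def compare_content(source_root, copy_root):
    """Report files that differ between the scanned source and a copy."""
    src, dst = file_hashes(source_root), file_hashes(copy_root)
    return {
        "modified": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
        "missing": sorted(src.keys() - dst.keys()),
        "extra": sorted(dst.keys() - src.keys()),
    }


def demo():
    """Constructed sample: a two-file package and a copy with one altered byte."""
    with tempfile.TemporaryDirectory() as base:
        source = os.path.join(base, "source")  # hypothetical content source
        copy = os.path.join(base, "cache")     # hypothetical cached copy
        for root in (source, copy):
            os.makedirs(os.path.join(root, "bin"))
            with open(os.path.join(root, "setup.exe"), "wb") as fh:
                fh.write(b"MZ" + b"\x00" * 64)
            with open(os.path.join(root, "bin", "app.dll"), "wb") as fh:
                fh.write(b"constructed payload")
        # Simulate a scanner rewriting a single byte in the copy.
        with open(os.path.join(copy, "setup.exe"), "r+b") as fh:
            fh.seek(10)
            fh.write(b"\x01")
        return compare_content(source, copy)


if __name__ == "__main__":
    print(demo())
```

A non-empty `modified` list for a copy that nobody has deliberately changed points at something on that machine rewriting the files after distribution.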

The recommended firewall exclusions have been published by Microsoft for as long as I’ve been working with the product, and are published here.

If they’re published in the main documentation, why were they not configured during initial implementation? The reason always seems to be similar: these firewall exclusions are published as “Recommended” and not “Required.” As a result, security usually came back with a “try and see” approach to not configure the client-side exclusions, and since it could be months before this issue occurs, the design change was forgotten.

From a security perspective, however, there is no additional value in scanning the content from any location besides the Content Source folder (i.e., \\SiteServer\Sources$). Once the payload has been scanned at source, it is imported into Configuration Manager and a hash is generated. As the A/V scanner showed, the smallest change to that content after it is imported will cause the hash check to fail and the content to ultimately be purged from the client. This built-in security feature allows the exclusion of content libraries and client caches to be implemented without increasing the vulnerability level of managed devices.

 

Hope this helps!
