Key Points
- TFTP is insecure and should only be used when absolutely necessary: Its lack of encryption and authentication makes it a security risk.
- The Windows TFTP client is optional and easily disabled: Leaving it enabled when unused increases unnecessary exposure.
- Disabling TFTP does not interfere with PXE or imaging: PXE operations do not rely on the Windows TFTP client.
- TFTP traffic can be identified and controlled via UDP port 69: Monitoring and firewall rules enable effective oversight and risk reduction.
- Stray TFTP usage should be detected and replaced with secure protocols: Modern encrypted alternatives provide safer device configuration and updates.
TFTP is an insecure file transfer protocol that is still widely used for specific IT administration tasks. Because it offers no protection for the data it carries, you should disable the TFTP client on Windows PCs whenever it is not actively required. This tutorial explains how to disable the TFTP client safely on Windows, and how to detect and clean up any stray TFTP services.
What is TFTP and what is the purpose of TFTP?
TFTP (Trivial File Transfer Protocol) is a client-server file transfer protocol with no encryption, authentication, or authorization mechanisms. That makes it very small and lightweight to implement, so it is primarily used by low-power network devices to retrieve configuration files and firmware images, and for network booting using PXE (Preboot Execution Environment).
For example, a device in recovery mode may attempt to locate a TFTP server at a specific IPv4 address and look for a system image to restore from, without requiring the user to take control of it. DHCP options can also supply the information that devices such as VoIP phones use to locate a TFTP server and load their configuration from it.
Windows includes a TFTP client that can be enabled using the following DISM command to add the optional (and by default, disabled) TFTP feature:
dism /online /enable-feature /featurename:TFTP /all
The Windows TFTP client can then be used by system administrators to test access to TFTP servers, or upload files. There are also third-party TFTP clients that are standalone executables.
Should TFTP be disabled? Is UDP port 69 secure?
As mentioned, TFTP is not secure and should be treated as a security risk. While some devices rely on it to function, firewall rules should be in place to protect TFTP clients and servers, and TFTP should be disabled wherever it is not explicitly needed. If the Windows TFTP client is required for a specific administrative task, it should be disabled again afterwards.
TFTP requests are sent to UDP port 69, so TFTP traffic can be identified and blocked at the network level. Note that only the initial read or write request goes to port 69; the server answers from a freshly chosen port and the rest of the transfer runs between two ephemeral UDP ports, so a stateful firewall or a rule that matches the initial request is needed rather than a filter on port 69 alone.
What you need to disable the TFTP client in Windows
To disable the TFTP client in Windows, you’ll need:
- Administrative access to manage Windows optional features
- Endpoint firewall rules and perimeter ACLs to protect exposed TFTP services
- Endpoint inventory and a list of owners for any network boot or device-imaging workflows to ensure oversight
- Centralized monitoring and logging to verify the functionality and security of TFTP services
How do I disable TFTP on Windows?
Use the following DISM command to disable the optional Windows TFTP client from the Command Prompt or PowerShell:
dism /online /disable-feature /featurename:TFTP
You can also use this PowerShell command:
Disable-WindowsOptionalFeature -Online -FeatureName TFTP
You’ll need to be logged in as an administrator or use an elevated prompt to do this.
You can confirm whether the TFTP client feature is enabled or disabled with the following DISM command (look for the TFTP entry and its state in the output):
dism /online /get-features
If you need to enable or disable the TFTP client on multiple devices in a Windows Domain environment, you can add these commands to a script and deploy them using Group Policy. To target a wider range of devices, including those not on a domain, BYOD, or remote devices, you can deploy scripts using your mobile device management (MDM) or remote monitoring and management (RMM) solution.
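As an added example (not part of the original article), the PowerShell script below wraps the disable step so it can be deployed through Group Policy, MDM or RMM: it checks the current state with Get-WindowsOptionalFeature, disables the feature only when needed, verifies the result, and uses exit codes (0 success, 1 failure, 3010 reboot requested) that most deployment tools understand. The feature name TFTP is from the article; the exit-code convention is an assumption about your deployment tool.

```powershell
# Added example: idempotent removal of the Windows TFTP client feature.
# Run elevated; suitable for a GPO startup script or an RMM/MDM script job.
#Requires -RunAsAdministrator

$featureName = 'TFTP'

# Read the current state of the optional feature (Enabled / Disabled / ...).
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction Stop

if ($feature.State -eq 'Disabled') {
    Write-Output "$featureName client is already disabled on $env:COMPUTERNAME."
    exit 0
}

Write-Output "$featureName client state is '$($feature.State)'; disabling..."
# -NoRestart prevents DISM from rebooting the machine on its own.
$result = Disable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart

# Re-read the state rather than trusting the return value alone.
$after = Get-WindowsOptionalFeature -Online -FeatureName $featureName
if ($after.State -eq 'Disabled') {
    Write-Output "$featureName client disabled on $env:COMPUTERNAME."
    if ($result.RestartNeeded) {
        Write-Output 'DISM requested a restart to complete the change.'
        exit 3010   # assumption: your deployment tool treats 3010 as "success, reboot pending"
    }
    exit 0
}

Write-Error "Failed to disable $featureName client (state: $($after.State))."
exit 1
```

Because the script exits early when the feature is already disabled, it can be scheduled to run repeatedly (for example after every reboot) without causing unnecessary DISM operations, and the exit code gives your RMM a clean signal to report on.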
Monitoring for TFTP usage
Because TFTP traffic is unauthenticated and unencrypted, it can be abused by attackers, so you should monitor for TFTP usage across your network as part of your cybersecurity practices. Watch for traffic to UDP port 69 and confirm that only intended devices are actively using TFTP, and that the usage is expected. This also helps identify Windows devices that may be using a third-party TFTP client, or stray TFTP services running on other platforms.
Ensure ownership of devices that have TFTP enabled: devices that use the protocol for boot, imaging, firmware, or configuration push should be documented with the engineer responsible, so there are no gaps in oversight. If these are one-off tasks, TFTP should be disabled after use. Regularly review devices that keep TFTP enabled as part of your IT governance process, and check whether it is possible to discontinue their use or update them to use a more secure protocol.
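As an added example (not code from the original article), the script below shows one way to do this monitoring on a Windows endpoint: it parses Windows Defender Firewall log lines, keeps UDP datagrams whose destination port is 69 (the initial TFTP request), and flags any request to a server that is not on the documented list of approved TFTP servers. The log lines, the IP addresses and the approved-server list are constructed for illustration; the field order is the one the firewall writes in its #Fields header.

```powershell
# Added example: find TFTP requests in Windows Defender Firewall log lines and
# flag talkers that are not on the approved list.
# Firewall logging must be enabled first, e.g.:
#   Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True
# Log fields: date time action protocol src-ip dst-ip src-port dst-port size ... path

# Assumption: the documented PXE/imaging server for this site.
$ApprovedTftpServers = @('10.0.0.5')

function Get-TftpEvents {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $Approved = $ApprovedTftpServers
    )
    foreach ($line in $LogLines) {
        # Skip the header lines and blanks.
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        # $f[3] protocol, $f[4] src-ip, $f[5] dst-ip, $f[6] src-port, $f[7] dst-port
        if ($f[3] -ne 'UDP') { continue }
        # Only the first datagram of a transfer targets port 69; the data
        # exchange continues on ephemeral ports, so match the request itself.
        if ($f[7] -ne '69') { continue }
        [pscustomobject]@{
            Timestamp = "$($f[0]) $($f[1])"
            Action    = $f[2]
            Client    = $f[4]
            Server    = $f[5]
            Approved  = ($Approved -contains $f[5])
        }
    }
}

# Constructed sample log lines (not real traffic).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:12:33 ALLOW UDP 10.0.0.15 10.0.0.5 52213 69 0 - - - - - - - SEND
2024-05-01 09:12:33 ALLOW UDP 10.0.0.5 10.0.0.15 61002 52213 516 - - - - - - - RECEIVE
2024-05-01 09:40:10 ALLOW UDP 10.0.0.23 203.0.113.8 49876 69 0 - - - - - - - SEND
2024-05-01 09:41:02 DROP TCP 10.0.0.23 10.0.0.9 50001 445 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

$events = Get-TftpEvents -LogLines $sampleLog
$events | Format-Table -AutoSize

$unexpected = $events | Where-Object { -not $_.Approved }
if ($unexpected) {
    $clients = ($unexpected.Client | Sort-Object -Unique) -join ', '
    Write-Warning "Unexpected TFTP request(s) to unapproved server(s) from: $clients"
}

# On a live endpoint, feed the real log instead of the sample:
# $events = Get-TftpEvents -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

With the sample data the first request (10.0.0.15 to the approved server) is reported as expected and the second (10.0.0.23 to 203.0.113.8) raises the warning; the reply datagram on port 52213 and the unrelated TCP line are ignored. The same per-host output can be shipped to your central logging or RMM alerting so that an unexpected client or server shows up as a ticket rather than a line in a file.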
Limit and block TFTP traffic on endpoints and the perimeter
If TFTP remains enabled on devices, limit traffic to known destinations. Your perimeter firewalls should block TFTP to and from untrusted networks (including the internet). You should also ensure TFTP is blocked on endpoints (for example, by using Windows Firewall), preventing third-party TFTP clients or servers from being used.
Tools like Windows Defender Network Protection can detect suspicious network traffic and automatically block it, including requests to suspicious servers.
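As an added example (not from the original article), the following PowerShell creates the endpoint firewall rules the section describes: an outbound rule that blocks TFTP requests leaving the host and an inbound rule that prevents a third-party TFTP server on the host from being reached. The rule names and the scope variable are assumptions; adjust the scope to your environment.

```powershell
# Added example: endpoint Windows Defender Firewall rules for TFTP (UDP/69).
#Requires -RunAsAdministrator

# Scope of the outbound block. 'Any' blocks TFTP to every destination, which is
# right for hosts that never need it. Where a documented TFTP server must stay
# reachable, narrow this to the untrusted ranges instead, e.g. 'Internet' or
# an explicit list such as @('0.0.0.0-9.255.255.255', ...).
# Note: in Windows Firewall an explicit Block rule always wins over an Allow
# rule, so "allow one server, block the rest" cannot be built from an Allow
# rule plus a broad Block rule; the Block rule itself has to carry the scope.
$blockScope = 'Any'

$outName = 'Block TFTP (UDP 69) - outbound'
$inName  = 'Block TFTP (UDP 69) - inbound'

# Outbound: stop the built-in or any third-party TFTP client from sending
# read/write requests to port 69.
if (-not (Get-NetFirewallRule -DisplayName $outName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $outName -Direction Outbound -Protocol UDP `
        -RemotePort 69 -RemoteAddress $blockScope -Action Block -Profile Any -Enabled True | Out-Null
}

# Inbound: stop a stray TFTP server running on this host from accepting requests.
if (-not (Get-NetFirewallRule -DisplayName $inName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $inName -Direction Inbound -Protocol UDP `
        -LocalPort 69 -Action Block -Profile Any -Enabled True | Out-Null
}

# Log dropped packets so blocked TFTP attempts are visible to monitoring.
Set-NetFirewallProfile -All -LogBlocked True

# Verify the rules exist and are enabled.
Get-NetFirewallRule -DisplayName $outName, $inName |
    Select-Object DisplayName, Direction, Action, Enabled, Profile
```

The same rules can be pushed by Group Policy (Computer Configuration > Windows Defender Firewall with Advanced Security) or by an RMM script; keeping the creation guarded by Get-NetFirewallRule makes the script safe to re-run, and enabling dropped-packet logging means any blocked attempt lands in the firewall log where it can be picked up by your TFTP monitoring.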
Detect and remove stray TFTP server services
TFTP clients and servers can also be installed on Linux, Android, and macOS devices. If unexpected TFTP traffic is detected on your network, use your network monitoring and management tools to find the device and disable it. Wherever possible, replace TFTP with a secure alternative like SFTP or HTTPS, and ensure this is reflected in configuration templates and images so that it does not reappear in the future.
Centrally manage Windows features, monitor TFTP usage, and maintain oversight from one interface
NinjaOne can help you maintain control over and mitigate the risks of legacy features that are still required in production. You can enforce configurations that disable the TFTP client on Windows endpoints and block UDP port 69, and configure alerts or automatic support ticket creation if unexpected TFTP usage is detected. NinjaOne integrates with leading endpoint detection tools for improved monitoring, policy enforcement, and oversight.
