Windows 10 Delivers Updates From Your PC To Strangers

“Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft. This can help you get updates and apps more quickly if you have a limited or unreliable Internet connection. And if you own more than one PC, it can reduce the amount of Internet bandwidth needed to keep all of your PCs up-to-date. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet.

“Delivery Optimization is turned on by default in Windows 10.”

Microsoft doesn’t hide any details in the official WUDO FAQ. But it also doesn’t ask for your approval when you install the operating system.

The idea itself is very good if you have more than one PC running Windows 10. But, if you read on, that’s where things start to get interesting:

“Windows uses the same process as when getting updates and apps from PCs on your local network, and also looks for PCs on the Internet that can be used as a source to download parts of updates and apps.

When Delivery Optimization is turned on, your PC sends parts of apps or updates that you’ve downloaded using Delivery Optimization to other PCs on your local network, or on the Internet, depending on your settings.”

Stop Windows 10 from delivering updates from your PC to complete strangers

Go to Settings > Update & Security > Windows Update > Advanced Options

Click on “Choose How Updates are Delivered”:


If you have more than one computer, leave the feature activated and select the first option: “PCs on my local network”.

If you want to help the community, you can leave the second one activated.

Note that this might cause your ISP to throttle your Internet connection or even to send you a written warning for breaching the contract’s “acceptable usage”.

If you have just one computer with Windows 10, then you can safely deactivate the feature.
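For administrators who prefer to check or enforce this setting from a script instead of the Settings app, the following PowerShell is an added example and not part of the original article. It assumes the documented Delivery Optimization policy value `DODownloadMode` under `HKLM\SOFTWARE\Policies`; the function names are hypothetical, and writing the policy requires an elevated session.

```powershell
# Added example (not from the original article). Assumes the documented
# Delivery Optimization policy value DODownloadMode; function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Policy values and what they mean for peer-to-peer sharing.
$Modes = @{
    0   = 'HTTP only: no peer-to-peer sharing'
    1   = 'LAN: peers on the local network only'
    2   = 'Group: peers in the same domain or site'
    3   = 'Internet: peers on the local network and the Internet'
    99  = 'Simple: no peering'
    100 = 'Bypass: BITS is used instead of Delivery Optimization'
}

function Get-DOPolicyMode {
    # Returns the enforced mode, or $null when no policy is set
    # (in that case the choice made in the Settings app applies).
    $item = Get-ItemProperty -Path $PolicyKey -Name DODownloadMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DODownloadMode
}

function Set-DOPolicyMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]   # only "off" and "local network only"
        [int]$Mode
    )
    # Create the policy key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name DODownloadMode -Value $Mode -Type DWord
}

$current = Get-DOPolicyMode
if ($null -eq $current) {
    Write-Output 'No policy set: the Settings app choice applies (on by default).'
} elseif ($Modes.ContainsKey($current)) {
    Write-Output "Policy mode ${current}: $($Modes[$current])"
} else {
    Write-Output "Policy mode ${current}: unknown value"
}
if ($current -eq 3) {
    Write-Warning 'This PC may upload update data to PCs on the Internet.'
}

# Restrict sharing to the local network:   Set-DOPolicyMode -Mode 1
# Disable peer-to-peer sharing entirely:   Set-DOPolicyMode -Mode 0
```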

While this is not a security vulnerability, it is also not very nice since there is no mention anywhere that this feature is turned on by default.

WUDO works just like the good old Windows Update, so it is safe to assume that it is secure. Microsoft also guarantees that no personal files are touched.

Why is Microsoft hiding this?

They are not hiding it; they are just not actively mentioning that this feature exists.

Microsoft assumes that no harm (or cost) is done because Windows Update and WUDO will not download or upload updates or apps if they detect that your PC is using a metered connection.

What is a metered connection?

A metered connection is any Internet connection which has a limited data plan.

If you use a Wi‑Fi or 3G/4G connection that is metered or capped, make sure you identify it as a metered connection.

Here’s how:

  • Go to Settings > Network & Internet > Wi‑Fi > Advanced options.
  • Use the toggle under Set as metered connection to set your Wi‑Fi connection as metered.


Did you also notice the first control? It will make your computer visible on any network. Better leave this feature turned off if you have a mobile computer. It’s safe to turn it on when you are at home, though.

 

Thanks a lot to Sorin Mustaca who contributed this blog article!


IT Security Expert, CSSLP, Security+, Project+