Skip to content
Naked Security Naked Security

Windows 10 spreads the love with updates on the side

"Windows Update Delivery Optimization" works P2P-style to speed up updates. But it could cost you money - and it's opt-out, so be aware!

Have you made the move to Windows 10 already?

If so, and you live in a part of the world where internet connectivity isn’t merely “on” or “off”, but can be somewhere in between – in other words, if you have to keep your usage inside a data cap – then you need to know about WUDO.

WUDO is short for Windows Update Delivery Optimization, and it’s a great feature that may very well make updates on your home network much slicker.

But it could cost you money, and it’s opt-out, not opt-in, so you need to be aware of it.

→ A data cap, for those fortunates who have never experienced one, is a data transfer ceiling above which you typically either pay more, or endure a slowdown, until the end of the month. Excess data charges are often very high (you might prefer the word extortionate), and throttled data rates may be turgidly slow (you might prefer the word unusable). Caps typically kick in after anywhere from hundreds of megabytes to tens of gigabytes, depending on your country, your ISP and your internet plan. Some caps count downloaded data only; others add up all your network traffic, both in and out.

Like torrenting, only different

The easiest way to explain WUDO is to say that it’s just like Bittorrent, or any similar peer-to-peer (P2P) file sharing network, only different.

Your PC connects to Microsoft, downloads a trusted list of files that it needs for the update, and then asks around on the network to see if anyone else nearby has any of those files handy.

At worst, your PC will end up downloading the latest patches all the way from Microsoft; at best, it will get the files straight from another computer on your home network that already fetched the update.

This means that if you have three PCs to update, and each needs 1GB of updates, and 1GB takes three hours to download on your 1Mbit/sec internet link, you don’t have to wait nine hours for the update to come down the line three times.

If you’re lucky, only one PC will need to visit the outside world, whereafter the other two will simply grab the matching files from their neighbours on your home network, typically 10 to 100 times faster.

In fact, WUDO not only looks for other computers on your own internal network – it also tries, just like Bittorrent, to find other computers on the internet that can help you out.

That not only spreads the load beyond Microsoft’s core servers, which is good for resilience, but also lets your PC choose update sources that are nearby, which is good for throughput.

But it raises three important issues:

  • Is it safe to get trusted updates from untrusted computers?
  • Do you have to give to receive?
  • Is this the default setting?

The answers are, “Yes,” “Yes,” and “Yes.”

Trusted data over untrusted links

As long as your PC downloads a list of the files it needs – a so-called manifest, or cryptographically-signed catalog – directly from an official Microsoft server first, you’re safe.

Your PC can validate cryptographically that it received the same file that it would have acquired directly from Microsoft, even if the download came from one or more unknown third parties.

If any downloaded components are damaged or modified, whether by accident or design, they can be discarded and fetched again.

Giving to receive

The “giving to receive” issue could be a problem if you have a capped or metered data plan.

If you have multiple PCs, you’re always likely to save bandwidth, provided that WUDO doesn’t let other people upload from you more than you download in total.

But if you have just one Windows 10 computer and a metered connection, WUDO might end up costing you money.

After all, you’ll always have to download the entire update from the outside at least once.

So if you only get to make use of it once, anything you later upload to others, no matter how helpful to them, is additional update traffic for you.

On by default

In other words, if you have a metered conection, you need to know that full-blown WUDO is on by default in Windows 10.

Fortunately, it’s easy to change…

…once you know how.

Go to the not-actually-very-obvious Settings Updates and Security Advanced options Choose how you download updates Get updates from more than one place.

Your choices are:

  1. Off. Your computer calls home to Microsoft, and gets updates only from there.
  2. PCs on my local network. WUDO will “torrent-share” files, but only between computers on your own LAN.
  3. PCs on my local network and on the internet. You’ll potentially get files from, and offer file uploads to, computers anywhere in the world.

If you have more than one PC on your own LAN, the middle option sounds like a good one, as you won’t incur any additional upload charges, but you will probably reduce your total internet download quota.

That’s good for you, helpful to Microsoft, and beneficial to everyone else.

If you can afford the altruism of torrent-style uploads for other people, go for option 3 and you’ll be doing the world a modest favour, as well as speeding up your own updates, especially if you have multiple PCs to patch.

The thing to bear in mind: whether you’re willing or able to go for option 3, it’s the default, and you have to opt out if it doesn’t suit you.

18 Comments

Thanks for pointing these little details out! Another thing to think about, even if you’re feeling generous and want to share updates with the world, is that some connections are asymmetric, meaning upload speed is much slower than download speed. If one of your computers is helpfully sharing windows updates, it could slow down all the web requests your other computers are making.

It’s kind of a low blow considering they didn’t mention it initially, but does it respect the data usage limits and does it only upload while your downloading?

If it’s only uploading while your downloading then it’s probably a minimal difference in your bandwidth. Most internet connection upload speeds are 1/10th or less of the download, and you more than likely won’t be maxing out your upload speed.

…as an added bonus, when they figure out how to deliver malware via this mechanism, all the PCs on your network will be infected automatically without you even having to click on those pesky phishing links!

That’s why it uses a cryptographically-signed catalog. If the file you downloaded from your neighbor doesn’t match the hash that MS said it should have, it’s not installed. It would be difficult for hackers to spread malware this way unless they somehow changed the manifest coming from Microsoft Update in the first place – and if they could do that, they could just spread it through Microsoft Update anyways. In short, not a real threat.

Never a MS-certificate was stolen Never a MS-Facility was hacked. MS never had securiy issues and updates are not necessary to increase security and to close vulnerabilities.

I’m not aware of a Microsoft certificate ever having been stolen…though if one had been, that would affect Windows updates whether you downloaded them directly or indirectly, which was Chris’s point.

In Windows 8.1 and Windows 10 it’ll detect when you are on a metered connection. If it doesn’t, you can set your connection to a metered one. This will tell Windows to block things from eating up your connection such as updates.

Does anybody know if Windows 10 will continue to upload updates to other computers after it has updated itself? What is the download:upload ratio until it stops?

BTW, there is a way to completely shut off Windows Updates if you wish, even in Windows 10 Home edition.

Will it install updates when IT wants to? Or can you pick the time? Can you load to an old HD without an activation number?

So far I am extremely happy with what Microsoft has done with Windows 10.0. The amazing texture and feel of this update has satisfied my needs at this point. But now we seem to be getting an update so early in this process, hopefully it’s a good update and nothing to worry about. I’m seriously concerned about the Firmware Vulnerabilities with PCs and Macs I’ve been reading around.

I’ll like to ask if your are part of the Microsoft Marketing Team.
There are a lot of things which are not so cool as all brainwashed MS-followers tell us: For instance if a Hotel offers free WIFI to their guests, the Owner of the Network do not want that the Bandwith is used by Computers outside of the Hotel. There is no possibility to stopp such traffic because the Administrator has no Chance to Change the win10 activity. In a Sophos blog I would like to see a more reflected sight on security-issues. Where are Infos about how to block such unwanted traffice on a Sophos-UTM

If you had searched Naked Security for “Windows 10 Wi-Fi” or for “Wi-Fi Sense”, you would have found these, which might have answered some of your questions, notably how to request Windows 10 clients to leave your Wi-Fi alone. (We don’t much like the opt-out approach, and we keep saying so. I think that should answer your question of whether we are part of Microsoft Marketing :-)

https://nakedsecurity.sophos.com/2015/07/01/windows-10-wi-fi-sense-feature-shares-your-wi-fi-network-with-your-friends/
https://nakedsecurity.sophos.com/2015/07/09/sscc-206-who-gave-you-permission-to-use-my-wi-fi-podcast/

Sorry! It’s not a question of WIFI, it’s a Problem with the UPDATE Strategy of Win 10. If you are the owner of the Network but not the owner of the win10-devices which use this infrastructure and the device has not deactivated P2P Updates, you should be possible to block upload-traffic. You seem to be happy with this new strategy, but It’s bad for providers of costfree, public Internet.

If we like ‘delivery optimization’, do we have to make changes to the Sophos End. Sec & Con. Firewall config to allow it to work? We have a number of VLANs and the general use computer rooms are classified as ‘not trusted’ within firewall settings. I’m wondering how much trouble we’d have trying to allow them to peer large windows 10 updates.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?