Thinking About Windows 10 Delivery Optimization

Posted on September 4, 2016 by Paul Thurrott in Windows 10

When Microsoft released Windows 10 build 14915 to Windows Insiders on the Fast ring last week, it was billed as having no new features. But this build did include a fairly major change to how an existing feature called Delivery Optimization works. And if the past is any guide, it will prove controversial with the tin hat crowd.

Delivery Optimization debuted in Windows 10 version 1511, providing users with the option to download Windows and app updates from other PCs on their own network. The goal here is to lower bandwidth consumption: If you have multiple Windows 10 PCs on your network, each will not need to download every single update individually.

If you’re familiar with Windows Server, you may recall that Microsoft started offering an on-premises take on this technology called BranchCache several years ago. That solution was for branch offices that were connected to the home office via a slow, unreliable and expensive WAN, but the theory is the same: Download updates once (or at least as infrequently as possible) and then distribute them locally, saving bandwidth.

As released in Windows 10 version 1511, Delivery Optimization was controversial, but given the other Windows 10 privacy FUD from last year, it was only a minor issue that received little press. And the fact that users could turn off this functionality softened the blow as well.

But the change we see in build 14915, which won’t be public until spring 2017, when the next major release of Windows 10 ships, could prove more problematic. Now, in addition to getting Windows and app updates from other PCs on your local network, you can get them from other PCs on the Internet. And this functionality is enabled by default.

Hm.

“[Those who] have Delivery Optimization enabled will be able to download new [Windows] builds, OS updates, and app updates from other PCs on their local network as well as from other PCs on the Internet,” Microsoft’s Dona Sarkar explains in a post to the Windows 10 Feedback Hub. “When enabled, your PC may also send parts of apps or updates that you have downloaded using Delivery Optimization to other PCs.”

That quote twice indicates that this functionality will work only “if” you have Delivery Optimization enabled, and that’s where privacy advocates can and should take exception: This feature is in fact enabled by default in Windows 10. And you’d have to know about this feature and find it in the UI to disable it and protect yourself from any potential security and privacy issues.

You do this by navigating to Settings, Update & Security, “Advanced options,” and then “Choose how updates are installed.”

Looking at the Windows Update Delivery Optimization FAQ, which of course only addresses the currently shipping version of this feature, it’s unclear what the potential risks are.

For example, the FAQ notes that “Delivery Optimization uses the same security measures as Windows Update and the Windows Store. Windows Update uses information obtained securely from Microsoft to validate the authenticity of files downloaded to your PC. Delivery Optimization also checks the authenticity of each part of an update or app that it downloads from other PCs before installing it.”
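To make the FAQ's claim concrete, here is an added example (not from the original post, and not Microsoft's implementation) that models per-piece verification: peers supply the data, but the hashes used to check it come from a trusted source. The SHA-256 choice, the manifest layout, the piece size, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

PIECE_SIZE = 8  # tiny, so the constructed sample below stays readable


def split(content: bytes) -> list[bytes]:
    return [content[i:i + PIECE_SIZE] for i in range(0, len(content), PIECE_SIZE)]


def build_manifest(content: bytes) -> list[str]:
    """Trusted side: one SHA-256 per piece. In this model the manifest is
    fetched over an authenticated channel, never from a peer."""
    return [hashlib.sha256(p).hexdigest() for p in split(content)]


def verify_piece(manifest: list[str], index: int, piece: bytes) -> bool:
    """True only if the piece hashes to the manifest entry for that index."""
    if not 0 <= index < len(manifest):
        return False
    digest = hashlib.sha256(piece).hexdigest()
    return hmac.compare_digest(digest, manifest[index])


def assemble(manifest, peer_pieces, trusted_fetch):
    """Build the file from peer pieces, refetching from the trusted source any
    piece that is missing or fails verification. Returns (content, rejected)."""
    out, rejected = [], []
    for index in range(len(manifest)):
        piece = peer_pieces.get(index)
        if piece is None or not verify_piece(manifest, index, piece):
            if piece is not None:
                rejected.append(index)  # a peer sent data that does not match
            piece = trusted_fetch(index)
            if not verify_piece(manifest, index, piece):
                raise ValueError(f"piece {index} failed verification")
        out.append(piece)
    return b"".join(out), rejected


# Constructed sample data, not a real update.
UPDATE = b"constructed-update-payload"
MANIFEST = build_manifest(UPDATE)
GOOD = split(UPDATE)
PEER_PIECES = {0: GOOD[0], 1: b"TAMPERED", 3: GOOD[3]}  # piece 1 altered, piece 2 missing

if __name__ == "__main__":
    content, rejected = assemble(MANIFEST, PEER_PIECES, lambda i: GOOD[i])
    print(content == UPDATE, rejected)
```

In this model a tampered peer piece costs only a refetch; it never reaches the assembled file. Note that this addresses integrity only, not what a peer can learn about which content another PC holds.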

That sounds safe. But the ability of one PC to poll another and find out which apps are installed is a potential security risk, even given the safeguards in the Universal Windows Platform (UWP). Could a hacker who knows about a compromised app now poll PCs to find those that have that app?

I don’t know. And I’m not trying to be sensationalist. But this is something that Microsoft needs to communicate better, for sure.

My advice remains unchanged from before: There is absolutely no reason for most users to leave this feature enabled, and unless you are on a very expensive, slow, or unreliable Internet connection, I recommend simply turning it off.