On Mon, 18 Mar 2019 01:12:19 -0400, Paul wrote:

Char Jackson wrote:


Thanks for the detailed reply. As for the possibility of corrupt updates
being shared within the LAN, I assume each update package is signed so
that a host knows if it can be trusted. However, if MS isn't taking
advantage of the other hosts on the LAN in this way, then I might as
well just disable the whole thing.

They're signed. Doesn't matter how they're sliced and diced,
a package cannot be installed without the signature working.
Change 1 bit of content, the signature will fail.

Even when materials come straight from a Windows Update
server, we have to assume the delivery method could be
compromised in flight. The signing step, is the ultimate
protection for that path. That covers MITM attacks.

Then, as I suspected, it doesn't matter where update chunks come from.
Could be MS, another PC on the LAN, or another PC on the Internet. It's
all the same.

However, if as you said earlier, the feature doesn't really work, then
it's pointless. I might as well disable the feature and get updates from
MS.

The reason I asked in the first place is that I have about two dozen
Win10 VMs, and counting, and it seemed a shame to get updates for each
of them separately. I guess that's how it needs to be, though.