
What if your ISP hijacks your DNS (pretty common) and someone were to poison it and it instead downloads malware? That would mean thousands of Windows PCs download this malware just by connecting to the internet.



Then the string compare would fail and the little icon in the bottom right would show an exclamation mark.

This can be a problem if there's some kind of critical vulnerability in the Microsoft HTTP stack, but I don't think this attack vector is all that relevant.

Same with other captive portal detection endpoints, there's very little actual parsing going on with these requests.


Windows Updates are downloaded via HTTP but signed in the packages themselves. This is why Delivery Optimization (peer-to-peer distribution) can be used. HTTP downloads for WU are also good because they allow upstream proxies to cache the content, reducing overall network load.

Thus: Hijacking WU to download malicious content takes far, far more than just DNS hijacking. You'd also need to subvert the WU signing system. (This is more nation-state level stuff.)
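An added example, not part of the original comment: a minimal Go sketch of why a signature carried inside the package makes the transport irrelevant. Ed25519 and the names `Update`, `Sign`, `Install` and `demoKey` are assumptions for illustration, not Windows Update's actual signing format or API; the keys are constructed from fixed seeds.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Update is what any transport (plain HTTP, caching proxy, peer) hands the client.
// The signature travels with the payload, not with the connection.
type Update struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned key")

// demoKey derives a constructed key pair from a fixed seed (demo only).
func demoKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign is the vendor side: it runs once, before distribution.
func Sign(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Install is the client side: the pinned key ships with the OS, so the check
// does not depend on which server, proxy or peer delivered the bytes.
func Install(pinned ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pinned, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil // only now would the payload be handed to the installer
}

func main() {
	vendorPub, vendorPriv := demoKey(1)
	_, otherPriv := demoKey(2) // any key that is not the vendor's

	genuine := Sign(vendorPriv, []byte("update-v2 contents (constructed)"))
	// A redirected download can replace the bytes but cannot produce a valid signature.
	swapped := Update{Payload: []byte("different contents"), Signature: genuine.Signature}
	resigned := Sign(otherPriv, []byte("different contents"))

	fmt.Println("genuine via untrusted mirror:", Install(vendorPub, genuine))
	fmt.Println("payload swapped in transit: ", Install(vendorPub, swapped))
	fmt.Println("re-signed with another key:  ", Install(vendorPub, resigned))
}
```
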


Yep, that's how viruses spread, kids. Better install some McAfee.



