Partager via


Using WSUS with Windows 10 1607?

Note:  Consider this post obsolete and replaced by https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/, which offers more detail and clarity around the behavior of Delivery Optimization in both Windows 10 1511 and 1607.

For those of you who have started deploying Windows 10 1607 (edit: and Windows 10 1511), you might notice a change in the behavior of the Windows Update agent for PCs that are configured to pull updates from WSUS.  Instead of pulling the updates from WSUS, PCs may start grabbing them from peers on your network, leveraging the Delivery Optimization service for referrals to other PCs that have already obtained the content.  This change should generally help reduce the amount of network traffic being generated for both quality (monthly) updates and feature updates, offloading that traffic from the WSUS server.  It will add some additional traffic between each client PC and the Delivery Optimization service on the internet, as it has to talk to this internet-only service in order to get a list of peers.

If the Windows Update agent can’t talk to the Delivery Optimization service (due to firewall or proxy configurations), or if there are no peers able to provide the content, it will then go ahead and grab the content from the WSUS server.

There is a new Group Policy setting available if you want to disable this behavior, e.g. because you are already using BranchCache for peer-to-peer sharing.  To do this, you need to set the “Download Mode” policy under “Computer Configuration –> Administrative Templates –> Windows Components –> Delivery Optimization” to specify “Bypass” mode, which will result in the client always using BITS to transfer the content from WSUS (with BranchCache jumping in to provide the peer-to-peer capabilities through its integration with BITS):

image

Of course to set this policy, you need the latest ADMX files, which can be downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=53430 and are also included in Windows 10 1607 and Windows Server 2016.  (The “Bypass” setting wasn’t available in previous versions.)  See https://support.microsoft.com/en-us/kb/3087759 for details on how to update the Group Policy central store with these latest ADMX files, if you are using a central store.

Comments

  • Anonymous
    August 08, 2016
    Thanks for this information
  • Anonymous
    August 08, 2016
    Does this setting affect SCCM SUP in any way? I also found it confusing that Microsoft named this new release of Win 10 ADMX templates "Version 1.0".Thanks!
    • Anonymous
      August 15, 2016
      No, no affect on SCCM, since it takes care of downloading updates itself.
  • Anonymous
    August 09, 2016
    The comment has been removed
    • Anonymous
      August 15, 2016
      See my follow-up post for more detail. You can control what set of clients are considered, or you can choose to use BranchCache instead (or no peer-to-peer at all, although I wouldn't suggest that).
  • Anonymous
    August 09, 2016
    The comment has been removed
    • Anonymous
      August 15, 2016
      Just curious: Why did you pick the value 64? That doesn't appear to be valid, so I would expect it to use the SKU default (see my next post for details).
  • Anonymous
    August 10, 2016
    The Help section in the GPO does not state what the default actions are for Disabled or Not Configured.
    • Anonymous
      August 15, 2016
      See my follow-up post - it explains that in more detail.
  • Anonymous
    August 10, 2016
    If we are using SCCM and WSUS for updates - what's the effect of the GPO?
    • Anonymous
      August 15, 2016
      There is no impact with ConfigMgr - it takes care of downloading the update itself, then tells the Windows Update agent to install the already-downloaded package.
  • Anonymous
    August 10, 2016
    Our 1607 Clients don't see the cumulative Update KB3176495, no matter if they are running 14393.0 or 14393.10.We have set the Download Mode to bypass through GPO.The update was downloaded by our WSUS yesterday, so it is ready for deployment.At first the 1607 clients want to go to the internet to download updates, when we hit the search for updates button.We get an error code 08x8024401b, which means that our proxy is blocking the download, which is correct. But at first they should communicate with WSUS not with the Internet. When we send a wuauclt /reportnow command from the client, we can see the timestamp in the WSUS Console.So communication to WSUS should work.But WSUS says no Updates required, 100% installedWSUS is running under W2012R2 (6.3.9600.18324).Will there be an update for WSUS to be able to deploy updates to 1607 clients?
  • Anonymous
    August 10, 2016
    Do you have any tips or information for those affected by what seems to be a bug in version 1607 where clients cannot update from WSUS because downloads get stuck and event logs show services like the Windows Update service, BITS, and others related to Windows update repeatedly crashing? Since there have only been a couple updates for version 1607 that are already a part of my image the updates that are trying to get installed mainly relate to Office 2016 in my environment.
    • Anonymous
      August 15, 2016
      We are currently investigating this issue. If you are running into this, please contact Microsoft Support. (Strangely enough, I can't duplicate the issue.)
  • Anonymous
    August 15, 2016
    Thanks for this. I had already discovered this particular policy and enabled it before upgrading some of my local users to 1607. Unfortunately it seems that Windows Update in 1607 and WSUS do not like each other very much.What I am encountering now is that many of those 1607 clients exhibit very strange behavior as relates to WSUS:- Massive delays in reporting status, if it ever reports at all. "Last contact" is recent but "Last status report" is very old.- The console shows "Version" is 10.0.14393.0 no matter which CU the client has installed.- I'm finding that it is very rare that a 1607 client will actually install a Windows CU from WSUS, I'm having to go to each machine and deploy the .msu by hand to get them up to date. Windows update shows downloading updates with some random percentage between zero and 100 every time I go to look at it, it doesn't finish and install in most cases. Once I manually install the Windows CU and reboot, the other updates (office, whatever) will download and install normally.My WSUS is running on Server 2012 R2 with the latest fixes including the one that everyone had a fit about with the manual steps after install to upgrade the database and fix the web.config file.
    • Anonymous
      August 16, 2016
      I am getting basically the same issue as Pepper, while also running Windows Server 2012 R2. I have set everything you specified in: https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/ . Installing 1511 updates don't seem to have the same issue at all, and PeerCacheing enabled or disabled does not seem to make a difference in speed.
      • Anonymous
        August 16, 2016
        also seeing problems getting updates. I can get past this in a new build by installing the latest CU as a package but clinets updated via WSUS to 1607 from 1511 cannot download any updates.
        • Anonymous
          August 28, 2016
          The comment has been removed
      • Anonymous
        August 17, 2016
        I left two systems on for about 14 hours, the update status is still at 44%. I looked through the event log and noticed this piece of information under the setup log, and it seems to repeat the message every 10 minutes or so.Message 1: " Initiating changes for package KB3176495. Current state is Resolved. Target state is Staged. Client ID: WindowsUpdateAgent "Message 2: " Package KB3176495 failed to be changed to the Staged state. Status: 0x800f0816Is anyone else having this problem noticed these logs?
  • Anonymous
    August 22, 2016
    i have server 2008 R2. applying this msi file to import the admx did nothing for me. currently my org is using Build 1511 for our lab pc's and want 1607 via WSUS. is this only a server 2016 feature within GPO?
  • Anonymous
    August 22, 2016
    i have server 2008 R2. is this only a server 2016 feature within GPO?
    • Anonymous
      August 22, 2016
      please disregard that post. downloaded RSAT on Win 10 and the setting is there. thanks.