

Windows 10, Delivery Optimization, and WSUS: Take #2

01/31/2017:  Edited to reflect a change in the minimum disk size.

I had posted an article about Windows 10 1607, Delivery Optimization, and WSUS last week at https://blogs.technet.microsoft.com/mniehaus/2016/08/08/using-wsus-with-windows-10-1607/, but based on conversations with the engineering team and more testing of my own using virtual machines, I thought it would be good to make a second attempt at it.

Let’s start off with some basic behaviors:

  • Both Windows 10 1511 and Windows 10 1607 will talk to the Delivery Optimization service to find peers that can provide the content.  For devices connected to Windows Update, the peers are used in addition to the Windows Update content distribution servers on the internet.  For devices connected to WSUS, the peers are used in addition to the WSUS server.
  • Windows 10 1511 and Windows 10 1607 are configured by default for Delivery Optimization, but the download mode (used to determine what peers should be considered) is different depending on the SKU of Windows that is installed:
    • Enterprise, Enterprise LTSB and Education SKUs are configured for “LAN” (download mode 1) so they will only use PCs on the corporate network as peers.
    • Other SKUs default to “Internet” (download mode 3) so they will use a broader set of clients as peers.
  • There are minimum requirements for a PC to cache and provide content to peers, with at least 4GB of RAM and 32GB of disk space needed.  There are also minimum requirements for clients to receive content from peers; those that don’t meet those requirements will download updates directly from the source (Windows Update or WSUS).
  • Delivery Optimization presently will only use peer-to-peer sharing for larger updates like feature updates and cumulative updates.
  • Windows 10 1607 adds two new download modes, “Simple” (mode 99) and “Bypass” (mode 100).  “Simple” is great for “closed” networks where PCs wouldn’t be able to get to the Delivery Optimization service on the internet.  And “Bypass” is useful if you are already using BranchCache and want all updates to be pulled from WSUS using BITS.  (Since Windows 10 1511 doesn’t have a Bypass mode, you can use “HTTP only” mode 0 to skip Delivery Optimization peer checks on closed networks.)
  • Windows 10 1511 and Windows 10 1607 both also include a “Group” download mode setting (mode 2) that limits the population of PCs that can be considered peers to just those in a particular group.  With Windows 10 1511, groupings are based on the AD domain and an optional group ID that you can set via policy.  With Windows 10 1607, the groups are based on AD domain and AD site, and can also add in an optional group ID.

So let’s assume we have a Windows 10 1511 or Windows 10 1607 PC configured to talk to WSUS, and it checks for updates.  What happens?  Here’s the basic flow with the default settings:

  • The PC talks to WSUS to determine what updates are needed.
  • For each needed update, the PC checks with the Delivery Optimization service (on the internet) to find any applicable peer PCs that already have the needed content.
  • If peers are available, the PC will try to get the content from the peers.
  • If some or all of the content isn’t available from a peer, or if no peers are available, the remainder will be retrieved from WSUS.

So overall Delivery Optimization is a good thing:  It enables PCs on your network to share feature updates (new Windows 10 releases) and quality updates (monthly patches) with other PCs on your network.  But you might want to tweak the behavior.  I already mentioned one key scenario:  If you are using Windows 10 1607 with WSUS and BranchCache.  Since Windows 10 1607 no longer uses BITS by default for downloading updates from WSUS, you may want to deploy a policy to change the download mode to “Bypass” when you are using BranchCache.

One other tweak to consider:  Instead of using the default “LAN” download mode, you may want to instead use the “Group” download mode.  The “LAN” mode identifies PCs that are on the same LAN by looking at their external IP address – all PCs going through the same internet IP (through a proxy server or router) are considered to be on the same “LAN.”  But if you’re a typical large enterprise, your “LAN” might be made up of a bunch of different LAN segments with WAN connections between them, with all internet traffic funneled back to a central location that has a connection to the internet.  In that type of an environment, you don’t necessarily want a PC in Anchorage sharing an update with a PC in Auckland through WAN links that pass through Chicago.  Instead, you want peer-to-peer sharing to happen locally.  The “Group” mode in Windows 10 1607 handles that nicely, as long as your AD sites are defined to correspond with physical locations.  If they aren’t, or if you are using Windows 10 1511, you can instead use the “Group ID” policy (delivered via site-specific GPOs) to segment PCs into more appropriate groups.
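
The download modes above map to a policy value that can be read back and checked on a client. The following is an added example, not code from the original article: the function names `Get-DoPolicy` and `Set-DoPolicy` are hypothetical, and the registry path, the `DODownloadMode` and `DOGroupId` value names, the `EditionID` lookup and build number 14393 for Windows 10 1607 are assumptions not stated on this page.

```powershell
# Added example, not from the original article. Mode numbers and names are
# the article's; the policy key and value names are stated as assumptions.
$DoKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$DoModes = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

function Get-DoPolicy {
    # Effective mode: the policy value if one is set, otherwise the SKU default.
    $policy  = Get-ItemProperty -Path $DoKey -ErrorAction SilentlyContinue
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    if ($null -ne $policy -and $null -ne $policy.DODownloadMode) {
        $mode = [int]$policy.DODownloadMode; $source = 'Policy'
    } elseif ($edition -match '^(Enterprise|Education)') {
        $mode = 1; $source = "Default for $edition"   # Enterprise, LTSB, Education
    } else {
        $mode = 3; $source = "Default for $edition"
    }
    $groupId = if ($policy) { $policy.DOGroupId } else { $null }
    [pscustomobject]@{
        Mode          = $mode
        Name          = $DoModes[$mode]
        Source        = $source
        GroupId       = $groupId
        # Modes 1-3 ask the internet-hosted Delivery Optimization service for peers.
        UsesDoService = ($mode -in 1, 2, 3)
        InternetPeers = ($mode -eq 3)
    }
}

function Set-DoPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2, 3, 99, 100)][int]$Mode,
        [guid]$GroupId   # optional, Group mode only
    )
    $build = [Environment]::OSVersion.Version.Build   # 14393 = Windows 10 1607
    if (($Mode -in 99, 100) -and ($build -lt 14393)) {
        throw "Mode $Mode needs Windows 10 1607; on 1511 use 0 (HTTP only) instead."
    }
    if ($PSBoundParameters.ContainsKey('GroupId') -and $Mode -ne 2) {
        throw 'A group ID only applies to Group mode (2).'
    }
    if (-not (Test-Path $DoKey)) { New-Item -Path $DoKey -Force | Out-Null }
    Set-ItemProperty -Path $DoKey -Name DODownloadMode -Value $Mode -Type DWord
    if ($PSBoundParameters.ContainsKey('GroupId')) {
        Set-ItemProperty -Path $DoKey -Name DOGroupId -Value $GroupId.ToString() -Type String
    }
    Get-DoPolicy
}
# Set-DoPolicy -Mode 100    # WSUS with BranchCache on 1607
# Set-DoPolicy -Mode 2 -GroupId '11111111-2222-3333-4444-555555555555'   # constructed ID
```

Run it elevated. Values under the Policies key are overwritten by domain Group Policy at the next refresh, so in production deliver the same settings through a GPO.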

See https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-updates and https://technet.microsoft.com/en-us/itpro/windows/plan/setup-and-deployment for more background on Delivery Optimization.

Comments

  • Anonymous
    August 16, 2016
    Hi Michael, you mention 256gb disc space needed, is that a minimum (free) disc space needed? Or the total size of the disc, and if total size, how much free space is needed? Cheers, niall
    • Anonymous
      August 16, 2016
      That would be total disk size, not free disk space. (There is a separate Delivery Optimization policy that lets you specify a maximum percentage of free disk space that can be used.)
  • Anonymous
    August 19, 2016
    Hi Michael, does Microsoft know the problem with Windows 10 1607 and WSUS? Impossible to download updates when a cumulative update is available on WSUS. When you install the cumulative updates manually, all other updates work.
    • Anonymous
      August 19, 2016
      I've been doing this without any issues, so it sounds like something more specific with your environment. Any additional details? WU policies in use? WU for Business policies in use? Error messages?
      • Anonymous
        August 19, 2016
        I have a clean install of 2012R2 with WSUS enabled and all updates from Microsoft Update installed (incl. 3159706 and post install). I have a manual clean install of 1607 Enterprise configured to look at my WSUS server; both have full access to the Internet. I approved 3176495 only on my WSUS server and the client fails to download the update. At the same time multiple WU related services are constantly crashing; the crashing and following restart may make the update eventually download - or not. In addition to that, Get-WindowsUpdateLog is not resolving the GUIDs, which prevents any troubleshooting of the issue. I have two cases open with premier and get nowhere...
        • Anonymous
          August 19, 2016
          We're investigating those issues. For Get-WindowsUpdateLog, the issue is with the symbols needed to format the log entries. For the crashing issues, they are making progress.
          • Anonymous
            August 29, 2016
            Any further progress on the WSUS downloading issues, seems it's quite widespread based on forum threads.
      • Anonymous
        August 19, 2016
        Many other users have encountered this bug (see: https://social.technet.microsoft.com/Forums/windowsserver/en-US/5521e7f1-fa2d-4867-a47c-b276c66e6a82/windows-10-anniversary-update-1607?forum=winserverwsus). No specific error but Windows Update is stuck at 0% of downloading. Any idea where I can find more logs? Thanks
        • Anonymous
          August 24, 2016
          yep have this issue also
    • Anonymous
      August 20, 2016
      See below more logs:

      ReportingEvents.log:
      {8ECD0B56-6538-44C9-BBF6-47F4B7B8AE14} 2016-08-21 08:28:56:266+0200 1 147 [AGENT_DETECTION_FINISHED] 101 {00000000-0000-0000-0000-000000000000} 0 0 <>: cscript.exe Success Software Synchronization Windows Update Client successfully detected 1 updates.
      {C2E6D6D4-4CD1-4D43-BDC6-9ADC7F01BDF0} 2016-08-21 08:28:56:266+0200 1 156 [AGENT_STATUS_30] 101 {00000000-0000-0000-0000-000000000000} 0 0 <>: cscript.exe Success Pre-Deployment Check Reporting client status.
      {10B3032E-0BEB-4FC8-905B-E5F999411A31} 2016-08-21 08:28:56:391+0200 1 167 [AGENT_DOWNLOAD_STARTED] 101 {1D3328B4-DFA2-458B-B5F5-4C7AD45965E7} 203 0 <>: cscript.exe Success Content Download Download started.
      {18F9E4E6-A1C8-4309-9AD4-3F4BD0B2D517} 2016-08-21 08:30:27:445+0200 1 161 [AGENT_DOWNLOAD_FAILED] 101 {1D3328B4-DFA2-458B-B5F5-4C7AD45965E7} 203 80d02003 <>: cscript.exe Failure Content Download Error: Download failed.
      {E91D6533-7919-4D39-8EA7-42FE371BB954} 2016-08-21 08:43:48:705+0200 1 147 [AGENT_DETECTION_FINISHED] 101 {00000000-0000-0000-0000-000000000000} 0 0 TrustedInstaller FOD Success Software Synchronization Windows Update Client successfully detected 0 updates.

      WindowsUpdate.log:
      1601/01/01 01:00:00.0000000 5032 3208 Unknown( 119): GUID=2fc03aa6-a1fa-3d0c-ba09-b8539ec28a26 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 3208 Unknown( 14): GUID=3905367d-5739-34f2-739b-cf9a482c3e56 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 3208 Unknown( 16): GUID=bc21bb5e-eb28-3f99-1073-acecfea6cb82 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 1716 Unknown( 35): GUID=fbf46613-33f0-3872-c248-268156b5ca06 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 1716 Unknown( 10): GUID=fbf46613-33f0-3872-c248-268156b5ca06 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 35): GUID=fbf46613-33f0-3872-c248-268156b5ca06 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 10): GUID=fbf46613-33f0-3872-c248-268156b5ca06 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 10): GUID=d1317ae8-ec05-3e09-4a50-d3b2ce02f784 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 10): GUID=d1317ae8-ec05-3e09-4a50-d3b2ce02f784 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 63): GUID=e26dfe10-35bf-3106-db9d-9a51a6a0981f (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 29): GUID=1f9e54c8-9e31-3e53-867d-d9f39756ad7f (No Format Information found).
  • Anonymous
    August 19, 2016
    My organization utilizes SCCM to approve and deliver software update content. It was my understanding from conversing with our DSE that WUDO was not compatible with SCCM (this was about a month ago). Has that changed? Is there any integration/benefit for content managed by SCCM? How about for SCCM instances where clients are set to 'Always Internet' (aka IBCM)... is the answer any different in that scenario? Thanks!
    • Anonymous
      August 19, 2016
      For the most part, Delivery Optimization and ConfigMgr are mutually exclusive. Delivery Optimization would be used in cases where the Windows Update agent is looking to download a fix from WSUS or Windows Update. ConfigMgr, on the other hand, downloads the update to the PC and then tells the Windows Update agent to install the update from the local drive.
      • Anonymous
        August 22, 2016
        The comment has been removed
        • Anonymous
          August 22, 2016
          Not sure as I haven't tried that particular scenario. I would assume DO would be used any time the client is told to install an update from WU, but I don't know the specifics of the ConfigMgr implementation to know if that's exactly what's happening here.
  • Anonymous
    August 30, 2016
    None of these solutions have worked for us. In fact right now all Windows 10 1607 build machines that try to download a cumulative update from 2012 R2 WSUS hang on the download, then after reboot are bricked with an error message. At this point the machine is unusable and needs to be rebuilt. Yes, you heard that right. WSUS and Windows 10 1607 CUs are bricking my machines... What a disaster. I can reproduce this consistently in our environment. We are sticking with 1511 because we have no choice. Those are downloading to clients properly from WSUS still. We have the new GPO set to bypass mode, we have the MIME types and all WSUS hotfixes installed including the post servicing steps. We know what we are doing. The software is just broken and MS has yet to comment on a solution. EDIT: the error message that comes up on next boot after Windows Update tries to download a 1607 CU from WSUS is, "C:\windows\system32\config\systemprofile\desktop is unavailable. If the location is on this PC, make sure the device or drive is connected or the disc is inserted, and then try again. If the location is on a network make sure you're connected to the network or internet, and then try again. If the location still can't be found, it might have been moved or deleted." The user's taskbar and start menu are gone and many applications will not run or load. A new user profile does not fix the issue and also has the problem. Bricked....
    • Anonymous
      August 30, 2016
      The comment has been removed
      • Anonymous
        September 02, 2016
        When is the WSUS fix due?
  • Anonymous
    August 30, 2016
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/5521e7f1-fa2d-4867-a47c-b276c66e6a82/windows-10-anniversary-update-1607?forum=winserverwsus&prof=required
  • Anonymous
    September 02, 2016
    The comment has been removed
    • Anonymous
      September 02, 2016
      I am having this same issue where clients are not obeying WSUS and going to Microsoft to download
    • Anonymous
      September 05, 2016
      Me too. Client is reporting its status to WSUS, but that's all - it's going direct to MS and grabbing updates whether they are approved on WSUS or not. I've tried Download Modes of HTTP only (0), Simple (99) & Bypass (100) and it makes no difference. HTTP only was working fine on 1511.
  • Anonymous
    September 05, 2016
    What are the related GPO settings for disabling Delivery Optimization at all? We don't use BranchCache and we don't want to use Delivery Optimization in our organization. Simply said, we only want our WSUS servers being used for downloading any updates. Could anyone clarify how to disable these (in our point of view) useless features at all? So: what are the related GPOs for disabling these features?