Windows 10, Delivery Optimization, and WSUS: Take #2

01/31/2017:  Edited to reflect a change in the minimum disk size.

I had posted an article about Windows 10 1607, Delivery Optimization, and WSUS last week at https://blogs.technet.microsoft.com/mniehaus/2016/08/08/using-wsus-with-windows-10-1607/, but based on conversations with the engineering team and more testing of my own using virtual machines, I thought it would be good to make a second attempt at it.

Let’s start off with some basic behaviors:

  • Both Windows 10 1511 and Windows 10 1607 will talk to the Delivery Optimization service to find peers that can provide the content.  For devices connected to Windows Update, the peers are used in addition to the Windows Update content distribution servers on the internet.  For devices, connected to WSUS, the peers are used in addition to the WSUS server.
  • Windows 10 1511 and Windows 10 1607 are configured by default for Delivery Optimization, but the download mode (used to determine what peers should be considered) is different depending on the SKU of Windows that is installed:
    • Enterprise, Enterprise LTSB and Education SKUs are configured for “LAN” (download mode 1) so they will only use PCs on the corporate network as peers.
    • Other SKUs default to “Internet” (download mode 3) so they will use a broader set of clients as peers.
  • There are minimum requirements for a PC to cache and provide content to peers, with at least 4GB of RAM and 32GB of disk space needed.  There are also minimum requirements for clients to receive content from peers; those that don’t meet those requirements will download updates directly from the source (Windows Update or WSUS).
  • Delivery Optimization presently will only use peer-to-peer sharing for larger updates like feature updates and cumulative updates.
  • Windows 10 1607 adds two new download modes, “Simple” (mode 99) and “Bypass” (mode 100).  “Simple” is great for “closed” networks where PCs wouldn’t be able to get to the Delivery Optimization service on the internet.  And “Bypass” is useful if you are already using BranchCache and want all updates to be pulled from WSUS using BITS.  (Since Windows 10 1511 doesn’t have a Bypass mode, you can use “HTTP only” mode 0 to skip Delivery Optimization peer checks on closed networks.)
  • Windows 10 1511 and Windows 10 1607 both also include a “Group” download mode setting (mode 2) that limits the population of PCs that can be considered peers to just those in a particular group.  With Windows 10 1511, groupings are based on the AD domain and an optional group ID that you can set via policy.  With Windows 10 1607, the groups are based on AD domain and AD site, and can also add in an optional group ID.

So let’s assume we have a Windows 10 1511 or Windows 10 1607 PC configured to talk to WSUS, and it checks for updates.  What happens?  Here’s the basic flow with the default settings:

  • The PC talks to WSUS to determine what updates are needed.
  • For each needed update, the PC checks with the Delivery Optimization service (on the internet) to find any applicable peer PCs that already have the needed content.
  • If peers are available,, the PC will try to get the content from the peers.
  • If some or all of the content isn’t available from a peer, or if no peers are available, the remainder will be retrieved from WSUS.

So overall Delivery Optimization is a good thing:  It enables PCs on your network to share feature updates (new Windows 10 releases) and quality updates (monthly patches) with other PCs on your network.  But you might want to tweak the behavior.  I already mentioned one key scenario:  If you are using Windows 10 1607 with WSUS and BranchCache.  Since Windows 10 1607 no longer uses BITS by default for downloading updates from WSUS, you may want to deploy a policy to change the download mode to “Bypass” when you are using BranchCache.

One other tweak to consider:  Instead of using the default “LAN” download mode, you may want to instead use the “Group” download mode.  The “LAN” mode identifies PCs that are on the same LAN by looking at their external IP address – all PCs going through the same internet IP (through a proxy server or router) are considered to be on the same “LAN.”  But if you’re a typical large enterprise, your “LAN” might be made up of a bunch of different LAN segments with WAN connections between them, with all internet traffic funneled back to a central location that has a connection to the internet.  In that type of an environment, you don’t necessarily want a PC in Anchorage sharing an update with a PC in Auckland through WAN links that pass through Chicago.  Instead, you want peer-to-peer sharing to happen locally.  The “Group” mode in Windows 10 1607 handles that nicely, as long as your AD sites are defined to correspond with physical locations.  If they aren’t, or if you are using Windows 10 1511, you can instead use the “Group ID” policy (delivered via site-specific GPOs) to segment PCs into more appropriate groups.

See https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-updates and https://technet.microsoft.com/en-us/itpro/windows/plan/setup-and-deployment for more background on Delivery Optimization.