Windows 10, Delivery Optimization, and WSUS: Take #2


01/31/2017:  Edited to reflect a change in the minimum disk size.

I had posted an article about Windows 10 1607, Delivery Optimization, and WSUS last week at https://blogs.technet.microsoft.com/mniehaus/2016/08/08/using-wsus-with-windows-10-1607/, but based on conversations with the engineering team and more testing of my own using virtual machines, I thought it would be good to make a second attempt at it.

Let’s start off with some basic behaviors:

  • Both Windows 10 1511 and Windows 10 1607 will talk to the Delivery Optimization service to find peers that can provide the content.  For devices connected to Windows Update, the peers are used in addition to the Windows Update content distribution servers on the internet.  For devices connected to WSUS, the peers are used in addition to the WSUS server.
  • Windows 10 1511 and Windows 10 1607 are configured by default for Delivery Optimization, but the download mode (used to determine what peers should be considered) is different depending on the SKU of Windows that is installed:
    • Enterprise, Enterprise LTSB and Education SKUs are configured for “LAN” (download mode 1) so they will only use PCs on the corporate network as peers.
    • Other SKUs default to “Internet” (download mode 3) so they will use a broader set of clients as peers.
  • There are minimum requirements for a PC to cache and provide content to peers, with at least 4GB of RAM and 32GB of disk space needed.  There are also minimum requirements for clients to receive content from peers; those that don’t meet those requirements will download updates directly from the source (Windows Update or WSUS).
  • Delivery Optimization presently will only use peer-to-peer sharing for larger updates like feature updates and cumulative updates.
  • Windows 10 1607 adds two new download modes, “Simple” (mode 99) and “Bypass” (mode 100).  “Simple” is great for “closed” networks where PCs wouldn’t be able to get to the Delivery Optimization service on the internet.  And “Bypass” is useful if you are already using BranchCache and want all updates to be pulled from WSUS using BITS.  (Since Windows 10 1511 doesn’t have a Bypass mode, you can use “HTTP only” mode 0 to skip Delivery Optimization peer checks on closed networks.)
  • Windows 10 1511 and Windows 10 1607 both also include a “Group” download mode setting (mode 2) that limits the population of PCs that can be considered peers to just those in a particular group.  With Windows 10 1511, groupings are based on the AD domain and an optional group ID that you can set via policy.  With Windows 10 1607, the groups are based on AD domain and AD site, and can also add in an optional group ID.

So let’s assume we have a Windows 10 1511 or Windows 10 1607 PC configured to talk to WSUS, and it checks for updates.  What happens?  Here’s the basic flow with the default settings:

  • The PC talks to WSUS to determine what updates are needed.
  • For each needed update, the PC checks with the Delivery Optimization service (on the internet) to find any applicable peer PCs that already have the needed content.
  • If peers are available, the PC will try to get the content from the peers.
  • If some or all of the content isn’t available from a peer, or if no peers are available, the remainder will be retrieved from WSUS.

So overall Delivery Optimization is a good thing:  It enables PCs on your network to share feature updates (new Windows 10 releases) and quality updates (monthly patches) with other PCs on your network.  But you might want to tweak the behavior.  I already mentioned one key scenario:  using Windows 10 1607 with WSUS and BranchCache.  Since Windows 10 1607 no longer uses BITS by default for downloading updates from WSUS, you may want to deploy a policy to change the download mode to “Bypass” when you are using BranchCache.

One other tweak to consider:  Instead of using the default “LAN” download mode, you may want to instead use the “Group” download mode.  The “LAN” mode identifies PCs that are on the same LAN by looking at their external IP address – all PCs going through the same internet IP (through a proxy server or router) are considered to be on the same “LAN.”  But if you’re a typical large enterprise, your “LAN” might be made up of a bunch of different LAN segments with WAN connections between them, with all internet traffic funneled back to a central location that has a connection to the internet.  In that type of an environment, you don’t necessarily want a PC in Anchorage sharing an update with a PC in Auckland through WAN links that pass through Chicago.  Instead, you want peer-to-peer sharing to happen locally.  The “Group” mode in Windows 10 1607 handles that nicely, as long as your AD sites are defined to correspond with physical locations.  If they aren’t, or if you are using Windows 10 1511, you can instead use the “Group ID” policy (delivered via site-specific GPOs) to segment PCs into more appropriate groups.
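
An added example, not code from the original post: a PowerShell function (hypothetical name Get-DODownloadModeAudit) that reads the Delivery Optimization values Group Policy writes to the registry and reports the effective download mode on a PC, using the mode numbers and SKU defaults listed above. The EditionID strings used for the SKU check are assumptions about how those editions identify themselves.

```powershell
# Added example. Mode numbers and SKU defaults come from the article above.
$DOModeNames = @{
    0   = 'HTTP only'
    1   = 'LAN'
    2   = 'Group'
    3   = 'Internet'
    99  = 'Simple'
    100 = 'Bypass'
}

function Get-DODownloadModeAudit {
    # Registry location where Group Policy stores Delivery Optimization settings.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $os     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build  = [int]$os.CurrentBuild      # 10586 = 1511, 14393 = 1607
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    if ($null -ne $policy -and $null -ne $policy.DODownloadMode) {
        $mode   = [int]$policy.DODownloadMode
        $source = 'Policy'
    } else {
        # No policy set: fall back to the SKU default. The EditionID strings
        # are assumptions (EnterpriseS = Enterprise LTSB).
        $lanSkus = 'Enterprise', 'EnterpriseS', 'Education'
        $mode    = if ($lanSkus -contains $os.EditionID) { 1 } else { 3 }
        $source  = 'SKU default'
    }

    $findings = @()
    if (-not $DOModeNames.ContainsKey($mode)) {
        $findings += "Mode $mode is not one of the modes described in the article."
    }
    if ((99, 100 -contains $mode) -and ($build -lt 14393)) {
        $findings += "Mode $mode was added in 1607; on 1511 use 0 (HTTP only)."
    }
    if ($mode -eq 3) {
        $findings += 'Peers are not limited to PCs on the corporate network.'
    }
    if ($mode -eq 2 -and $build -lt 14393 -and -not $policy.DOGroupId) {
        $findings += '1511 Group mode without a Group ID groups by AD domain only.'
    }

    [pscustomobject]@{
        Build    = $build
        Edition  = $os.EditionID
        Mode     = $mode
        ModeName = $DOModeNames[$mode]
        Source   = $source
        GroupId  = $policy.DOGroupId
        Findings = $findings
    }
}

Get-DODownloadModeAudit | Format-List
```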

See https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-updates and https://technet.microsoft.com/en-us/itpro/windows/plan/setup-and-deployment for more background on Delivery Optimization.

Comments (24)
  1. niall says:

    hi Michael, you mention 256gb disc space needed, is that a minimum (free) disc space needed ? or the total size of the disc, and if total size, how much free space is needed ?

    cheers
    niall

    1. That would be total disk size, not free disk space. (There is a separate Delivery Optimization policy that lets you specify a maximum percentage of free disk space that can be used.)

  2. Darin says:

    Great writeup Michael, I’ve been looking for some details on Delivery Optimization, and this answered most of my questions. Specifically I was trying to figure out what clients on the “same NAT” really mean, and you confirmed my suspicions that the out of box defaults are less than ideal for a distributed network with a central proxy server. If possible, could you also provide answers to the following three questions:

    1.) Logging – I know that Get-WindowsUpdateLogs is a part of the picture, but is there another place to look to get specifics on what the Delivery Optimization service is doing, which peers it’s downloading from, what’s getting pulled from the internet, what it’s sharing etc?

    2.) Windows Store Apps and Updates – As far as I can tell, these all come from the internet or Microsoft’s servers based on what I see in the Windows Update logs. Does the Delivery Optimization service help with reducing bandwidth for these updates as well, or are they too small to be what you considered Cumulative Updates and Feature Updates above.

    3.) The answer to #1 above could possibly tell me this, but is there any hash validation or signing check once the file is downloaded from the internet? I fought with some machines recently that seemed to be in a spin loop using high cpu and network until I turned off Delivery Optimization. Our proxy does SSL inspection on unauthenticated traffic coming from services running under the system account. We turned this off for update.microsoft.com traffic a while ago for Windows Update to work (“Certificate used for SSL failed chain policy check: 0x80096004d”), but I suspect Delivery Optimization might be downloading its files from a different URL now.

    1. 1. Not at this point, but it’s something we’re looking at improving in the future. (There are ETL trace files in C:\Windows\LogFiles\dosvc, but those binary files need to be formatted using symbols.)
      2. Yes, Delivery Optimization helps with apps from the Windows Store as well, doing peer-to-peer transfers for apps that are larger than 100MB.
      3. Yes, Delivery Optimization does hash and certification validation. You might also want to exclude the DO-specific traffic to tlu.dl.delivery.mp.microsoft.com.

  3. cmiscloni says:

    Hi Michael,

    Does Microsoft know the problem with Windows 10 1607 and WSUS ?
    Impossible to download updates when a Cumulative update is available on WSUS.

    When you install the cumulative updates manually, all other updates work.

    1. I’ve been doing this without any issues, so it sounds like something more specific with your environment. Any additional details? WU policies in use? WU for Business policies in use? Error messages?

      1. Dirk says:

        I have a clean install of 2012R2 with WSUS enabled and all updates from Microsoft Update installed (incl. 3159706 and post install), I have a manual clean install of 1607 Enterprise configured to look at my WSUS server, both have full access to the Internet, I approved 3176495 only on my WSUS server and the client fails to download the update, at the same time multiple WU related services are constantly crashing, the crashing and following restart may make the update eventually download – or not, in addition to that is Get-WindowsUpdateLog not resolving the GUIDs which prevents any troubleshooting of the issue, I have two cases open with premier and get nowhere…

        1. We’re investigating those issues. For Get-WindowsUpdateLog, the issue is with the symbols needed to format the log entries. For the crashing issues, they are making progress.

          1. Ben Duff says:

            Any further progress on the WSUS downloading issues, seems it’s quite widespread based on forum threads.

      2. cmiscloni says:

        Many other users have encountered this bug (see: https://social.technet.microsoft.com/Forums/windowsserver/en-US/5521e7f1-fa2d-4867-a47c-b276c66e6a82/windows-10-anniversary-update-1607?forum=winserverwsus)
        No specific error but windows update is stuck at 0% of downloading.

        Any idea where I can find more logs ?

        Thanks

        1. Kerry Hoskin says:

          yep have this issue also

    2. cmiscloni says:

      See below more logs:

      ReportingEvents.log:

      {8ECD0B56-6538-44C9-BBF6-47F4B7B8AE14} 2016-08-21 08:28:56:266+0200 1 147 [AGENT_DETECTION_FINISHED] 101 {00000000-0000-0000-0000-000000000000} 0 0 <>: cscript.exe Success Software Synchronization Windows Update Client successfully detected 1 updates.
      {C2E6D6D4-4CD1-4D43-BDC6-9ADC7F01BDF0} 2016-08-21 08:28:56:266+0200 1 156 [AGENT_STATUS_30] 101 {00000000-0000-0000-0000-000000000000} 0 0 <>: cscript.exe Success Pre-Deployment Check Reporting client status.
      {10B3032E-0BEB-4FC8-905B-E5F999411A31} 2016-08-21 08:28:56:391+0200 1 167 [AGENT_DOWNLOAD_STARTED] 101 {1D3328B4-DFA2-458B-B5F5-4C7AD45965E7} 203 0 <>: cscript.exe Success Content Download Download started.
      {18F9E4E6-A1C8-4309-9AD4-3F4BD0B2D517} 2016-08-21 08:30:27:445+0200 1 161 [AGENT_DOWNLOAD_FAILED] 101 {1D3328B4-DFA2-458B-B5F5-4C7AD45965E7} 203 80d02003 <>: cscript.exe Failure Content Download Error: Download failed.
      {E91D6533-7919-4D39-8EA7-42FE371BB954} 2016-08-21 08:43:48:705+0200 1 147 [AGENT_DETECTION_FINISHED] 101 {00000000-0000-0000-0000-000000000000} 0 0 TrustedInstaller FOD Success Software Synchronization Windows Update Client successfully detected 0 updates.

      WindowsUpdate.log:

      1601/01/01 01:00:00.0000000 5032 3208 Unknown( 119): GUID=2fc03aa6-a1fa-3d0c-ba09-b8539ec28a26 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 3208 Unknown( 14): GUID=3905367d-5739-34f2-739b-cf9a482c3e56 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 3208 Unknown( 16): GUID=bc21bb5e-eb28-3f99-1073-acecfea6cb82 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 1716 Unknown( 35): GUID=fbf46613-33f0-3872-c248-268156b5ca06 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 1716 Unknown( 10): GUID=fbf46613-33f0-3872-c248-268156b5ca06 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 35): GUID=fbf46613-33f0-3872-c248-268156b5ca06 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 10): GUID=fbf46613-33f0-3872-c248-268156b5ca06 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 10): GUID=d1317ae8-ec05-3e09-4a50-d3b2ce02f784 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 10): GUID=d1317ae8-ec05-3e09-4a50-d3b2ce02f784 (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 63): GUID=e26dfe10-35bf-3106-db9d-9a51a6a0981f (No Format Information found).
      1601/01/01 01:00:00.0000000 5032 4640 Unknown( 29): GUID=1f9e54c8-9e31-3e53-867d-d9f39756ad7f (No Format Information found).

  4. MLP says:

    My organization utilizes SCCM to approve and deliver software update content. It was my understanding from conversing with our DSE that WUDO was not compatible with SCCM (this was about a month ago). Has that changed? Is there any integration/benefit for content managed by SCCM? How about for SCCM instances where clients are set to ‘Always Internet’ (aka IBCM)…is the answer any different in that scenario? Thanks!

    1. For the most part, Delivery Optimization and ConfigMgr are mutually exclusive. Delivery Optimization would be used in cases where the Windows Update agent is looking to download a fix from WSUS or Windows Update. ConfigMgr, on the other hand, downloads the update to the PC and then tells the Windows Update agent to install the update from the local drive.

      1. MLP says:

        Thanks Michael. My experience, however, is that the default download location for internet based clients in CM 2012 and later is to actually pull the content directly from Windows Update, only using CM DP’s as a fallback in the cases where a client cannot connect to WU servers for some reason (firewall blocking traffic, for example). In those cases, would it still be mutually exclusive? Thanks!

        1. Not sure as I haven’t tried that particular scenario. I would assume DO would be used any time the client is told to install an update from WU, but I don’t know the specifics of the ConfigMgr implementation to know if that’s exactly what’s happening here.

  5. David Borden says:

    None of these solutions have worked for us. In fact right now all Windows 10 1607 build machines that try to download a cumulative update from 2012 R2 WSUS hang on the download then after reboot are bricked with an error message. At this point the machine is unusable and needs to be rebuilt.

    Yes you heard that right. WSUS and Windows 10 1607 CUs are bricking my machines… What a disaster. I can reproduce this consistently in our environment. We are sticking with 1511 because we have no choice. Those are downloading to clients properly from WSUS still.

    We have the new GPO set to bypass mode, we have the MIME types and all WSUS hotfixes installed including the post servicing steps. We know what we are doing. The software is just broken and MS has yet to comment on a solution.

    EDIT: the error message that comes up on next boot after windows update tries to download a 1607 CU from WSUS is, “C:\windows\system32\config\systemprofile\desktop is unavailable. If the location is on this PC, make sure the device or drive is connected or the disc is inserted, and then try again. if the location is on a network make sure you’re connected to the network or internet, and then try again. If the location still can’t be found, it might have been moved or deleted.” The user’s taskbar, start menu are gone and many applications will not run or load. New user profile does not fix the issue and also has the problem. Bricked….

    1. We are aware of the “hanging” issue, which prevents updates from being downloaded. A fix for this is expected soon. However, since this issue prevents updates from being downloaded, no updates get installed, so the other error you are getting is unrelated and indicates a problem loading the user profile. There’s not a lot to go on for that particular error, but I would suspect anti-virus software getting in the way. What antivirus software are you using (including version)?

      1. Joe Mailey says:

        When is the WSUS fix due?

  6. Aaron says:

    Hey Michael- Are there any Group Policy (or other) settings related to Delivery Optimization that would be causing clients to not obey WSUS? Our clients are all set to use our local WSUS server. The only DO setting I have configured is to use “Group” for download mode. On the WSUS server, I have not approved the recent CU (KB3176938) or the Adobe Flash update that came out, but all our build 1607 clients have installed both those updates (and recent firmware updates) either from Microsoft Update or DO, and aren’t listening to the fact I have not approved them through WSUS.

    1. todd r says:

      I am having this same issue where clients are not obeying WSUS and going to Microsoft to download

    2. JLT says:

      Me too. Client is reporting its status to WSUS, but that’s all – it’s going direct to MS and grabbing updates whether they are approved on WSUS or not. I’ve tried Download Modes of HTTP only (0), Simple (99) & Bypass (100) and it makes no difference. HTTP only was working fine on 1511.

  7. Chw says:

    What are the related GPO settings for disabling delivery optimization at all? We don’t use branch cache and we don’t want to use delivery optimization in our organization. Simply said, we only want our WSUS servers being used to download any updates.
    Could anyone clarify how to disable these (in our point of view) useless features at all?
    So: what are the related GPOs for disabling these features?

Comments are closed.
