How to use delivery optimization with WSUS

Delivery optimization helps to save bandwidth by caching downloaded files when updates are distributed throughout the network. When used together with WSUS, it can be particularly useful in multisite organizations if configured properly.

Delivery optimization (DO) was originally introduced as a component of Windows Update for Business (WUfB), but it also works with Windows Server Update Services (WSUS).

Delivery optimization works with WSUS and Windows Update for Business

Clients first contact the WSUS server to check for new updates. If there are any, Windows 10 checks whether it can obtain cached update files from other PCs (peers). If it can't, then the PC will download updates from WSUS.

DO enabled by default in all editions

DO is not just an additional option that you can activate to reduce the load on WSUS. It is already enabled by default on all editions of Windows 10. The Enterprise Edition, however, is limited to requesting cached update files in the LAN, while the consumer versions also contact computers on the internet.

Delivery optimization is activated in all editions of Windows 10 by default

Even if companies are already using BranchCache to cache update files, Windows 10 will automatically switch to delivery optimization instead if it has not been explicitly turned off (this is done using Bypass (100) in the GPO setting Download Mode mentioned below).

Support for Office and Windows Server

Besides feature and quality updates for the operating system, drivers, and files from the Microsoft Store, Windows 10 also processes click-to-run updates for Office, starting with version 1709. Support for traditional Office updates and MSIX was added with the 2004 release.

Delivery optimization can also be used with Windows Server, but it is deactivated by default

Windows Servers can also obtain their updates from PCs in the network; on servers, however, delivery optimization is deactivated by default. Since version 1709, this feature is also available for Server Core.

Coordination via cloud service

A prerequisite for delivery optimization is that the computers are connected to the internet because the caches are orchestrated via a cloud service.

In addition, there are minimum hardware requirements of 4 GB RAM and 32 GB storage space on the system drive by default. These values and the storage location for the cache can be adjusted via group policies.

The hardware requirements of the peer caches can be adapted via a GPO

Organizing peers into groups

To enable clients to efficiently exchange updates, it is important to group them according to the network topology. The aforementioned option of downloading content only from PCs in the local network simply puts all computers that are connected to the internet via the same public IP (i.e., the same firewall) into one group.

However, if the clients grouped in this way are spread over several locations and connected via a slow network, it will defeat the whole purpose of DO. On top of that, the transfer of cache contents will also slow down the other applications.

For this reason, the group policy Download Mode under Computer Configuration > Policies > Administrative Templates > Windows Components > Transfer Optimization provides additional settings to sort Windows PCs into groups.

Download mode is the central setting for delivery optimization

In the update baseline, Microsoft recommends that you use Group (2). With this setting, peering by default occurs between devices on the same Active Directory site or, if no site is available, in the same domain.

If a domain-based group is too large or AD sites are not aligned with the network topology, there are alternative ways to aggregate peers.

Merging PCs by ID

One of the options is called Group ID. With it, you assign the same ID to all computers that are to cooperate as peers for caching and distributing updates. The ID must be a GUID, which can be generated with PowerShell as follows:

[guid]::NewGuid()

Computers can be combined into groups for the DO using a common ID

Ideally, the computers in question are located in the same organizational units, so that they can be assigned the same ID by linking the GPO to these OUs. In addition, you could use WMI filters to target the clients more specifically.

If linking a GPO is not suitable for addressing the desired PCs for DO, then Select the source of Group IDs offers further options. This setting overrides the Group ID mentioned above.

Alternative methods for organizing computers into groups for delivery optimization

In addition to grouping PCs by a common DNS suffix, one of the additional options is to assign a GUID via DHCP option 234. This is particularly useful if certain subnets can be targeted in this way.
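The grouping rules above (Group (2) as download mode, a GUID as Group ID, the source setting overriding the ID) can be checked on a client after the GPO has been applied. The following is an added example, not part of the original article; the function name is hypothetical, and it assumes the settings are stored as DODownloadMode, DOGroupId and DOGroupIdSource under the policy registry key shown in the code.

```powershell
# Added example: checks DO grouping settings against the rules described above.
# Assumption: the GPO settings are stored as DODownloadMode, DOGroupId and
# DOGroupIdSource under the policy key in $key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Test-DoGroupingPolicy {
    param([object] $Policy)   # hashtable or Get-ItemProperty output

    $findings = @()
    $mode    = $Policy.DODownloadMode
    $groupId = $Policy.DOGroupId
    $source  = $Policy.DOGroupIdSource

    if ($null -eq $mode) {
        $findings += 'Download Mode is not configured; the edition default applies.'
    } elseif ($mode -eq 100) {
        $findings += 'Download Mode is Bypass (100); delivery optimization is turned off.'
    } elseif ($mode -ne 2) {
        $findings += "Download Mode is $mode, not Group (2); group settings have no effect."
    }

    # The Group ID must parse as a GUID, e.g. one created with [guid]::NewGuid().
    $parsed = [guid]::Empty
    if ($groupId -and -not [guid]::TryParse([string]$groupId, [ref]$parsed)) {
        $findings += "Group ID '$groupId' is not a valid GUID."
    }
    # "Select the source of Group IDs" takes precedence over a fixed Group ID.
    if ($groupId -and $source) {
        $findings += 'A Group ID source is set, so it overrides the configured Group ID.'
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample values, not taken from a real machine.
# DOGroupIdSource = 3 stands for the DHCP option as source.
$good = @{ DODownloadMode = 2; DOGroupId = [guid]::NewGuid().ToString() }
$bad  = @{ DODownloadMode = 1; DOGroupId = 'branch-office-7'; DOGroupIdSource = 3 }
Test-DoGroupingPolicy $good | Format-List
Test-DoGroupingPolicy $bad  | Format-List

# On a managed client, evaluate the applied policy instead:
# Test-DoGroupingPolicy (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue)
```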

VPN management

A similar problem arises when users are connected to the company network via a VPN. As these connections are often relatively slow, it is not desirable for such remote PCs to serve as update caches for the computers in the LAN.

Delivery optimization tries to find out whether a computer is connected via VPN by checking the type of network adapter and whether its description contains certain keywords, such as "VPN" or "secure."

In this case, DO deactivates all peer-to-peer activities. If you want to change this default behavior, you can do so via the setting Enable peer caching while the device is connected over a VPN.

Bandwidth control

Group policy also provides numerous settings, regardless of connection type, to control the load on the network from peer-to-peer communication.

Several settings help to avoid network congestion caused by DO

They include maximum download bandwidths (in percent or, since Windows 10 2004, also absolute values) in the foreground and background, monthly upper limits in GB, and business hours during which the transfer volume can be limited.

Monitoring DO and evaluating activities

Once you have configured delivery optimization according to your own requirements, you will want to know whether this feature functions as planned. To check this, you can start the activity monitor on individual computers in the settings app under Update and Security > Delivery Optimization.

You can obtain much more information with PowerShell, which offers several cmdlets for this purpose. They can be found easily using:

Get-DeliveryOptimizationStatus and Get-DeliveryOptimizationLogAnalysis have been added in the 2004 version of Windows 10. The former allows insight into peer-to-peer activities, such as IP addresses or bytes sent and received.

Analyzing DO activities with the help of PowerShell

The second provides a summary of the DO logs, including the number of files downloaded, downloads from other PCs on the network, and overall efficiency. The ListConnections parameter provides information about peer-to-peer connections.

For problem analysis, you can start a detailed logging using Enable-DeliveryOptimizationVerboseLogs.
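To judge whether the peer groups behave as intended, the per-download output of Get-DeliveryOptimizationStatus can be aggregated by source. The following is an added example, not part of the original article; the function name is hypothetical, the sample records are constructed, and the property names are assumed to match those the cmdlet returns on Windows 10 2004 and later.

```powershell
# Added example: aggregates Get-DeliveryOptimizationStatus records by source
# and flags traffic exchanged with peers outside the LAN or group.
function Get-DoPeerSummary {
    param([Parameter(Mandatory)] [object[]] $Status)

    # Sum one byte counter across all download records.
    $sum = { param($name) [long]($Status | Measure-Object -Property $name -Sum).Sum }

    $http  = & $sum 'BytesFromHttp'
    $lan   = & $sum 'BytesFromLanPeers'
    $group = & $sum 'BytesFromGroupPeers'
    $inet  = & $sum 'BytesFromInternetPeers'
    $sent  = & $sum 'BytesToInternetPeers'

    $peers = $lan + $group + $inet
    $total = $http + $peers
    $pct   = if ($total -gt 0) { [math]::Round(100 * $peers / $total, 1) } else { 0 }

    [pscustomobject]@{
        Downloads             = $Status.Count
        BytesFromHttp         = $http
        BytesFromLanPeers     = $lan
        BytesFromGroupPeers   = $group
        PeerPercent           = $pct
        # Any value above zero means the device peered beyond the local network,
        # which Group (2) or LAN-only configurations are meant to prevent.
        InternetPeerBytesIn   = $inet
        InternetPeerBytesOut  = $sent
        InternetPeeringSeen   = (($inet + $sent) -gt 0)
    }
}

# Constructed sample records, shaped like the cmdlet output.
$sample = @(
    [pscustomobject]@{ FileId = 'constructed-1'; BytesFromHttp = 400MB; BytesFromLanPeers = 0
        BytesFromGroupPeers = 600MB; BytesFromInternetPeers = 0; BytesToInternetPeers = 0 }
    [pscustomobject]@{ FileId = 'constructed-2'; BytesFromHttp = 100MB; BytesFromLanPeers = 150MB
        BytesFromGroupPeers = 0; BytesFromInternetPeers = 50MB; BytesToInternetPeers = 20MB }
)
Get-DoPeerSummary -Status $sample | Format-List

# On a Windows 10 2004 or later client:
# Get-DoPeerSummary -Status (Get-DeliveryOptimizationStatus)
```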

Conclusion

If configured properly, delivery optimization can reduce the load on the WSUS infrastructure and help customers consolidate complex topologies of upstream and downstream servers.

Unlike BranchCache, this feature is included in all editions of Windows 10 and can be used for Windows servers as needed. It has been given an additional benefit by supporting Office updates.

While it can only be configured in a rudimentary way via the GUI, numerous group policies are now available for managed environments, with which administrators can control resource consumption in the network and on the clients.
