Use Delivery Optimization with WSUS

Delivery Optimization is used for the efficient distribution of updates in the network, saving bandwidth by caching downloaded files. In combination with WSUS, it can be particularly useful in companies with multiple locations if it is configured accordingly.

Delivery Optimization (DO) was originally introduced as a component of Windows Update for Business (WUfB), but also works with Windows Server Update Services (WSUS).

Delivery Optimization works with WSUS and Windows Update for Business.

Clients first contact the WSUS server to see if there are any new updates. Then they check whether they can obtain cached files from other PCs (peers). If this is not the case, Windows 10 will only download the updates from WSUS.

DO activated by default in all editions

The DO is not just an additional option that can be unlocked to relieve WSUS. Rather, it is already activated by default on all editions of Windows 10. In the Enterprise Edition, however, it is limited to the caching of update files in the LAN, while the consumer versions also integrate computers via the Internet.

Delivery optimization is enabled by default in all editions of Windows 10.

Even if BranchCache is already in use to cache update files, Windows 10 uses Delivery Optimization instead unless it has been explicitly switched off (this is done with the value Bypass (100) in the GPO setting Download mode mentioned below).

Support for Office and Windows Server

Since Windows 10 1709, in addition to feature and quality updates for Windows, drivers and files from the Store, DO has also handled Click-to-Run updates for Office. With the 2004 release, support for conventional Office updates and MSIX was added.

The DO can also be used for Windows servers, but is deactivated there by default.

In principle, Windows servers can also obtain their updates from PCs in the network, but by default this optimization is deactivated there. This feature has also been available for Server Core since version 1709.

Control via cloud service

A prerequisite for the optimization of the transmission is that the computers are connected to the Internet because the caches are orchestrated via a cloud service.

In addition, there is a minimum hardware requirement of 4 GB RAM and 32 GB storage space on the system drive by default. These values and the storage location for the cache can be adjusted using Group Policy.

The hardware requirements of the peer caches can be adapted via a GPO.

Organize peers in groups

So that the clients can pass the updates to each other efficiently, it is important to sort them into groups that match the network topology. With the option mentioned above, which downloads content only from PCs in the local network, DO simply puts all computers that are connected to the Internet via the same public IP (read: same firewall) into one group.

However, if the clients grouped in this way are spread over several locations and connected via a slow network, the result is more likely to be the opposite of what was intended. On top of that, the cache content is transferred to other applications.

For this reason, the Group Policy setting Download mode under Computer Configuration => Policies => Administrative Templates => Windows Components => Delivery Optimization offers further options for sorting Windows PCs into groups.

The download mode is the central setting for Delivery Optimization.

In the Update Baseline, Microsoft recommends using Group (2). By default, peering then takes place between devices in the same Active Directory site or, if no site is available, in the same domain.

If the domain-based group would be too large or the AD sites are not aligned with the network topology, there are alternative ways to group peers.

Group PCs using an ID

One of them is the setting Group ID. All computers that are to cooperate as peers for caching and distributing updates are assigned the same ID. This has the form of a GUID, which can be generated with PowerShell.

Computers can be grouped together for the DO using a common ID.

Ideally, the computers in question are in the same organizational units, so that they can be given the same ID by linking the GPO to these OUs. WMI filters could be used to further limit the clients.

If the GPO link is not suitable for addressing the desired PCs for DO, then the setting Select source for group IDs offers more options. This setting overlaps with the Group ID mentioned above.

Alternative methods to organize computers for Delivery Optimization in groups.

In addition to the common DNS suffix, the additional criteria include the assignment of a GUID via DHCP option 234. This is particularly useful if certain subnets can be reached in this way.
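To check on a client which grouping actually arrived via GPO, the following added example (not part of the original article) generates a Group ID and audits the Delivery Optimization policy values in the registry. It assumes the standard policy key and value names DODownloadMode, DOGroupId and DOGroupIdSource; the function name and the ExpectedGroupId parameter are hypothetical.

```powershell
# Added example: generate a Group ID and audit the DO policy a GPO wrote to this client.
$newGroupId = (New-Guid).Guid          # value to paste into the "Group ID" setting
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

$modeNames = @{
    0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass'
}
$sourceNames = @{
    1 = 'AD site'; 2 = 'Authenticated domain SID'; 3 = 'DHCP option ID'
    4 = 'DNS suffix'; 5 = 'Azure AD tenant'
}

function Get-DoPolicyAudit {
    param([string]$ExpectedGroupId)    # hypothetical parameter: GUID the GPO should assign

    # Missing key or values simply yield $null / empty strings below
    $p       = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $mode    = if ($null -ne $p.DODownloadMode)  { [int]$p.DODownloadMode }  else { $null }
    $source  = if ($null -ne $p.DOGroupIdSource) { [int]$p.DOGroupIdSource } else { $null }
    $groupId = [string]$p.DOGroupId
    $parsed  = [guid]::Empty
    $finding = @()

    if ($null -eq $mode) {
        $finding += 'No Download mode policy: the edition default applies.'
    } elseif ($mode -eq 3) {
        $finding += 'Internet mode: content is exchanged with peers outside the LAN.'
    } elseif ($mode -eq 1) {
        $finding += 'LAN mode groups by public IP: peers may sit in other sites.'
    }
    if ($groupId -and -not [guid]::TryParse($groupId, [ref]$parsed)) {
        $finding += "Group ID '$groupId' is not a valid GUID."
    } elseif ($groupId -and $ExpectedGroupId -and $parsed -ne [guid]$ExpectedGroupId) {
        $finding += "Group ID differs from the expected $ExpectedGroupId."
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        DownloadMode  = if ($null -ne $mode) { "$mode ($($modeNames[$mode]))" } else { 'not set' }
        GroupId       = if ($groupId) { $groupId } else { 'not set' }
        GroupIdSource = if ($null -ne $source) { "$source ($($sourceNames[$source]))" } else { 'not set' }
        Findings      = $finding
    }
}

"Generated Group ID: $newGroupId"
Get-DoPolicyAudit | Format-List
```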

VPN management

A similar problem arises when users are connected to the company network via a VPN. In this case, too, the connections are often relatively slow, so it is not desirable that such remote PCs serve as an update cache for the computers in the LAN.

The Delivery Optimization tries to find out independently whether a computer is connected via VPN by checking the type of network adapter and also checking whether its description contains certain keywords such as “VPN” or “secure”.

In this case, DO deactivates all peer-to-peer activities. If you want to change this default behavior, you can do so with the setting Enable peer caching while the device is connected via a VPN.

Bandwidth control

The group policies also offer numerous settings, regardless of the type of connection, to control the load on the network caused by communication between the peers.

A number of settings help to avoid overloading the network with the DO.

They range from maximum download bandwidths (in percent or, since Windows 10 2004, in absolute terms) in the foreground and background, through monthly upper limits in GB, to the definition of business hours during which the transferred volume can be limited.

Monitor DO and evaluate activities

Once you have configured Delivery Optimization according to your own requirements and circumstances, you will want to know whether the feature behaves as planned. On individual computers, you can start the Activity monitor in the Settings app under Update and security => Delivery Optimization.

Much more information is available with PowerShell, which offers a number of cmdlets for this purpose, as

Get-Command -Verb Get -Noun *Delivery*

readily shows. With the 2004 version, Get-DeliveryOptimizationStatus and Get-DeliveryOptimizationLogAnalysis were added. The first allows an insight into peer-to-peer activities such as IP addresses or sent and received bytes.

Evaluation of the DO activities with the help of PowerShell

The second provides a summary of the DO logs, including the number of files downloaded, downloads from other PCs on the network and overall efficiency. The switch ListConnections lists the peer-to-peer connections.

For troubleshooting, you can also start detailed logging with Enable-DeliveryOptimizationVerboseLogs.
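The following added example (not from the original article) totals the byte counters returned by Get-DeliveryOptimizationStatus to show how much content came over HTTP versus from LAN, group and Internet peers, and flags Internet peering, which a managed network restricted to LAN or group mode should not show. It assumes a Windows 10 build that exposes the BytesFromLanPeers, BytesFromGroupPeers and BytesFromInternetPeers properties; the function name is hypothetical.

```powershell
# Added example: where did this client's Delivery Optimization content come from?
function Get-DoSourceSummary {
    $jobs = @(Get-DeliveryOptimizationStatus)
    if ($jobs.Count -eq 0) {
        Write-Warning 'No Delivery Optimization jobs recorded on this client.'
        return
    }

    # Sum one byte counter over all jobs; a counter missing on older builds counts as 0
    $sum = {
        param([string]$Property)
        [long](($jobs | Measure-Object -Property $Property -Sum -ErrorAction SilentlyContinue).Sum)
    }

    $http     = & $sum 'BytesFromHttp'
    $lan      = & $sum 'BytesFromLanPeers'
    $group    = & $sum 'BytesFromGroupPeers'
    $internet = & $sum 'BytesFromInternetPeers'
    $peers    = $lan + $group + $internet
    $total    = $http + $peers

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Files              = $jobs.Count
        DownloadModes      = ($jobs.DownloadMode | Sort-Object -Unique) -join ', '
        MBFromHttp         = [math]::Round($http / 1MB, 1)
        MBFromLanPeers     = [math]::Round($lan / 1MB, 1)
        MBFromGroupPeers   = [math]::Round($group / 1MB, 1)
        MBFromInternetPeer = [math]::Round($internet / 1MB, 1)
        PeerSharePercent   = if ($total) { [math]::Round(100 * $peers / $total, 1) } else { 0 }
        InternetPeersUsed  = $internet -gt 0
    }
}

$summary = Get-DoSourceSummary
$summary | Format-List

# In a LAN- or group-only configuration, any Internet peer traffic indicates
# that the intended Download mode policy is not effective on this client.
if ($summary -and $summary.InternetPeersUsed) {
    Write-Warning 'Content was received from Internet peers; check the Download mode policy.'
}
```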

Conclusion

If configured accordingly, Delivery Optimization can relieve the WSUS infrastructure and help to reduce the number of its servers and to slim down complex topologies of upstream and downstream servers.

In contrast to BranchCache, this feature is included in all editions of Windows 10 and can also be used for Windows Server if required. Support for Office updates has given it an additional upgrade.

While it can only be configured in a rudimentary way via the GUI, numerous Group Policy settings are now available for managed environments, with which admins can control in particular the resource consumption in the network and on the clients.


About the Author: Jan Gruber
