I had posted an article about Windows 10 1607, Delivery Optimization, and WSUS last week at https://blogs.technet.microsoft.com/mniehaus/2016/08/08/using-wsus-with-windows-10-1607/, but based on conversations with the engineering team and more testing of my own using virtual machines, I thought it would be good to make a second attempt at it.
Let’s start off with some basic behaviors:
- Both Windows 10 1511 and Windows 10 1607 will talk to the Delivery Optimization service to find peers that can provide the content. For devices connected to Windows Update, the peers are used in addition to the Windows Update content distribution servers on the internet. For devices connected to WSUS, the peers are used in addition to the WSUS server.
- Windows 10 1511 and Windows 10 1607 are configured by default for Delivery Optimization, but the download mode (used to determine what peers should be considered) is different depending on the SKU of Windows that is installed:
  - Enterprise, Enterprise LTSB and Education SKUs are configured for “LAN” (download mode 1) so they will only use PCs on the corporate network as peers.
  - Other SKUs default to “Internet” (download mode 3) so they will use a broader set of clients as peers.
So let’s assume we have a Windows 10 1511 or Windows 10 1607 PC configured to talk to WSUS, and it checks for updates. What happens? Here’s the basic flow with the default settings:
- The PC talks to WSUS to determine what updates are needed.
- For each needed update, the PC checks with the Delivery Optimization service (on the internet) to find any applicable peer PCs that already have the needed content.
- If peers are available, the PC will try to get the content from the peers.
- If some or all of the content isn’t available from a peer, or if no peers are available, the remainder will be retrieved from WSUS.
So overall Delivery Optimization is a good thing: It enables PCs on your network to share feature updates (new Windows 10 releases) and quality updates (monthly patches) with other PCs on your network. But you might want to tweak the behavior. I already mentioned one key scenario: If you are using Windows 10 1607 with WSUS and BranchCache. Since Windows 10 1607 no longer uses BITS by default for downloading updates from WSUS, you may want to deploy a policy to change the download mode to “Bypass” when you are using BranchCache.
One other tweak to consider: Instead of using the default “LAN” download mode, you may want to instead use the “Group” download mode. The “LAN” mode identifies PCs that are on the same LAN by looking at their external IP address – all PCs going through the same internet IP (through a proxy server or router) are considered to be on the same “LAN.” But if you’re a typical large enterprise, your “LAN” might be made up of a bunch of different LAN segments with WAN connections between them, with all internet traffic funneled back to a central location that has a connection to the internet. In that type of an environment, you don’t necessarily want a PC in Anchorage sharing an update with a PC in Auckland through WAN links that pass through Chicago. Instead, you want peer-to-peer sharing to happen locally. The “Group” mode in Windows 10 1607 handles that nicely, as long as your AD sites are defined to correspond with physical locations. If they aren’t, or if you are using Windows 10 1511, you can instead use the “Group ID” policy (delivered via site-specific GPOs) to segment PCs into more appropriate groups.
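To see which download mode a given PC is actually using, the SKU defaults and the tweaks described above can be checked from the registry. The following PowerShell is an added example, not code from the original article or from Microsoft. The function names are hypothetical, and the policy registry paths and the mode numbers other than 1 and 3 are not stated on this page.

```powershell
# Added example. Modes 1 (LAN) and 3 (Internet) are from the article; the other
# numbers are the DODownloadMode policy values and are not stated on this page.
$ModeNames = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

function Get-RegValue($Path, $Name) {
    # Returns nothing when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-DoAssessment {
    param([string]$EditionId, $PolicyMode, [string]$GroupId, [string]$WsusServer, [bool]$BranchCache)

    # SKU defaults per the article. Assumption: EditionID values starting with
    # Enterprise or Education are the SKUs that default to LAN.
    $default = if ($EditionId -match '^(Enterprise|Education)') { 1 } else { 3 }
    $mode = if ($null -ne $PolicyMode) { [int]$PolicyMode } else { $default }

    $notes = @()
    if ($mode -eq 3) { $notes += 'Peers are not limited to PCs on the corporate network.' }
    if ($mode -eq 1) { $notes += 'LAN peers are matched by external IP; multi-site WANs may want Group mode.' }
    if ($mode -eq 2 -and -not $GroupId) { $notes += 'No Group ID set: grouping depends on AD sites (1607 only).' }
    if ($WsusServer -and $BranchCache -and $mode -ne 100) {
        $notes += 'WSUS plus BranchCache: consider Bypass mode on 1607.'
    }

    [pscustomobject]@{
        Edition      = $EditionId
        Source       = if ($null -ne $PolicyMode) { 'Policy' } else { 'SKU default' }
        DownloadMode = $mode
        ModeName     = $ModeNames[$mode]
        GroupId      = $GroupId
        WsusServer   = $WsusServer
        Notes        = $notes -join ' '
    }
}

$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$facts = @{
    EditionId   = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'EditionID'
    PolicyMode  = Get-RegValue $do 'DODownloadMode'
    GroupId     = Get-RegValue $do 'DOGroupId'
    WsusServer  = Get-RegValue $wu 'WUServer'
    BranchCache = (Get-Service PeerDistSvc -ErrorAction SilentlyContinue).Status -eq 'Running'
}
Get-DoAssessment @facts | Format-List
```

Run it in a local PowerShell session on the PC being checked; a `Source` of "SKU default" means no Delivery Optimization download mode policy has reached that machine.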
See https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-updates and https://technet.microsoft.com/en-us/itpro/windows/plan/setup-and-deployment for more background on Delivery Optimization.