Notes from Reduce the Network Impact of Windows 10 Updates session at Microsoft Ignite (BRK3145)

Here are notes from Reduce the Network Impact of Windows 10 Feature and Quality Updates Using Peer-to-Peer Tech (BRK3145) session at Microsoft Ignite 2016, compiled by Ami Arwidmark (@AArwidmark).

Video: http://www.youtube.com/watch?v=tY6Deq0k0Lo

Changes in the way Windows 10 is delivered:

http://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/

Insider Preview program

• Regular release of new builds to track progress and features
• In Place upgrade to deploy feature updates
• Overall servicing for monthly updates has changed

Link: http://aka.ms/waas – Documentation for Updating Windows 10 in the enterprise

Quality Updates vs. Feature Updates

Quality Updates

• Monthly updates that are fully cumulative (each one also contains previous fixes with new fixes)
• These updates because they are cumulative, grow over time
• Currently at 1GB but expected to grow

Feature Updates

• Contain new features and are released 2/3x per year
• 2017 will have 2 of these type updates
• Full sets of media, not just CU packages
• x64 ~3.5GB in each update

Windows 10 Size Solutions

Quality Updates

Express packages (simplest way)

• WU, WU4B, WSUS the agent can just DL specific changes for each monthly change
• If using 3rd party for this, you will have to DL the entire package, not just the delta changes

P2P distribution

• Instead of connecting to a DP/central server, have an endpoint elsewhere on the network DL and share the content with the rest of the PCs on that network
• Shifts network traffic out to the edges of the network so it doesn't get saturated

Bandwidth throttling

• BITS throttling – restrict rate to spread it out over time

Scheduled distribution

• Maintenance windows to allow distribution of servicing outside of business hours

Feature Updates

P2P distribution

Bandwidth throttling

Scheduled distribution

Limited delta upgrade technology (feature)

• An added capability to come to Windows late 2017 to shrink 3.5 GB into "something smaller"

WU Express Packages

• Express packages read cabs to version compare and install anything new
• WU agent reads header info to figure out what is there and what's missing
• DLs specific byte ranges (off sets) from that file – essentially only what it needs
• WU/WU4B – done directly from WU service
• Proxy server needs to support byte range transfers over http
• If proxy doesn't support it, then it defeats the purpose so it will download the entire package, not just the offsets
• Currently not usable in SCCM
• Not usable for feature updates – media is completely new, no deltas available

Distributing content P2P

• Goal is to shift traffic away from central part of network out to edges – 90% traffic moves out and relieves central network bottlenecks

WSUS/SCCM – BranchCache (Full feature set is in Enterprise, in Pro it can do BITS transfers)

Delivery Optimization (new in W10 1511, 1607)

• Internet based service that client workstations ping to get a list of computers (by IP Address) that would have the content needed already on the network (works great for WU, WSUS, and WU4B because before the client goes there, it checks the service first)
• SCCM 1609 TP – 1 CM client can download the entire package and share with the rest of the clients.

BITS Throttling

• Policies that define how much bandwidth the computers can use (can specify bandwidth and time ranges only) – only applies for content coming from the server.  BranchCache can go full speed.
• SCCM gives control on site to site, when PCs can see the content, download the content, install the content
• Win10 1607 active hours – primarily to control when the PC can reboot (not when it can install) similar to SCCM maintenance windows

More on Delivery Optimization

• Requires internet access
• If client can't get to DO it falls back to traditional methods (WSUS, etc.)
• P2P distribution mechanism that works WITH WU service
• Reduces need for all endpoints to DL content from the internet
• Content is shared across the private network

How it works:

• Client A checks for updates
• WU returns the update info
• Client A then asks WU for download sources
• Sources:  WU Content Server, other clients on your network
• Client A requests specific small pieces of the update file from WU and those clients on the network who already have that content
• Client A will check the hash of each update file and discard mismatching hashes
• Client A checks the hash of the entire file before installing

Policies available for Enterprise SKU

• LAN mode = just look at the PCs on a particular subnet
• Group mode = look at x, y, z PC (preferred cache devices) (default = AD site boundary)
• Policies for admins
  • group by location
  • control bandwidth
  • configure cache size
• In 1511 and 1607 it is used by default even with WSUS
  • client asks the DO service for avail peers before dl content from WSUS
  • Policy available to bypass DO and just use BITS

TechNet article: "Configure Delivery Optimization for Windows 10 updates" http://technet.microsoft.com/en-us/itpro/windows/manage/waas-delivery-optimization

More on BranchCache

• Win10 Pro enabled for BITS transfers
• Full feature set avail in Enterprise
• Recommended use = distributed cache mode which requires no infrastructure because content sharing is done by the PCs that already exist on the same network segment
• Simple to configure via GP
• Turn on for clients and then configure the firewall rules
  • Clients can retrieve content
  • Clients can discover each other
  • Don't need to configure hosted cache
• Add BranchCache feature on servers for WSUS
• Simple check box in SCCM to turn it on
• Server side Data Deduplication is supported

Biggest challenge is to see if it is doing any good

• New event log entries in W10 tell you:
  • how many bytes came from server
  • vs how many came from a Peer

Niehaus PowerShell script: (coming soon)

• SCCM TP 1609 shows an at a glance chart of where the content comes from
• 2PintSoftware BranchCache Monitoring Tool https://2pintsoftware.com/products/branchcache-monitor

Updating Tools

Windows Update:

• Express packages
• P2P
• BITS throttling
• Active hours

WU4B

• Express packages
• P2P
• BITS throttling
• Active hours
• Additional deferral features

WSUS

• P2P with BranchCache
• Express packages
• BITS throttling

NOTE: NA for LTSB FU's

Requires:

WSUS 4.0 (Server 2012 or above with KB3095113)

Important note: http://blogs.technet.microsoft.com/configurationmgr/2015/12/04/if-you-use-wsus-you-should-read-this-important-update-for-wsus-4-0-kb-3095113/

SCCM

Requires:

• WSUS 4.0
• SCCM 1602 or later

Capabilities:

• Multiple P2P
• Schedule distribution,
• Alternate content providers
• BITS throttling
• Express packages (future)

3rd party tools

• Most won't be able to provide support for express packages – this is an API limitation

The Future

• Limited delta upgrade tech
• Hope to reduce footprint by 1GB (late 2017 earliest)
• Will require changes in tools to support this (so keep your stuff reasonably up to date!)
• Expanded support for express updates
• SCCM peer caching

For more info

Configure Delivery Optimization for Windows 10 Updates
http://technet.microsoft.com/en-us/itpro/windows/manage/waas-optimize-windows-10-updates

Configure BranchCache for Windows 10 Updates
http://technet.microsoft.com/en-us/itpro/windows/manage/waas-branchcache

Manage updates using Windows Update for Business
http://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb

Manage Windows 10 updates using Windows Server Update Services (WSUS)
http://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wsus

Manage Windows 10 updates using System Center Configuration Manager
http://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-configuration-manager

Q&A

Q What should you do with O365 patches
A "it depends" SCCM is implementing O365 update integration

Q: Mechanism in place to prevent initial start of download for SCCM clients using BranchCache?
A Easiest – prestage content on at least 1 PC per segment or ring deployment of updates – deploy day zero to a group (IT), day 2 to another group (pilot), keep expanding on that so available peers is a large population

Q Disk space optimization? Workstation Dedup?
A BranchCache automatically dedups, delivery opt service and SCCM P2P does not

Q Windows.old folder
A This folder looks large because of the hard links – gets created by each feature update install 1511 deletes 30 days 1607 10 days – when it deletes you can no longer roll back – you can manually clean it no way to automate it

Q Exclude patch due to problems – how do you handle it with CUs
A issue with a patch – call MS Support this is why you should try to stay in the Current Branch window – gets fixed fastest here, slows down in CBB, not deploying just 1 update leaves a security hole forever. Updates are also released on third Tuesdays to give you time to validate non-security fixes – sign up for SUVP to get pre-released security releases – requires NDA

Link: http://technet.microsoft.com/en-us/security/gg309155

Q Will any features work with W10 Mobile?
A W10 mobile already does delta upgrade

Q Feature CU vs. security FU cadence
A This is for Win 7/8.1. Two updates per month + 3rd Tuesday. 1 security only with all updates for that month. 1 rollup with all security updates plus all other updates (security and non-security) for previous months. +3rd Tuesday new non security updates

Q Clients that only connect by VPN – how do you deliver updates to them without burning the network point where they connect
A for servicing over metered connection: Use express updates. Feature updates – defer them until there is a time when it's doable – do they ever connect to a higher speed network – do they come to the office quarterly, annually? Or use LTSB release that just isn't going to be updated.

Q When a peer goes offline, what happens?
A BranchCache – use multi peers. Delivery Optimization – use multi peers. SCCM – fallback point

Q Surface device – standardization to reduce downloads when it's not powered up (standby)
A standby mode blocks download using WU Agent + SCCM client because they aren't modern apps. Schedule wake ups for patching (set active hours policies). Windows 7/8.1 Servicing Simplify overall update for legacy OSes as well. Looking for a model with fewer updates released each month. Will look to reduce fragmentation in the environment