Introduction
Windows Updates have always been a priority for Systems Administrators. Ensuring these updates are automatically installed on workstations has been pretty straight-forward in an Active Directory domain, by utilising Group Policy configurations. The issue arises for users when an update is downloaded during business hours, and floods the site network link.
Windows 10 has even introduced larger-sized updates in the form of versions; for example Version 1803. Although these updates are fantastic and add new features, their size increases the risk of flooding site links even more. This is what Microsoft is calling ‘Windows as a Service’.
Various solutions exist for enterprises to overcome flooding of a network link. These can include Microsoft System Center Configuration Manager (SCCM), Microsoft Intune and other third-party applications. Windows Server Update Services (WSUS) is another option, but it would only help stop the link from flooding if there was a local WSUS repository at each site.
Small businesses (and even medium businesses) don’t always have the luxury of running Enterprise-class patching software. So there needs to be another solution to accommodate them; it needs to be cheap (or free), simple to set up and require little (or no) maintenance.
Solution
Microsoft has come to the party with some really good feature updates in their more recent versions of Windows 10. The new Windows Update feature that I’m personally interested in is called Delivery Optimisation. I go into more depth later in this article, discussing what options we now have. The key items I have found that are of interest are, firstly, throttling bandwidth usage (via kilobytes or percentage of available bandwidth) and applying that to timeframes. Next is the ability to download Windows updates from other computers at the same site; so in theory only one computer per site is required to download updates from Microsoft.
To the user this will be seen in a similar fashion to the screenshot below, in the Windows Update settings on their computer. It is hidden under Advanced Options, but is there. The second screenshot shows the Advanced Options available, which enhances the new features even further.
I won’t go into details on the above desktop settings; instead I’ll go through the Group Policy configuration, as this is where the majority of System Administrators will be configuring Windows Updates.
Implementation
Windows 10 group policies are constantly being updated by Microsoft, so you need to ensure you have the latest Administrative Templates to get all the configuration items. As of writing this article, the current edition of Windows 10 is Version 1803, and the Administrative Templates are at the same version.
The Administrative Templates can be downloaded here:
https://www.microsoft.com/en-us/download/confirmation.aspx?id=56880
Once you have copied these to your central or local repository, you can begin configuring Delivery Optimisation. I have made the assumption that Windows Update policies in your Group Policy have already been configured. Delivery Optimisation settings can be found in Group Policy in the below section:
Computer Configuration->Policies->Administrative Templates->Windows Components->Delivery Optimization
I have summarised the key configuration items below:
Configuration Item | Comments |
Maximum Download Bandwidth (percentage) | I use this, as other bandwidth policies require Windows 10 Version 1803. Can be removed once all computers are on Version 1803 |
Set Business Hours to Limit Background Download Bandwidth | Percent of available bandwidth to use for background Windows Updates and the time-windows this applies to (custom times for business hours) |
Set Business Hours to Limit Foreground Download Bandwidth | Percent of available bandwidth to use for foreground Windows Updates and the time-windows this applies to (custom times for business hours) |
Download Mode | I have set this to Group 2, as that will ensure downloading from other computers that are in the same Active Directory site |
Select the source of Group IDs | I have set this to 1, as that will ensure downloading from other computers that are in the same Active Directory site |
There are various other configuration items that you will want to review. The link below details all configuration items and also the minimum required Windows 10 Version.
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization
Monitoring
On a workstation you can check various items as detailed in the screenshot below. This can assist with diagnostics of policies, but unfortunately is a per-workstation console. Bandwidth usage monitoring tools for the whole site are a much more efficient way to see Windows Update utilisation on a site link. Activity Monitor can be found in the console below:
Settings->Windows Updates->Advanced Options->Delivery Optimization->Activity Monitor
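To confirm from PowerShell that the Download Mode and Group ID source values from the configuration table actually reached a workstation, and to read the same per-workstation download statistics without opening the Settings console, the following added example (not part of the original article) reads the Delivery Optimization policy registry key and summarises `Get-DeliveryOptimizationStatus`. The function names `Test-DOPolicy` and `Get-DOSourceSummary` are hypothetical; the bandwidth and business-hours settings are not checked because the article does not state the values chosen.

```powershell
# Added example, not from the original article. Function names are hypothetical.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Intended values, taken from the configuration table in this article.
$expected = @{
    DODownloadMode  = 2   # Download Mode: Group
    DOGroupIdSource = 1   # Source of Group IDs: Active Directory site
}

function Test-DOPolicy {
    param([string]$Key, [hashtable]$Expected)
    # A missing key means no Delivery Optimization policy has applied here.
    $applied = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($applied) { $applied.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Ok       = ($null -ne $actual) -and ($actual -eq $Expected[$name])
        }
    }
}

function Get-DOSourceSummary {
    # Each object is one Delivery Optimization download job on this computer.
    $jobs = @(Get-DeliveryOptimizationStatus)
    $peer = [double]($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
    $http = [double]($jobs | Measure-Object -Property BytesFromHttp -Sum).Sum
    $total = $peer + $http
    [pscustomobject]@{
        Jobs        = $jobs.Count
        MBFromPeers = [math]::Round($peer / 1MB, 1)
        MBFromHttp  = [math]::Round($http / 1MB, 1)
        PeerPercent = if ($total -gt 0) { [math]::Round(100 * $peer / $total, 1) } else { 0 }
    }
}

$results = Test-DOPolicy -Key $policyKey -Expected $expected
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'Delivery Optimization policy differs from the intended values; run gpresult /r to check GPO application.'
}
Get-DOSourceSummary | Format-List
```

A `PeerPercent` that stays at 0 on every workstation at a site suggests the computers are not finding each other as peers and each one is still downloading over the site link.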
Conclusion
Windows 10 patching is an essential item for System Administrators. Microsoft has come a long way with their latest Delivery Optimisation additions. By tweaking settings via Group Policy, even small businesses can optimise their bandwidth usage for Windows Updates. The configuration is straightforward and the results can assist greatly in improving the end user experience; that is, if their site link is important to day-to-day work of course.
Subject Matter Expert
With over 20 years in the IT industry, Paul brings expertise in implementing Cloud solutions for a broad range of clients.