locked
Windows Update Delivery Optimization Download Settings Appear To Be Ignored RRS feed

  • Question

  • I have a completely new Windows Server 2016 lab environment.  I have installed a dedicated WSUS server and want all updates to be delivered from it, for Windows 10 and Windows Server 2016.  I have followed the standard installation process and configured GPO to configure the Windows Update and Delivery Optimization settings.  It seems that the "Download" setting is ignored, as I can change it to any of the available settings, and no matter what it calls Internet based servers and wants to download updates from Microsoft servers.  Because Internet traffic is not permitted the update fails, and I get a "retry" button.   Reviewing the Windows Update Logs clearly shows it failing to connect because of the network restrictions.

    I have drained the Internet for answers without any luck.

    Thanks in advance

    Sandy Millar

     

    Sandy

    Thursday, April 6, 2017 12:45 PM

Answers

  • Hi Sandy_Millar,

    Glad to hear you have solved the issue and thanks for your feedback. Then, you may mark the solution as answer, so that the most useful information can be highlighted and this case can be ended :)

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Sandy_Millar Tuesday, April 18, 2017 6:24 AM
    Tuesday, April 18, 2017 5:46 AM

All replies

  • All my testing has so far been with Windows Server 2016, not Windows 10.

    Further investigation has shown that Windows Server 2016 doesn't have the Delivery Optimization registry settings that Windows 10 has.  Does this suggest that Windows Server 2016 doesn't use Delivery Optimization. 


    Sandy

    Friday, April 7, 2017 9:36 PM
  • Hi Sandy_Millar,

    >  I have installed a dedicated WSUS server and want all updates to be delivered from it, for Windows 10 and Windows Server 2016.

    If you want all updates are downloaded from WSUS server, then, we need to turn off "Delivery Optimization settings".

    Delivery Optimization service is used to find peers which in addition to WSUS server to provide the update content.

    https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/

    >Because Internet traffic is not permitted the update fails, and I get a "retry" button.

    Where does the WSUS server sync and download updates from, internal upstream WSUS server or Microsoft Update, we need to ensure the WSUS server has downloaded the updates needed by clients, then, clients can download updates from WSUS server.

    >Does this suggest that Windows Server 2016 doesn't use Delivery Optimization. 

    Delivery Optimization is for win10 1511 and win10 1607, not Server 2016.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 11, 2017 8:36 AM
  • Thank you for replying to my question.

    I understand how DO works, however I could find anything definitive statement regarding W2K16.  Thanks for the clarification.

    Looking at my W2K16 WSUS update issue.  I have a new installation of of WSUS, that syncs directly from Windows Update.  My expectation is that when I check for updates the W2K16 server will contact the local WSUS server, the download any outstanding approved updates.  What I do see if the W2K16 server accessing the local WSUS server, then almost immediately it tries to connect to Microsoft internet hosts, and after about 5 minutes those connection appear to time out, the update fails and returns a "retry" in the Updates Status.  This is confirmed by the WindowsUpdateLog.  Everything works fine if I allow Internet access.

    Further investigation, led me to the "Do not connect to any Windows Update Internet locations" GPO setting. When this GPO setting is set, the W2K16 server immediately fails and displays the "retry" when attempting an update.  This suggests that the default setting is to retrieve updates from the Internet.

    All help gratefully excepted.

    Kind regards

    Sandy Millar 

       

      

    Tuesday, April 11, 2017 12:19 PM
  • Hi SandyMillar,

    On the WSUS server, please check if you select "Do not store updates files locally; computers install from Microsoft Update" in Option>Update files and Languages. If yes, then, WSUS clients will turn to Microsoft Update to download the update files when they detect needing updates from WSUS server.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 13, 2017 2:33 AM
  • Hi Anne

    The WSUS server is configured to store approved update files locally including express installation files.

    Kind regards

    Sandy Millar

    Thursday, April 13, 2017 3:27 AM
  • the DO service isn't installed on WS2016 - it uses BITS, so if your servers are trying to go out to the internet I would suggest that it's a WSUS GPO setting that's incorrect..

    cheers

    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    Thursday, April 13, 2017 9:23 AM
  • Hi Sandy Millar,

    Agree with Phil Wilcock, please also show us the AU settings in registry keys, which locates in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 14, 2017 1:55 AM
  • Hi Anne and Phil

    I am fairly sure that it the WSUS configuration and GPO's are OK, as there are W2K12R2 servers on the same network, that are working as expected.  Nevertheless, here is a screenshot of the current settings.

      

    The Internet URL's that the WSUS client wants to connect to are:-

    https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx

    HTTPS://sls.update.microsoft.com/SLS/{9482F.......

    Earlier I mentioned that when I enable "Do not connect to any Windows Update Internet locations", then WSUS fails immediately, I am wondering if there is a W2K16 specific setting or behavior in play.


    Sandy

    Friday, April 14, 2017 7:56 AM
  • hi Sandy,

    did you read this article? - thinking it could be the 'Dual scan' issue? And yes - looks like it could be a specific WS2016 setting

    https://argonsys.com/learn-microsoft-cloud/library/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/

    do you have these reg settings as per the article?

    [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU]

    “NoAutoUpdate”=dword:00000001

    “UseWUServer”=dword:00000001


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    Friday, April 14, 2017 9:12 AM
  • Hi Sandy_Millar,

    Just to check if the above reply could be of help? Welcome to feedback.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 17, 2017 7:35 AM
  • Hi Anne and Phil

    I spotted that one, it didn't appear to make any difference.

    I have broken out Message Analyzer to watch what Windows Server 2K16 is doing when an update scan is selected.  Interestingly, it backed up my previous observations, where the WSUS client is requesting DNS addresses for a variety of Microsoft content servers.  However, I can see the client trying to connection to http://ctld.windowsupdate.com, instead of the local WSUS server.  And when that fails it reports back to the local WSUS server.  

    I have rolled back the GPO with the WSUS configuration and opening up the firewall, which as expected worked as it should.  I am now going to roll out a new GPO with the absolute minimum settings to see what happens and the firewall locked back down.  I did find a number of articles that suggesting that certain settings combinations could be the problem.  I am also looking at the various client logs as they are reporting 80072efe, 0x8024401c and 0x8024500c errors, as they could be the cause or symptom. I hope to bottom that out.

    Thanks again for you help.

    Sandy Millar


       


    Sandy

    Monday, April 17, 2017 12:19 PM
  • SOLVED

    As discussed, I creates a new GPO for Windows Update settings, using the minimum of settings (see below)

    .

    I was surprised that it worked, with all communication going to the WSUS server.  Some background articles I found indicated that certain setting combinations caused issues like the previously described symptoms.  This suggests to me that there are issues with the new W2K26 update method, and care is required when configuring WSUS and "less is better".  The original GPO I used was a copy from another environment which was W2K12R2 only.  

    When I get a moment I will try out different settings combinations and see what happens.    

    Thanks Phil and Anne for your help, you were both right, it was the GPO, but in an unexpected way.    

    Very kind regards

    Sandy Millar


    Sandy

    Tuesday, April 18, 2017 4:33 AM
  • Hi Sandy_Millar,

    Glad to hear you have solved the issue and thanks for your feedback. Then, you may mark the solution as answer, so that the most useful information can be highlighted and this case can be ended :)

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Sandy_Millar Tuesday, April 18, 2017 6:24 AM
    Tuesday, April 18, 2017 5:46 AM
  • useful info Sandy, thanks for reporting back with your results - these mixed legacy/new GPOs are proving to be a minefield!

    Phil


    Phil Wilcock http://2pintsoftware.com @2pintsoftware

    Tuesday, April 18, 2017 6:36 AM
  • Hey Sandy, what was the configuration for your Delivery optimazation? I have the same issue here
    Thursday, April 20, 2017 1:13 PM
  • Hi there

    It appears that any DO setting cause issues with W2K16, so I suggest not to set any DO options.


    Sandy

    Thursday, April 20, 2017 9:37 PM