News

Windows 10 Update Service Poses Client Management Issues

• By Kurt Mackie
• January 18, 2017

Administrators managing PC updates and network bandwidth issues could run into some snags when using Microsoft's Windows 10 update services.

Organizations typically use Microsoft's Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) to tightly manage Windows 10 clients, including limiting when those clients update. However, IT pros can lose control over when these updates arrive if they use certain values in the registry that are associated with Microsoft's Windows Update for Business solution.

Using those values will cause Windows 10 clients "to also reach out to Microsoft Update online to fetch update bypassing your WSUS/SCCM end-point," explained Shadab Rasheed, a technical advisor for Windows devices and deployment at Microsoft, in a blog post this month.

Rasheed noted that the following registry values are intended for use with the Windows Update for Business service, but they will invoke the Microsoft Update service if used with WSUS or SCCM:

• DeferFeatureUpdate
• DeferFeatureUpdatePeriodInDays
• DeferQualityUpdate
• DeferQualityUpdatePeriodInDays
• PauseFeatureUpdate
• PauseQualityUpdate
• DeferUpgrade
• ExcludeWUDriversInQualityUpdate

WSUS or SCCM users wanting to regain control over Windows 10 client updates should verify that those Windows Update for Business values aren't showing up in the Group Policy for Windows Update, Rasheed added.

Windows Update for Business has client management capabilities but it's mostly focused on ensuring that Windows 10 clients are "always up to date with the latest security defenses and Windows features," Rasheed explained. It does so "by directly connecting these [Windows 10 client] systems to Windows Update service." Consequently, it can trip up organizations whose intent was to restrict Windows 10 updates by using WSUS or SCCM management tools.

The issue came up because some organizations found that their Windows 10 clients managed by WSUS or SCCM were still dialing out to get content from Microsoft's content delivery networks.

Rasheed noted another possible reason why an organization's bandwidth gets tapped to connect with Microsoft's content delivery network. Organizations could have Windows Store applications installed. Windows Store apps typically will try to download updates at various times. They tap Microsoft's URL known as "tlu.dl.delivery.mp.microsoft.com." However, a rule has to be in place for the proxy server so that just the changed bits get delivered for Windows Store apps, instead of all of the bits.

Rasheed explained how to set up that rule. An organization's proxy server should support HTTP RANGE requests for the following URLs:

• .download.windowsupdate.com
• .au.windowsupdate.com
• .tlu.dl.delivery.mp.microsoft.com

With those HTTP RANGE request settings in place, just the "deltas," or the changed bits, for the applications will get delivered.

Microsoft doesn't recommend trying to disable the Windows Store as an approach to such bandwidth issues. Doing so "breaks the entire store and makes it inaccessible for the clients," Rasheed explained.