Windows Delivery Optimization: Whose Machine Is It Anyway?
In recent weeks, Windows 10 has made some significant changes to the way it delivers Windows Updates. While the Windows Update service itself still remains, the mechanisms by which those updates are delivered have been significantly revamped, and, unfortunately, come with a few bugs baked in.
The feature in question is called “Delivery Optimization”, and is a system service that is apparently intended to replace the Background Intelligent Transfer Service (BITS). What both do is regulate how Windows Updates are acquired, controlling not only how and when updates are downloaded, but also the amount of bandwidth consumed while doing so. BITS was pretty efficient at this task, typically running during idle, or after-business hours (if a PC was left on), and never consuming more than a fraction of available bandwidth at any given time.
Delivery optimization, however, does things a little differently, introducing two new aspects that trigger concerns severe enough to merit immediate attention. This is the first in a two-part article looking into the new changes, and what they can mean for systems administrators.
First, a little additional background on what, precisely, Delivery Optimization does…
According to Microsoft’s FAQ, Delivery Optimization
…lets you get Windows updates and Windows Store apps from sources in addition to Microsoft. This can help you get updates and apps more quickly if you have a limited or unreliable Internet connection. And if you own more than one PC, it can reduce the amount of Internet bandwidth needed to keep all of your PCs up-to-date. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet.
Take note of the phrase, “from sources in addition to Microsoft”. What Microsoft means by this is that Delivery Optimization will now use your PC (and any others in the network vicinity) as a sort of virtual Windows Update host. Again, from the Microsoft FAQ:
Delivery Optimization downloads the same updates and apps that you get through Windows Update and the Windows Store [and] stores files that it has downloaded in [a local] cache for a short period of time. Depending on your settings, Windows then send (sic) parts of those files to other PCs on your local network or PCs on the Internet that are downloading the same files.
Depending on your firm’s network security protocols, this may or may not be such a great idea. On the one hand, using your local network “neighbors” as an alternate download source would, in fact, likely accelerate the download process as the number of network hops between your machine and Bob’s in accounting is far fewer than, say, yours to a potentially congested update server in Redmond, Washington. But a wise administrator would ask himself two questions: 1) “When did I give Microsoft permission to use my equipment as a subsidiary device?”, and 2) “Do I trust Bob’s machine, or some stranger’s on the Internet to be as secure a source as a Microsoft owned and administered server?”
The first problem here lies with Microsoft’s assumption that your computer, or, more significantly, your company’s equipment, is subject to Microsoft’s needs – that your bandwidth, your disk space, and your CPU’s processing power and time are theirs to co-opt at will. This kind of careless disregard for ownership is starting to become common practice in the tech world (see Comcast’s efforts to co-opt personal wi-fi networks to broaden its coverage base), and, in my opinion, merits a little push-back.
The second problem is one of simple security: How does one know if all of these newly available sources for Windows updates are, in fact, offering up legitimate Microsoft updates, versus a host of malware injected look-alikes that could seriously compromise the integrity of a home or business network? The Microsoft FAQ offers this assurance:
Windows Update uses information obtained securely from Microsoft to validate the authenticity of files downloaded to your PC. Delivery Optimization also checks the authenticity of each part of an update or app that it downloads from other PCs before installing it.
Is that satisfactory for you? Is it satisfactory for your business?
Another area of concern is in how Delivery Optimization currently works. When enabled (under Settings->Update & Security->Windows Update->Advanced Options), Windows will poll both Internet-based servers and other machines to see what updates might be available, then download from whichever source or sources it determines to be viable. The problem comes from the way it does this. Under its current iteration, when the service activates, it immediately consumes as much as 99% of all available bandwidth as it searches, identifies hosts, updates its internal manifests, and begins both synchronizing and downloading updates among the many machines it has identified as suitable hosts. Whether this is by design, or just a simple oversight on the developers’ part, the problem is particularly acute on lower-bandwidth connections (such as DSL or T-1), where the consumption of 99% of a 1.5 Mbps connection translates into a reduction to speeds reminiscent of early dial-up. Pages that once loaded in a flash now trickle into view, and connectivity to remote hosts becomes wildly unstable.
Thankfully, though, there are some steps you can take that will enable you to both take back a little control over how your equipment is used, and define an alternate method for acquiring updates.
First, you can disable Delivery Optimization altogether. Again, go to Settings->Update & Security->Windows Update->Advanced Options->Choose how updates are delivered, and switch the toggle to off:
Next, you can temporarily set Windows to revert back to using the much more efficient BITS service to handle Windows Update downloads. To do this, open the Group Policy Editor by clicking Start->Windows System->Command Prompt (or, right-click on Start and select the “Run” command), enter “gpedit.msc” and hit Enter. In the window that appears, navigate to the Local Computer Policy->Computer Configuration->Administrative Templates->Windows Components->Delivery Optimization folder:
Click on this folder and you will see sixteen options for controlling the service, the third of which should be Download Mode. Double-clicking this value will open the editor screen, which contains a single drop-list of modes the service can utilize, with descriptions for each displayed in the help area:
The last option, “Bypass (100)”, will disable the current iteration of Delivery Optimization and revert to the old method of using BITS instead. Apply the changes, reboot your computer, and your bandwidth consumption should return to normal levels.
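The same change can be audited and applied from an elevated PowerShell prompt, which is handy when you have more than a handful of machines to fix. The script below is an added example and is not part of the article or of any Microsoft tooling. It assumes the Download Mode policy the Group Policy editor writes lives as a DWORD named DODownloadMode under the HKLM Policies key shown, that the Settings-app toggle state is recorded under the CurrentVersion Config key, and that the mode numbers match the drop-list in the editor (HTTP only = 0, LAN = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100); verify those names against your own build before rolling it out.

```powershell
# Added example (not the article's own steps): audit the current Delivery
# Optimization Download Mode and pin it to Bypass (100) via local policy.
# Run from an elevated prompt; reboot afterwards, as the article advises.

# Assumed locations: the policy key gpedit writes, and the key behind the
# Settings-app toggle. Confirm both on your build before trusting the output.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'

# Mode numbers as shown in the Group Policy drop-list help text.
$ModeNames = @{
    0   = 'HTTP only (no peering)'
    1   = 'LAN peering only'
    2   = 'Group peering'
    3   = 'Internet peering (the behaviour the article describes)'
    99  = 'Simple (HTTP only, no cloud lookups)'
    100 = 'Bypass (fall back to BITS)'
}

function Get-DODownloadMode {
    # Returns the DODownloadMode value under $Path, or $null if unset.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'DODownloadMode' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DODownloadMode
}

function Show-DOState {
    # Report what policy and the Settings toggle each say, with a plain-English name.
    foreach ($entry in @(@{Label='Policy  '; Path=$PolicyKey}, @{Label='Settings'; Path=$ConfigKey})) {
        $mode = Get-DODownloadMode -Path $entry.Path
        $name = if ($null -eq $mode) { 'not set (defaults apply)' }
                elseif ($ModeNames.ContainsKey($mode)) { "$mode = $($ModeNames[$mode])" }
                else { "$mode = unknown value" }
        Write-Output ("{0}: {1}" -f $entry.Label, $name)
    }
}

function Set-DOBypass {
    # Write Download Mode = Bypass (100) as a machine policy. Policy wins over
    # the Settings-app toggle, so the toggle cannot silently re-enable peering.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'DODownloadMode' -PropertyType DWord -Value 100 -Force | Out-Null
    Write-Output 'Download Mode pinned to Bypass (100); reboot for the service to pick it up.'
}

Write-Output '--- before ---'
Show-DOState
Set-DOBypass
Write-Output '--- after ---'
Show-DOState

# On builds that ship the DeliveryOptimization module, this shows any
# in-flight transfers and their sources, which is a useful post-reboot check.
if (Get-Command Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue) {
    Get-DeliveryOptimizationStatus | Format-Table -AutoSize
}
```

Writing the value under the Policies hive rather than flipping the Settings toggle is deliberate: a machine policy takes precedence over the per-device toggle, so a user cannot turn peering back on from the Settings app, and the same script can be pushed through your existing management tooling to every PC on the segment.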