Slashdot Mirror


Microsoft Windows Update and Network Bandwidth?

Brett Glass asks: "As we reviewed the cache statistics for our small ISP today, we noted that the traffic generated by Microsoft's Windows Update feature constituted 45% -- no, that's not a misprint -- of our total throughput. Because so many computers on the Internet run Windows, this massive resource drain occurs whenever Microsoft announces major security holes (as it did this week). The traffic could be greatly reduced, and service to users much improved, if the updates were cacheable at the ISP. But Microsoft has set up the service in such a way that the data can't be cached. (It's digitally signed, so inserting Trojans into the cache is virtually impossible; in any event, no more of an issue than intercepting the data stream.) Are others out there seeing the same pattern? How might Microsoft be convinced to make its updates cacheable, so as not to waste unthinkable amounts of bandwidth?"

14 of 144 comments

  1. can't be cached? by greck · · Score: 5, Informative

    I can only speak from what I've seen in our offices, but squid (running in transparent proxy mode) very definitely caches content from Windows Update... I set it up about six months ago and remember being really surprised (because I think I very reasonably expected it not to).

    1. Re:can't be cached? by Blkdeath · · Score: 4, Informative
      I can only speak from what I've seen in our offices, but squid (running in transparent proxy mode) very definitely caches content from Windows Update... I set it up about six months ago and remember being really surprised (because I think I very reasonably expected it not to).

      Our store Squid server caches the likes of IE 6.1, Media Player and DirectX, but the vast majority of the Critical/Security updates are not cached. Our connection is quick enough to handle it, but a PITA nonetheless due to the dozens of machines requiring updates every week.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    2. Re:can't be cached? by bobibleyboo · · Score: 5, Informative

      I can also vouch for this. I had a Linux Mandrake SNF server running a transparent squid server (with a little tweaking to the max file size and the average file size), and I was able to cut out about 90% of the Windows Update traffic at the site (the site had about 200 users). None of the transactions were cached, but when it came to downloading the updates and service packs it works wonderfully.

    3. Re:can't be cached? by lifeless · · Score: 3, Informative

      Well, the sites I run happily cache all the updates available via Windows Update. The only thing that doesn't cache is the https:// transfers (which I understand to be the catalog of available fixes).

      You might want to analyze exactly what is occurring in your site(s).

      Cheers,
      Rob
      (Squid core developer)

    4. Re:can't be cached? by Wolfrider · · Score: 5, Informative

      --Check your squid.conf, and look for:

      # TAG: maximum_object_size (bytes)
      # Objects larger than this size will NOT be saved on disk.

      # maximum_object_size 4096 KB
      maximum_object_size 32767 KB

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  2. there is the way that large corporations do it by rritterson · · Score: 4, Informative

    Here at Berkeley all of the Windows updates come from an internal server instead of externally. That way they control who gets the updates and when.

    You can download the updates individually, and there is probably a way to have them downloaded to the server automatically. All you have to do is convince the users to download them from you and install them manually. Can you block traffic from the autoupdate applet? I bet that would significantly reduce traffic, at the cost of insecure customers.

    What about running an internal WU server and changing the DNS entry at the local level to a local server? You'd have to keep the catalog of updates stocked and refreshed constantly, for multiple OS's, so I don't know how cost effective it might be.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  3. Several options available by questionlp · · Score: 5, Informative
    There are a couple of options that you can choose to help reduce the amount of bandwidth used to pull down and install Windows Updates. The first one, which is available for free and runs on Windows 2000 Server, is Microsoft's Software Update Services which allows you to create a local store of the updates (for any language and all supported platforms) and point the client Windows Update to the internal server. It's not perfect but it works in a lot of cases.

    Another option is to use a systems management package (LANDesk, ZENworks, SMS, etc.) to build the packages and deploy them while only using your internal network bandwidth (once you've downloaded the hotfixes anyway).

    Of course, the two options above are really meant for company networks, but even those can help reduce the bandwidth used for more important things.

  4. Out of my experience by jsse · · Score: 5, Informative
    Yes, you can't cache it. That saves Microsoft a lot of trouble and the trouble is on you. :)

    First step is to download the patches/updates manually and save them elsewhere accessible to all users:

    Second, we found that users would rather use windowsupdate.microsoft.com than go to our patches/update repository; that makes sense. You could forbid your users from accessing windowsupdate.microsoft.com, but it might have a problem, as some updates might actually request windowsupdate.microsoft.com during installation.

    Therefore, we limit the priority of traffic in/out of windowsupdate.microsoft.com. Eventually we lower the priority of the entire microsoft.com because that's really necessary. Users could access windowsupdate.microsoft.com on their own as usual - if they don't mind holding up their machines for a couple of days. :)

    This works great. Larger and bigger patches are stored locally for users, while they could still access windowsupdate for smaller patches/fixes. Our bandwidth load lessened (to a certain degree; we still can't solve that 5-15% NetBIOS traffic jam :)

    Hope this helps.
  5. Re:How big are these things? by tedDancin · · Score: 3, Informative

    Not being a windows user, how big are the windows updates and how often do they come?

    Since Microsoft release patches via Windows Update so frequently, they are usually fairly small. 1MB-5MB downloads are frequent, with the occasional 10MB+ one every now and then. There are updates practically every few days, so having a Windows Update Server running will negate the expense of everyone having to download redundant files.

    Some help about storing Windows Update files for later can be found here.

    --

    Ladies, form queue here -->
  6. Software Update Services by superyooser · · Score: 5, Informative
    Microsoft used to have a corporate Windows Update site where you could download all the patches as executable files. That site was retired last year in favor of something called Software Update Services. It requires running a SUS server and appears to distribute the updates only to systems running Windows 2000 or later.

    In the meantime, you should be aware that all the major service packs for Microsoft products can be downloaded as stand-alone executables. Also, the IE download page includes some critical updates. Make your own "cache" on the network, and let everybody get their updates from there.

    1. Re:Software Update Services by Brett+Glass · · Score: 4, Informative
      Microsoft's Software Update Services require you to modify all of the clients. Those that aren't modified still try to access Microsoft's Windows Update site.

      So, since ISPs can't administer their users' systems, this really isn't an answer. Caching is a much better solution.

  7. Stats for the past 24 hours are even worse.... by Brett+Glass · · Score: 3, Informative

    Just checked the stats for the past 24 hours (from a Squid cache). This time, *.windowsupdate.com generated 56.11% of the traffic, with a hit rate of only 2.37%. In short, Microsoft is eating (and expending!) huge amounts of bandwidth, and almost none of what is being transmitted can be cached. What a waste.
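
The figures quoted above (traffic share and hit rate for `*.windowsupdate.com`) and the `maximum_object_size` suggestion earlier in the thread can both be checked from Squid's own `access.log`. The following is an added example, not code from any poster in this thread; it assumes Squid's native log layout, and the log lines, client addresses and file names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1057000001.000 9000 192.0.2.10 TCP_MISS/200 6291456 GET http://download.windowsupdate.com/sp.exe - DIRECT/198.51.100.7 application/octet-stream
1057000002.000 800 192.0.2.11 TCP_MISS/200 524288 GET http://download.windowsupdate.com/a.cab - DIRECT/198.51.100.7 application/octet-stream
1057000003.000 800 192.0.2.12 TCP_MISS/200 524288 GET http://download.windowsupdate.com/b.cab - DIRECT/198.51.100.7 application/octet-stream
1057000004.000 20 192.0.2.13 TCP_HIT/200 1048576 GET http://download.windowsupdate.com/c.cab - NONE/- application/octet-stream
1057000005.000 700 192.0.2.10 TCP_MISS/200 4194304 GET http://www.example.org/big.iso - DIRECT/203.0.113.9 application/octet-stream
1057000006.000 10 192.0.2.11 TCP_MEM_HIT/200 4194304 GET http://www.example.org/big.iso - NONE/- application/octet-stream
"""

DEFAULT_MAX_OBJECT = 4096 * 1024  # the commented-out 4096 KB default quoted in the thread


def host_of(url):
    # CONNECT entries log "host:port" instead of a full URL
    return (urlsplit(url).hostname or url.split(":")[0]).lower()


def summarize(log_text, suffix, max_object=DEFAULT_MAX_OBJECT):
    """Traffic share, hit rates and oversized misses for hosts under `suffix`."""
    total = dom_bytes = dom_reqs = hit_reqs = hit_bytes = oversized = 0
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[4].isdigit():
            continue  # skip truncated or malformed lines
        size, code = int(f[4]), f[3].split("/")[0]
        total += size
        host = host_of(f[6])
        # Match the domain itself or a true subdomain, not a lookalike suffix
        if host != suffix and not host.endswith("." + suffix):
            continue
        dom_reqs += 1
        dom_bytes += size
        if "HIT" in code:
            hit_reqs += 1
            hit_bytes += size
        elif size > max_object:
            oversized += 1  # a miss whose reply exceeds the object size limit
    pct = lambda part, whole: round(100.0 * part / whole, 2) if whole else 0.0
    return {"share_pct": pct(dom_bytes, total),
            "request_hit_pct": pct(hit_reqs, dom_reqs),
            "byte_hit_pct": pct(hit_bytes, dom_bytes),
            "oversized_misses": oversized}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "windowsupdate.com"))
```

A high `oversized_misses` count points at the size limit as the reason objects are not stored; a low hit rate with few oversized misses points elsewhere, such as the response headers or HTTPS transfers.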

  8. ISP Caching by kmellis · · Score: 3, Informative

    Why don't you subscribe to or at least take a look at the ISP-Caching mailing list?

  9. Software Update Service by blues5150 · · Score: 3, Informative

    How about trying something like this.

    --