"What do our sysadmin readers think?"
WSUS. That's what I think.
But yeah, trash. Let's not even discuss the Win 10 Store connections for completely unrelated apps that never even came from the Store.
An Australian sysadmin frustrated with his business' sudden loss of performance has sparked a conversation about whether Windows 10 is behaving badly on network connections. To jump well into the discussion thread that points the finger at Microsoft: “We have had reports now from several people, not all our clients, reporting …
$ ssh root@server
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-74-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Thu Jun 9 09:00:20 2016 from 10.87.130.21
root@server:~# apt-get install wsus
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package wsus
Funny you should mention that. I've been working for a while on what I think is the first third-party implementation of a SUS server (it's a well-documented open standard - no really), and it happens to be Open Source and also, y'know, runs on Linux (for updating Windows hosts) :)
I recall researching the problem a few months back and drawing blanks. There was some commercial solution, but nothing distributed in the standard repositories.
Normally "WSUS" refers to the Microsoft implementation, which is only shipped with Windows Server. A very expensive piece of software to perform what is essentially just a caching proxy server role.
Today I created a VLAN, at work, called SEWER purely for a set of devices too dodgy to go on the THINGS VLAN. THINGS was for IoT stuff like tellys, cameras and the like and brave real systems with a carefully crafted firewall and rather more HIDS and monitoring than the usual. SEWER devices are just a bit odd(er) to be honest.
It seems I will now need a CESSPOOL VLAN for Windows 10 PCs with even more stringent checks.
It's not quite clear whether people are talking about updates to an existing copy of Windows 10, or the rammed-down-the-throat upgrades being applied to existing Windows 7 and 8.1 systems. From the involvement of Akamai, I can't imagine these are regular updates. Surely not even Microsoft would be insane enough to outsource those.
If Microsoft has engaged Akamai somehow to push their thrice-cursed upgrades, then that might also go some way to explain the tactics that have been deployed. (Particularly if Akamai is paid by the download.)
Microsoft used to - not sure if they still do - sell their software via Digital River. It was a steaming pile of rubbish, little support, failed to allow you to enter basic details, etc.
If they couldn't even do ecommerce (when everyone else seemed to have managed it) I'm not surprised if they have to outsource their CDN.
Installed windows 10 + office, and there are dozens of gigabytes of downloads. New C drive went from 12 gig after install to 50 gig now and growing.
On a 2 megabit ADSL, and it clobbers everything.
There are rumours that gpedit can throttle BITS, but it did not work for me.
Also llnw downloads, is MS using them too? All hidden behind the svchost.
Anyway, Gargoyle to the rescue: it throttles the IP and seems to work despite this article, although Gargoyle itself has been crashing recently.
"On a 2 megabit ADSL, and it clobbers everything."
Pity the poor buggers on the end of a satellite phone or dial up. The sort of people who have to turn off HTML in their email ...
There are plenty of them across the world, say in huge swathes across Africa, large parts of Asia, masses in South America etc etc and I'm sure they are loving the free upgrade.
One additional thing I've not tested but heard might be a work-around is marking the network connection as a metered connection. Apparently this stops the connection being used (even if it's wired or wireless) for collecting updates in the background. I have no idea what other consequences this has, and it might not help out much at all, but hey, worth a try and sharing if it works or not.
If I recall correctly, Win10 sans WSUS will act a bit like a BitTorrent client and advertise itself and start sharing. The article mentions that the sysadmin has an alternative patching mechanism and hence this may have kicked in ... along with a nasty-looking bug.
This is purely speculation on my part but hey, I'm a commentard.
I suggest that MS restrict themselves to doling out their malware themselves or via Akamai and Co. They charge their customers for their OS. No other OS vendor has tried to hijack their customers' connection like this, that I'm aware of. Most Linux/*BSD distros don't even get to charge at all and none of them have even contemplated this nonsense. Apple gets the moral high ground here as well *haaaaawk* ... *spt-ing*.
@ gerdesj, I remember reading something about W10 acting like a torrent client for updates a while back and the report was apparently straight from Slurp. If my memory is correct, using users' machines as part of a torrent stream strikes me as below dodgy since most people do actually have a monthly data cap even if it is quite large.
Any half competent sys-admin knows
Most Windows users aren't competent system admins or even competent computer users (why would they be using Windows if they were? :) ) - most are home users who may be extremely competent in other fields but not computers.
a) how to disable the peer to peer going out to the internet
Most Windows users would not have a clue about that.
b) How to disable it completely
Most Windows users would not have a clue about that.
c) how to stop auto-updates.
Most Windows users would not have a clue about that.
Even if you do have auto-updates running, change the bloody schedules!
Most Windows users would not have a clue about how to do that!
"...most people do actually have monthly data cap even if it is quite large.."
Not justifying this in any way (and I had the whole torrent-style sharing/downloading of updates turned off from the get-go), but most people's caps are for download only.
Now I can see why this would be a decent idea for machines on the same LAN segment that are behind a slow link, but come on MS... that's one of the things WSUS is for.
> but most people's caps are for download only.
I doubt that.
While I'm now on an "unmetered" tariff and VDSL (FTTC in the UK), my previous ADSL tariff with the same ISP metered traffic both ways. I'm fairly certain that this is not uncommon.
But anyway, people have mentioned slow connections - but even "modestly fast" connections (like the 6Mbps ADSL I used to have) often have much slower uplinks (442kbps before overheads for ADSL is typical in the UK). Hence acting as a torrent peer is going to royally screw your uplink, and therefore your latency, and therefore make anything interactive turn into "an unpleasant experience".
After all their previous issues with networking going back to Windows 3.0/3.1 I am actually saddened that MS puts out software that behaves like this.
It is almost as if the droids in Redmond are deliberately ignoring the fact that most of the world is not on 100Mbit connections (not ADSL either).
So come you MS fanbois, defend this?
My decision to never use W10, which I made last October, seems to be even wiser every day.
IMHO, it is a POS and not fit to wipe your arse when doing No 2's.
Sadly, MS won't do anything to fix the problems. They are in 'la-la-la-la-la-can't hear you land' at the moment.
Such a shame. They could have made a really good OS instead... they failed, miserably (IMHO)
@Steve Davies 3
I've not touched a Win10 install. The handful of visiting vendor techs that are using them like the OS itself. However, the slurp factor, and all of the underhanded crap that is also part of the Win10 experience, has put us off, to put it mildly and politely.
I think you have nailed it, the C and D levels at MS are living in la la la la land, fingers in ears, collecting a big salary on a regular basis. As long as their fat salaries are being paid I'm sure they're living large in another reality.
While there are a couple of caveats with using Windows 10, overall, once you've stopped the persistent reporting back to MS (try this AntiBeacon tool: https://www.safer-networking.org/2015/spybot-anti-beacon-privacy-protection-tool/), uninstalled all the apps you'll never use (Sway, Sport, Candy bl**dy crush) and sorted your privacy settings, it's actually pretty good to use.
OK, I'd still prefer a more stripped-down version of Windows (a la XP) but you have to move with the times, and Windows 10 is a return to form after the disaster that was Windows 8.
I don't feel it deserves the rant you've posted.
I didn't say it was perfect. With the way I set up Windows 10 (which is "Minimal" and that should actually be an install option), I actually prefer it to Windows 7. I still prefer Windows XP where everything just worked and feel that both Windows 7 and Windows 10 could learn lessons in usability from Windows XP, but I think Windows 10 is a fine OS.
<Divergence> For any old-timers who use SUBST on local drives for development purposes, has anyone found a Windows 10 method of getting SUBST to work in both "Normal" mode and "Elevated" mode at startup? This is one of the other caveats of Windows 10 use :-) </Divergence>
once you've stopped the persistent reporting back to MS ..., uninstalled all the apps you'll never use ... and sorted your privacy settings, it's actually pretty good to use.
Now do that on the other systems in your house and then the parents' and other family systems you are supporting... and repeat every so often, as MS has a habit of messing things up with its periodic major updates...
Perhaps instead of Classic Shell and Start8/10 we need an XP Shell/StartXP which automatically does all of the stripping out of Win10 and makes it as well behaved as XP/7...
Is it actually Windows 10/Office or is it Akamai?
I know for fact they've made major changes to the TCP congestion backoff on their kit. Buried in their site somewhere they even advertise it as a benefit, which is great until congestion occurs because you _are_ on a crappy link
It's got to be Akamai. That sort of fundamental breakage of TCP congestion control can't happen client-side, not if it wants the lost packets to be retransmitted so it actually gets them.
I've seen servers that ignore ECN marking recently, but they at least still respond to the packet drops which inevitably happen when the queue overflows. They're misbehaving, but in a sort-of manageable way.
This, though - this is *evil*. It's undoing the mid-1980s work which got the Internet running again after the Great Congestion Collapse Event. It needs to be stopped - NOW.
It is almost as if the droids in Redmond are deliberately ignoring the fact that most of the world is not on 100Mbit connections (not ADSL either).
You mean that everyone doesn't have 100MBit connections? Well I'll be damned. Everyone I know has at least 100Mbits available to them. </sarcasm>
Whatever is responsible was probably tested (assuming someone did some testing) on an isolated single user environment inside the corporate headquarters then pushed out to the Basic/Home users to do the real testing. Isn't it M$'s policy to have the W10 basic users test the patches before rolling them out to the Pro/Enterprise community?
1 and 2 are the same answers, is that a give-away ? Noo, that would be too easy, 3 has been out for decades, probably misses a few security updates since it EOL'd and is infested with malware? Hm, the servers ? Nooooo, ok, hmmm, OHHHHHHHHH, BINGO!!!!!!!! THERE, Windows 10, Ok, MUST BE 6.
Do I win anything, today?
I noticed this same thing a year ago during the 'insider' program. I complained about it. A *LOT*. I have limited bandwidth available, and Microsoft was _STEALING_ it whenever they *FELT* like it, which might be while I'm listening to streaming radio or something. It was part of my argument *AGAINST* the "not being able to control WHEN windows updates 'happen'".
THAT obviously landed on DEAF ears. Micro-shaft does not care what customers want. Micro-shaft is doing everything in Win-10-nic for their OWN benefit, SCREW everyone else.
I posted the original article on Whirlpool. What makes it particularly nasty is that it is all done on port 80. Presumably Microsoft want their updates to work even when users are behind diligent sysadmins' firewalls. This is doubly nasty. You can't block port 80 or you block browsing. You can't block Akamai, or you block legitimate and well behaved services. I am hoping I can find a header identifier in the traffic that I can use to block the Windows 10 / Office 2016 updates at layer 7 for now.
I just hope people who can fix this at the source are taking notice and do something about it. They are breaking the Internet....literally.
Thanks for dropping by!
What immediately occurred to me is that the bad behaviour you have seen is coming from the TCP/IP stack in Windows, not just the Microsoft update processes. Does that mean that any outgoing connection from a Win10 box will result in the same packet storm if you choose to throttle it?
I haven't seen any other traffic causing an issue. It is specifically the update process, and it is the inbound traffic that runs amok. I thought it might be a flood of SYN-ACKs, as I had seen a huge surge in connections (several thousand in several seconds) that then died down. However, the packet trace I took whilst the problem was occurring seems to indicate that the connections are fully open and the sending server (Akamai) is just hammering the external interface even though the router is dropping packets to try to throttle the connections back.
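To turn the symptom described above (several thousand connections in a few seconds from one sending host, followed by a sustained inbound flood on port 80) into something a firewall or flow log can alert on, here is an added Python example that is not part of the thread. It runs over a constructed set of inbound connection records; the IP addresses are RFC 5737 documentation placeholders, not real Akamai or Microsoft hosts, and the thresholds are assumptions to tune per link.

```python
from collections import defaultdict, deque

# Constructed sample of inbound connection records as a router or firewall
# flow log would record them: (timestamp in seconds, remote source IP,
# local destination port, bytes received). 203.0.113.10 opens 2500
# connections in ~5 s (the burst); 198.51.100.7 is ordinary background traffic.
SAMPLE_CONNECTIONS = (
    [(0.0 + i * 0.002, "203.0.113.10", 80, 1400) for i in range(2500)]
    + [(3.0 + i * 1.0, "198.51.100.7", 443, 900) for i in range(10)]
)

def find_connection_bursts(records, window=5.0, max_per_window=1000):
    """Return {src_ip: (peak_count, first_ts)} for every source that opens
    more than max_per_window connections inside any `window`-second span.
    A sliding deque per source keeps only timestamps still inside the window."""
    records = sorted(records, key=lambda r: r[0])
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, _port, _nbytes in records:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:
            peak, first = flagged.get(src, (0, q[0]))
            flagged[src] = (max(peak, len(q)), first)
    return flagged

def inbound_rate_by_source(records, port=80):
    """Bytes per second received from each source on the given port, averaged
    over that source's own active span (a single record counts as 1 s), so a
    sender that keeps pushing while the router drops packets stands out."""
    totals, spans = defaultdict(int), {}
    for ts, src, dport, nbytes in records:
        if dport != port:
            continue
        totals[src] += nbytes
        lo, hi = spans.get(src, (ts, ts))
        spans[src] = (min(lo, ts), max(hi, ts))
    return {src: totals[src] / max(spans[src][1] - spans[src][0], 1.0)
            for src in totals}

if __name__ == "__main__":
    for src, (peak, first) in find_connection_bursts(SAMPLE_CONNECTIONS).items():
        print(f"burst from {src}: {peak} connections within 5 s from t={first:.1f}")
    for src, rate in inbound_rate_by_source(SAMPLE_CONNECTIONS).items():
        print(f"{src}: {rate * 8 / 1e6:.2f} Mbit/s inbound on port 80")
```

On a real flow log the same two functions give you the source to rate-limit or report, rather than a port-80 block that would also take out browsing.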
What other well-behaved Akamai served resources do you use?
Can you run a 'fixed' hosts file on your AD DNS server that forces all *.akamai.* to lookup as 127.0.0.1?
Or create a GPO script with a schedule that stops and disables the Windows Update service
with "net stop wuauserv" and "sc config wuauserv start= disabled". Then do the reverse when you wish to allow the PCs to update?
I found one staff member's PC this morning with the "Get Windows 10" notification in the tray.
He's not an Admin.
It's on a Domain with WSUS updates (which M$ says won't get Windows 10)
Yet I had to uninstall these updates:
wusa /uninstall /kb:2952664 /norestart
wusa /uninstall /kb:3035583 /norestart
wusa /uninstall /kb:3068708 /norestart
wusa /uninstall /kb:3080149 /norestart
So now I'm wondering if it's something like the annoying Windows 10 pop-ups that MSN Australia has been pushing out, somehow pushing out the updates if the user clicks on the ad accidentally?