Well, ConfigMgr Current Branch 1806 is here and with it comes support for the Windows LEDBAT Congestion Provider (Windows Server 2016/19 only), which is really awesome news! In case you’ve been hiding under a rock, on the run from the law, or sitting at home with a tinfoil hat on, you can catch up on LEDBAT and what it can do via these  great articles.




However, here at 2Pint we like to take things to the max – and it occurred to me today that although the LEDBAT support in ConfigMgr is rather splendid, it only covers Distribution Point traffic on ports 80/443. We have more work to do here to save your networks!

Avoiding ‘SUP Meltdown’

Back in February (I think) there was a pretty nasty wee bug, as described here https://support.microsoft.com/en-us/help/4163525/high-bandwidth-use-when-clients-scan-for-updates-from-local-wsus-serve

That issue resulted in eye-watering amounts of traffic from clients to WSUS (or ConfigMgr SUP), as the clients all downloaded a large amount of metadata.

Windows LEDBAT can of course help with such crisis situations (and even when the SUP is operating normally) , by backing off in the event of latency increases caused by all this excess traffic, but as WSUS traffic generally arrives over port 8530, you need to manually enable LEDBAT for that port. Once enabled, the WU Metadata downloads will take a back seat to any other non-LEDBAT traffic.

Enabling LEDBAT for WSUS

Simple as ABC, all you have to do is to run the following PowerShell snippet on your WSUS/SUP server, to enable LEDBAT support over port 8530(And don’t forget to create a similar rule for TCP 8531 if that’s what you’re using for WSUS SSL.).  If your server is already a LEDBAT enabled SCCM DP then you don’t even need the first of these two lines..

Set-NetTCPSetting -SettingName InternetCustom -CongestionProvider LEDBAT
New-NetTransportFilter -SettingName InternetCustom -LocalPortStart 8530 -LocalPortEnd 8530 -RemotePortStart 0 -RemotePortEnd 65535

Happy LEDBAT-ing 🙂