When using the Modern IT approach and building Microsoft 365 powered devices it is a combination of the following cloud services for Modern Management:
- Microsoft Azure Active Directory for Identity
- Microsoft Intune for Management
- Windows Update for Business for Servicing
- Windows Analytics to Monitor
To support the Windows as a Service strategy with cloud services we rely on the well known Windows Update service, but with the controls for business usage. This is called Windows Update for Business (WUfB). That means our content is provided by Microsoft Update servers and we define the installation behavior like deferrals or even pause of feature or quality updates. The WUfB settings can be configured in Intune via Software Udpates. This article will not show the details of the WUfB settings. To monitor the Delivery Optimization Performance we have the Delivery Optimization Status in the Windows Analytics solution – Update Compliance.
For successful servicing we need to make sure an internet break out with proper bandwidth capacity is available to support our devices. To prevent internet traffic congestion we can utilize Peer 2 Peer technologies like BranchCache and Delivery Optimization to optimize Windows 10 update delivery. In case of Windows Update for Business we need to focus on Delivery Optimization (DO).
You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers.
How does Delivery Optimization work in detail?
First of all the published content must be chunked and hashed. Currently Microsoft supports the following content:
- Windows Updates (Feature/Quality)
- Store Apps
The basic procedure is:
- Client A checks for Updates
- Client A gets download sources (MS content server and additional clients (peers) B, C, …
- Client A requests chunks from MS content server and peers B, C, …
- Client A verifies hashes of chunks and builds file from chunks
- Client A verifies complete file via hash
The clients will check-in to the Delivery Optimization cloud service as long as the content is valid in its cache. This is necessary to let DO service keep track of devices and let it distribute peer info to requesting clients.
The Delivery Optimization has multiple Download Modes and this is an important part for successful utilization of DO. It configures the logical grouping of devices based on certain criteria. In this example we set Download Mode to Group and we use a custom group ID. This custom Group ID can be delivered by DHCP as an Option ID with code 234 when using upcoming Windows 10 Version 1803.
Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization.
The custom group id delivered by DHCP for scoped devices will let us take control over the grouping. We can assign multiple DHCP scopes the same Group ID or different Group IDs. That’s how we build our device collections and control the peer 2 peer traffic even across NATs.
The DO Peer 2 Peer traffic is a direct TCP/UDP connection on port 7680.
Now we can build effective groups aligned with our networking infrastructure to restrict P2P traffic to physical sites, multiple sites, subnets, what ever we want.
How to configure DO with Intune?
At time of this writing I’m using the Insider Preview for the upcoming Windows 10 Version 1803 to test and include settings which are really worth to mention in this context.
I won’t get into details about every available setting but I will show a complete setup to test DHCP Option ID as source for Group ID.
The custom group ID can be generated by PowerShell:
The custom OMA-URI to configure Download Mode to Group is:
Name: DODownloadMode OMA-URI: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode Data type: integer Value: 2 (group)
With Windows 10 Version 1803 we can provide the Group ID as a DHCP Option ID with code 234. To configure the client to use DHCP option ID we need to configure the following OMA-URI:
Name: DOGroupIdSource OMA-URI: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupIdSource Data type: integer Value: 3 (DHCP Option ID)
Now we need to configure our DHCP infrastructure to provide the DHCP Option ID to our clients. In my example I use a Microsoft DHCP Server:
1. Set Predefined Options
2. Configure the Predefined Options
3. Confirm with OK
4. Configure Scope Options
5. Set Custom Group ID as Option ID 234
6. Verify new Scope Option 234 DOGroupID
This would be enough to let all clients in the same DHCP scope group together and allow P2P traffic.
When testing DO in Virtual Machines I encourage you to configure the following additional settings:
- DOMinFileSizeToCache to 1 MB to ensure caching with even small downloads
- DOMinRAMAllowedToPeer to 1 GB to let VMs with small amount of RAM P2P
- DOPercentageMaxForegroundBandwidth to limit manual Store download Bandwith (this will not restrict peer traffic) *
- DODelayForegroundDownloadFromHttp to 30 seconds to give time to find other peers *
* Windows 10 Version 1803 is needed
./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinFileSizeToCache = 1 (Integer, in MB) ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinRAMAllowedToPeer = 1 (Integer, in GB) ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxForegroundBandwidth = 10 (Integer, in %) ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayForegroundDownloadFromHttp = 30 (Integer, in Sec.)
A test environment configuration may look like this:
For production environments please review all available MDM Delivery Optimization settings and adjust as needed for your environment. For example DOMaxCacheAge, DOMinBackgroundQoS, DOPercentageMaxBackgroundBandwidth , and DOMinBatteryPercentageAllowedToUpload might be from interest for production environments. Remember to check for new settings with every new Version of Windows 10!
Test to verify everything works as expected!
Make sure the settings are applied to the test devices. Generate a advanced diagnostic report:
Open Settings > Accounts > Access work or school > Connected to TenantName’s Azure AD > Info > scroll down to the bottom and click “Create report”
Important settings to verify:
On Client A start a download from the Store with 100MB+ download size and wait for finish. You should observe a throttled download when using VMs with setting DOPercentageMaxForeDownloadBandwidth.
On Client B start the same download from the Store and wait for finish. You should notice a significant faster download on Client B, as it will receive data from local peer without restrictions when tested with VMs and mentioned settings above.
Since Windows 10 Version 1803 we can generate a DO log file to trace the behavior:
Get-DeliveryOptimizationLog | ft -Wrap | Out-File -FilePath $env:temp\DOLogs.txt ; notepad $env:temp\DOLogs.txt
Get the log files from Client A and B and look for entry “Using groupID”, here you must find the DHCP Group ID in both logs:
On Client B you will find stats regarding communication with Peer Client A on port 7680:
If you like to test again you can use disk cleanup utility to clean the DO cache:
Then uninstall the Store app and start the test over again.
- Configure Delivery Optimization for Windows 10 updates
- Policy CSP – DeliveryOptimization
- Delivery Optimization – a deep dive (Ignite 2017)
- Windows PowerShell cmdlets for analyzing usage
- Frequently asked questions
A follow up article with the new Microsoft Connected Cache and DHCP discovery options see here:
Delivery Optimization with Intune and Microsoft Connected Cache (MCC)
Happy caching and a good P2P utilization!
Is Windows 10 Version 1803 a requirement. I’m currently using 1709.
no you can use DeliveryOptimization even with Windows 10 Version 1511. Every new version brought us new options to configure and in the last insider preview (pre-release of 1803) we have DeliveryOptimization/DOGroupIdSource. That was the particular setting what I demonstrated. So you can use DO also without the latest options. On the documentation https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization you find a table which is listing the supported versions like Enterprise or Pro and there are small side notes like 1, 2, 3, or 4 they are for version 1607, 1703, 1709 and 4 is for next major version which is 1803 at the moment.
Excellent. Testing in the lab now using 1709 by creating a Profile and custom Group ID for each location using ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupId. Can’t wait to be able to use DHCP. Very nice info. Thanks!
Nice to hear, you are welcome!
How is this different or ADD-on on the feature in Windows 10 Service Rings option in Intune?
“Delivery optimization: Select HTTP only, no peering, HTTP blended with peering behind same NAT, HTTP blended with peering across private group, HTTP blended with internet peering, Simple download mode with no peering or Bypass mode.”
the post relates to “HTTP blended with peering across private group” in fact the OMA-URI: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode=2 is exactly the option “HTTP blended with peering across private group”. So you can build a Servicing ring in Intune under Software Updates and choose “HTTP blended with peering across private group”. It the same as the OMA-URI. Then you only need to configure DOGroupIdSource to use the DHCP Option if you like.
0 – HTTP only, no peering.
1 (default) – HTTP blended with peering behind the same NAT.
2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
3 – HTTP blended with Internet peering.
99 – Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
100 – Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
hope this helps.
Thanks for the clarification Oliver!
i cannot find the right CSP policy to set : limit how much bandwidth is used for uploading updates to other pcs on the internet
Is this not available yet?
the only limitation you can set at the moment is a limit by kbps or percentage and this only for all or background or foreground downloads. No differentiation between LAN or internet upload currently.
see here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization
Thanks for clearing that up!
Excellent article. However, running into one issue where the GUID defined on DHCP Scope Options 234 is not getting written to the Win 10 1803 Ent computer’s registry. Does not look like its querying the DHCP. In GPO, I set Download Mode to 2 and GroupID Source to 3 which successfully pushed down to the client and written to its registry. Any pointers would greatly be appreciated.
the DHCP option ID request for GroupID does not write the received value in the registry. The value is queried for all requests, so roaming clients get the new GUID in a new DHCP scope. You can analyse the DO Logs if the client uses the DO Group ID.
use this: Get-DeliveryOptimizationLog | where Message -Match ‘GroupId’
The output should get you an indicator if a GroupId is used. Sadly the GroupId is encoded so you can’t match it to the GroupId in your DHCP scope.
Thank you very much Oliver! I did look at the logs and what really confused me was that the GroupId in logs did not match what was set on the DHCP Scope Options 234. Thanks for clarifying that encoded GroupId displays on the logs. I’m following you on Twitter now!
Do you know if/when MS is going to push Office Proplus and it’s updates using DO as well? We use Intune to push Office Proplus
Microsoft is using DO currently in the monthly Channel of Office 365 ProPlus. I suspect it to be integrated in the next semi-annual channel but this is not sure as there is no official announcement right now for it. Remember if you use the monthly channel you only have support for this version until the next monthly channel is released. So you are able to test it with monthly channel and you can track it in Windows Analytics under Update Compliance – Delivery Optimization. 👍
I have a question about the GUIDs for the DHCP Scopes. Are the GUIDs generated automatically? Or do they need to be manually populated?
The reason I’m asking is I’m trying to rationalise the comment you made
“The custom group id delivered by DHCP for scoped devices will let us take control over the grouping. We can assign multiple DHCP scopes the same Group ID or different Group IDs. That’s how we build our device collections and control the peer 2 peer traffic even across NATs”
Does the above comment mean that you manually made a GUID and assigned that same GUID to a set of DHCP Scopes that are on the same LAN?
yes you create it manually and assign it to a DHCP scope. It is up to you to which scope you are assigning a different or the same GUID. That’s the way how you build you groups of devices which should belong in the same DO P2P group.
Scope A -> GUID A
Scope B -> GUID A
Scope C -> GUID A
Scope D -> GUID B
in this example all devices in scopes a,b,c would get GUID A for DO and all devices in scope d would get GUID B.
I know this thread is old but it is a great post with lots of information. I have a question about the GUIDs, I know we have to come up with our own GUID for each scope…Is there a guideline for what the GUID should be or look like. I see the one you are using, do they all have to be in that format, or can I use a simple 5 digit number?
it needs to be exactly in this format. Just use New-Guid and generate new ones as needed. The guid is used as a global unique identifier you should really use a unique generated one with PS comamnd New-Guid.
What happens on the client if the download mode is set to 2, and no DOGroupID is defined – will the client default back to download mode 1 functionality?
that’s actually a good question. I’m not aware of any fallback. I think in that case the client will directly reach out to the online resource and download the bits from there then.
I know its an old post but hoping you would reply:) if we are located in 32 countries around the world and we need to use the dhcp option that would mean we need to set up 32 different do profiles in intune because of 32 different dhcp group id and map these do profiles to the devices that need to do peer to peer right?
If you do the DHCP option you don’t need to create 32 DO profiles. You just need one profile telling the client use DHCP option id. Next in every location (32 in total) you are going to configure the DHCP option id for each location. Each location gets a unique group ID. Thats all. Every client even travelling ones will ask the local DHCP for the option ID and the DHCP server will respond accordingly.