Configure Delivery Optimization with Intune for Windows Update for Business

When using the Modern IT approach and building Microsoft 365 powered devices, Modern Management is a combination of the following cloud services:

To support the Windows as a Service strategy with cloud services, we rely on the well-known Windows Update service, but with controls for business usage. This is called Windows Update for Business (WUfB). That means our content is provided by Microsoft Update servers and we define the installation behavior, such as deferrals or even pausing feature or quality updates. The WUfB settings can be configured in Intune via Software Updates. This article will not show details of the WUfB settings.

For successful servicing we need to make sure an internet breakout with proper bandwidth capacity is available to support our devices. To prevent internet traffic congestion we can use peer-to-peer technologies like BranchCache and Delivery Optimization to optimize Windows 10 update delivery. With Windows Update for Business we need to focus on Delivery Optimization (DO).

You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers.

How does Delivery Optimization work in detail?

First of all the published content must be chunked and hashed. Currently Microsoft supports the following content:

  • Windows Updates (Feature/Quality)
  • Drivers
  • Store Apps

The basic procedure is:

  1. Client A checks for Updates
  2. Client A gets download sources (MS content server and additional clients (peers) B, C, …)
  3. Client A requests chunks from MS content server and peers B, C, …
  4. Client A verifies hashes of chunks and builds file from chunks
  5. Client A verifies complete file via hash
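
Steps 4 and 5 mean a chunk is only used if its hash matches the published one, regardless of which source delivered it. The following sketch is an added illustration, not Microsoft's implementation and not part of the original post; SHA-256, the 8-byte chunk size, the payload and the `PeerB`/`ContentServer` sources are assumptions made for the example.

```powershell
# Added illustration of steps 3-5. SHA-256, the 8-byte chunk size, the payload and
# the two sources are assumptions for this example, not DO's real parameters.
$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-HashHex([byte[]]$Bytes) { [BitConverter]::ToString($sha.ComputeHash($Bytes)) }

# Publisher side: chunk the content, publish per-chunk hashes and a whole-file hash.
$content   = [Text.Encoding]::ASCII.GetBytes('constructed update payload')
$chunkSize = 8
$chunks = @(for ($i = 0; $i -lt $content.Length; $i += $chunkSize) {
    $end = [Math]::Min($i + $chunkSize, $content.Length) - 1
    ,([byte[]]($content[$i..$end]))          # leading comma keeps each chunk as one array
})
$manifest = @{
    ChunkHashes = @($chunks | ForEach-Object { Get-HashHex $_ })
    FileHash    = Get-HashHex $content
}

# Download sources, tried in order. PeerB returns a modified copy of chunk 1.
$sources = [ordered]@{
    PeerB         = { param($n) $c = [byte[]]$chunks[$n].Clone()
                      if ($n -eq 1) { $c[0] = $c[0] -bxor 0xFF }; $c }
    ContentServer = { param($n) $chunks[$n] }
}

# Client A: accept a chunk only if its hash matches the manifest (step 4).
$file = New-Object 'System.Collections.Generic.List[byte]'
$log = for ($n = 0; $n -lt $manifest.ChunkHashes.Count; $n++) {
    foreach ($name in $sources.Keys) {
        $fetch = $sources[$name]
        [byte[]]$data = & $fetch $n
        if ((Get-HashHex $data) -eq $manifest.ChunkHashes[$n]) {
            $file.AddRange($data)
            "chunk $n accepted from $name"
            break
        }
        "chunk $n from $name rejected (hash mismatch), trying next source"
    }
}

# Step 5: verify the assembled file against the whole-file hash.
$fileOk = (Get-HashHex ($file.ToArray())) -eq $manifest.FileHash
$log
"complete file hash valid: $fileOk"
```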

Clients check in to the Delivery Optimization cloud service as long as the content is valid in their cache. This is necessary so that the DO service can keep track of devices and distribute peer information to requesting clients.

Delivery Optimization has multiple Download Modes, and choosing the right one is an important part of using DO successfully. The Download Mode configures the logical grouping of devices based on certain criteria. In this example we set Download Mode to Group and use a custom Group ID. This custom Group ID can be delivered by DHCP as an Option ID with code 234 when using the upcoming Windows 10 Version 1803.

Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization.

The custom Group ID delivered by DHCP for scoped devices lets us take control over the grouping. We can assign multiple DHCP scopes the same Group ID or different Group IDs. That’s how we build our device collections and control the peer-to-peer traffic, even across NATs.

The DO Peer 2 Peer traffic is a direct TCP/UDP connection on port 7680.

Now we can build effective groups aligned with our networking infrastructure to restrict P2P traffic to physical sites, multiple sites, subnets, whatever we want.

 

How to configure DO with Intune?

At the time of this writing I’m using the Insider Preview for the upcoming Windows 10 Version 1803 to test and include settings which are really worth mentioning in this context.

I won’t get into details about every available setting but I will show a complete setup to test DHCP Option ID as source for Group ID.

The custom group ID can be generated by PowerShell:

[guid]::NewGuid()

The custom OMA-URI to configure Download Mode to Group is:

Name: DODownloadMode
OMA-URI: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode
Data type: integer
Value: 2 (group)

With Windows 10 Version 1803 we can provide the Group ID as a DHCP Option ID with code 234. To configure the client to use DHCP option ID we need to configure the following OMA-URI:

Name: DOGroupIdSource
OMA-URI: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupIdSource
Data type: integer
Value: 3 (DHCP Option ID)

Now we need to configure our DHCP infrastructure to provide the DHCP Option ID to our clients. In my example I use a Microsoft DHCP Server:

  1. Set Predefined Options
  2. Configure the Predefined Options
  3. Confirm with OK
  4. Configure Scope Options
  5. Set Custom Group ID as Option ID 234
  6. Verify new Scope Option 234 DOGroupID

This would be enough to let all clients in the same DHCP scope group together and allow P2P traffic.
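
The six GUI steps can also be scripted with the DhcpServer PowerShell module, which keeps the scope-to-group mapping reviewable in one place. This is an added example, not from the original post: the scope addresses and Group IDs are constructed sample values, and the String option type is an assumption.

```powershell
# Added example: scripted equivalent of the six GUI steps, run on the DHCP server.
# Scope IDs and Group IDs are constructed sample values; replace them with your own.
Import-Module DhcpServer

$optionId = 234
$scopeToGroup = @{
    '10.10.1.0' = '11111111-2222-3333-4444-555555555555'   # site A
    '10.10.2.0' = '11111111-2222-3333-4444-555555555555'   # site A, second scope
    '10.20.1.0' = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'   # site B
}

# Steps 1-3: create the predefined option once per server (String type is assumed).
if (-not (Get-DhcpServerv4OptionDefinition -OptionId $optionId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -Name 'DOGroupID' -OptionId $optionId -Type String `
        -Description 'Delivery Optimization Group ID'
}

# Steps 4-5: set the Group ID per scope, refusing values that are not GUIDs.
foreach ($scope in $scopeToGroup.Keys) {
    $groupId = $scopeToGroup[$scope]
    $parsed  = [guid]::Empty
    if (-not [guid]::TryParse($groupId, [ref]$parsed)) {
        Write-Warning "Scope ${scope}: '$groupId' is not a GUID, skipped"
        continue
    }
    Set-DhcpServerv4OptionValue -ScopeId $scope -OptionId $optionId -Value $groupId
}

# Step 6: read the option back for every scope so unset or unexpected groups stand out.
Get-DhcpServerv4Scope | ForEach-Object {
    $value = (Get-DhcpServerv4OptionValue -ScopeId $_.ScopeId -OptionId $optionId `
                  -ErrorAction SilentlyContinue).Value
    [pscustomobject]@{
        Scope     = $_.ScopeId
        Name      = $_.Name
        DOGroupID = if ($value) { $value -join ',' } else { '<not set>' }
    }
} | Format-Table -AutoSize
```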

When testing DO in Virtual Machines I encourage you to configure the following additional settings:

  • DOMinFileSizeToCache to 1 MB to ensure caching with even small downloads
  • DOMinRAMAllowedToPeer to 1 GB to let VMs with a small amount of RAM use P2P
  • DOPercentageMaxForeDownloadBandwidth to limit manual Store download bandwidth (this will not restrict peer traffic) *
  • DODelayForegroundDownloadFromHttp to 30 seconds to give time to find other peers *

* Windows 10 Version 1803 is needed

Custom OMA-URIs:

./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinFileSizeToCache = 1 (Integer, in MB)

./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinRAMAllowedToPeer = 1 (Integer, in GB)

./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth = 10 (Integer, in %)

./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayForegroundDownloadFromHttp = 30 (Integer, in Sec.)

A test environment configuration may look like this:

For production environments please review all available MDM Delivery Optimization settings and adjust them as needed for your environment. For example, DOMaxCacheAge, DOMinBackgroundQoS and DOPercentageMaxBackDownloadBandwidth might be of interest for production environments. Remember to check for new settings with every new version of Windows 10!

 

Test to verify everything works as expected!

Make sure the settings are applied to the test devices. Generate an advanced diagnostic report:

Open Settings > Accounts > Access work or school > Connected to TenantName’s Azure AD > Info > scroll down to the bottom and click “Create report”

Important settings to verify:

Test procedure:

On Client A, start a download from the Store with 100MB+ download size and wait for it to finish. You should observe a throttled download when using VMs with the setting DOPercentageMaxForeDownloadBandwidth.

On Client B, start the same download from the Store and wait for it to finish. You should notice a significantly faster download on Client B, as it will receive data from the local peer without restrictions when tested with VMs and the settings mentioned above.

Since Windows 10 Version 1803 we can generate a DO log file to trace the behavior:

Get-DeliveryOptimizationLog | ft -Wrap | Out-File -FilePath $env:temp\DOLogs.txt ; notepad $env:temp\DOLogs.txt

Get the log files from Client A and B and look for the entry “Using groupID”. You must find the DHCP Group ID in both logs.

On Client B you will find stats regarding communication with Peer Client A on port 7680.

If you would like to test again, you can use the Disk Cleanup utility to clean the DO cache.

Then uninstall the Store app and start the test over again.
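
The checks from the test procedure above, gathered into one script (an added example, not part of the original post). It assumes MDM policy values are readable under the `PolicyManager\current\device` registry key and that DO log entries expose a `Message` property; run it elevated on Client A and Client B and compare the results.

```powershell
# Added example. The PolicyManager registry path and the Message property of the
# DO log entries are assumptions; expected values are the ones set in this article.
function Test-DOGroupSetup {
    $key      = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'
    $expected = [ordered]@{ DODownloadMode = 2; DOGroupIdSource = 3 }
    $applied  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Compare each expected policy value with what is present on the device.
    $policy = foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $applied.$name
            Ok       = $applied.$name -eq $expected[$name]
        }
    }

    # Most recent "Using groupID" entry from the DO log (Windows 10 Version 1803 or later).
    $groupLine = Get-DeliveryOptimizationLog |
        Where-Object { $_.Message -like '*Using groupID*' } |
        Select-Object -Last 1 -ExpandProperty Message

    # Where did the bytes of the tracked downloads come from?
    $jobs      = @(Get-DeliveryOptimizationStatus)
    $fromPeers = [long]($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
    $fromHttp  = [long]($jobs | Measure-Object -Property BytesFromHttp -Sum).Sum
    $total     = $fromPeers + $fromHttp

    # Is the DO service listening for peers on TCP 7680?
    $listening = [bool](Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Policy          = $policy
        GroupIdLogEntry = $groupLine
        BytesFromPeers  = $fromPeers
        BytesFromHttp   = $fromHttp
        PeerSharePct    = if ($total) { [math]::Round(100 * $fromPeers / $total, 1) } else { 0 }
        Listening7680   = $listening
    }
}

$result = Test-DOGroupSetup
$result.Policy | Format-Table -AutoSize
$result | Select-Object * -ExcludeProperty Policy | Format-List
```

After the test, Client B should show a non-zero `BytesFromPeers` and both clients should report the same Group ID in `GroupIdLogEntry`.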

 

Further information

 

Happy caching and a good P2P utilization!

4 thoughts on “Configure Delivery Optimization with Intune for Windows Update for Business”

    1. Hi Mike,
      no you can use DeliveryOptimization even with Windows 10 Version 1511. Every new version brought us new options to configure and in the last insider preview (pre-release of 1803) we have DeliveryOptimization/DOGroupIdSource. That was the particular setting what I demonstrated. So you can use DO also without the latest options. On the documentation https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization you find a table which is listing the supported versions like Enterprise or Pro and there are small side notes like 1, 2, 3, or 4 they are for version 1607, 1703, 1709 and 4 is for next major version which is 1803 at the moment.
      ok

      1. Excellent. Testing in the lab now using 1709 by creating a Profile and custom Group ID for each location using ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupId. Can’t wait to be able to use DHCP. Very nice info. Thanks!
