Configure Delivery Optimization with Intune for Windows Update for Business

When using the Modern IT approach and building Microsoft 365 powered devices it is a combination of the following cloud services for Modern Management:

• Microsoft Azure Active Directory for Identity
• Microsoft Intune for Management
• Windows Update for Business for Servicing
• Windows Analytics to Monitor

To support the Windows as a Service strategy with cloud services we rely on the well known Windows Update service, but with the controls for business usage. This is called Windows Update for Business (WUfB). That means our content is provided by Microsoft Update servers and we define the installation behavior like deferrals or even pause of feature or quality updates. The WUfB settings can be configured in Intune via Software Udpates. This article will not show the details of the WUfB settings. To monitor the Delivery Optimization Performance we have the Delivery Optimization Status in the Windows Analytics solution – Update Compliance.

For successful servicing we need to make sure an internet break out with proper bandwidth capacity is available to support our devices. To prevent internet traffic congestion we can utilize Peer 2 Peer technologies like BranchCache and Delivery Optimization to optimize Windows 10 update delivery. In case of Windows Update for Business we need to focus on Delivery Optimization (DO).

You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers.

How does Delivery Optimization work in detail?

First of all the published content must be chunked and hashed. Currently Microsoft supports the following content:

• Windows Updates (Feature/Quality)
• Drivers
• Store Apps

The basic procedure is:

1. Client A checks for Updates
2. Client A gets download sources (MS content server and additional clients (peers) B, C, …
3. Client A requests chunks from MS content server and peers B, C, …
4. Client A verifies hashes of chunks and builds file from chunks
5. Client A verifies complete file via hash

The clients will check-in to the Delivery Optimization cloud service as long as the content is valid in its cache. This is necessary to let DO service keep track of devices and let it distribute peer info to requesting clients.

The Delivery Optimization has multiple Download Modes and this is an important part for successful utilization of DO. It configures the logical grouping of devices based on certain criteria. In this example we set Download Mode to Group and we use a custom group ID. This custom Group ID can be delivered by DHCP as an Option ID with code 234 when using upcoming Windows 10 Version 1803.

Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization.

The custom group id delivered by DHCP for scoped devices will let us take control over the grouping. We can assign multiple DHCP scopes the same Group ID or different Group IDs. That’s how we build our device collections and control the peer 2 peer traffic even across NATs.

The DO Peer 2 Peer traffic is a direct TCP/UDP connection on port 7680.

Now we can build effective groups aligned with our networking infrastructure to restrict P2P traffic to physical sites, multiple sites, subnets, what ever we want.

How to configure DO with Intune?

At time of this writing I’m using the Insider Preview for the upcoming Windows 10 Version 1803 to test and include settings which are really worth to mention in this context.

I won’t get into details about every available setting but I will show a complete setup to test DHCP Option ID as source for Group ID.

The custom group ID can be generated by PowerShell:

[guid]::NewGuid()

The custom OMA-URI to configure Download Mode to Group is:

Name: DODownloadMode
OMA-URI: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode
Data type: integer
Value: 2 (group)

With Windows 10 Version 1803 we can provide the Group ID as a DHCP Option ID with code 234. To configure the client to use DHCP option ID we need to configure the following OMA-URI:

Name: DOGroupIdSource
OMA-URI: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupIdSource
Data type: integer
Value: 3 (DHCP Option ID)

Now we need to configure our DHCP infrastructure to provide the DHCP Option ID to our clients. In my example I use a Microsoft DHCP Server:

1. Set Predefined Options

2. Configure the Predefined Options

3. Confirm with OK

4. Configure Scope Options

5. Set Custom Group ID as Option ID 234

6. Verify new Scope Option 234 DOGroupID

This would be enough to let all clients in the same DHCP scope group together and allow P2P traffic.

When testing DO in Virtual Machines I encourage you to configure the following additional settings:

• DOMinFileSizeToCache to 1 MB to ensure caching with even small downloads
• DOMinRAMAllowedToPeer to 1 GB to let VMs with small amount of RAM P2P
• DOPercentageMaxForegroundBandwidth to limit manual Store download Bandwith (this will not restrict peer traffic) *
• DODelayForegroundDownloadFromHttp to 30 seconds to give time to find other peers *

* Windows 10 Version 1803 is needed

Custom OMA-URIs:

./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinFileSizeToCache = 1 (Integer, in MB)

./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOMinRAMAllowedToPeer = 1 (Integer, in GB)

./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOPercentageMaxForegroundBandwidth = 10 (Integer, in %)

./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODelayForegroundDownloadFromHttp = 30 (Integer, in Sec.)

A test environment configuration may look like this:

For production environments please review all available MDM Delivery Optimization settings and adjust as needed for your environment. For example DOMaxCacheAge, DOMinBackgroundQoS, DOPercentageMaxBackgroundBandwidth , and DOMinBatteryPercentageAllowedToUpload might be from interest for production environments. Remember to check for new settings with every new Version of Windows 10!

Test to verify everything works as expected!

Make sure the settings are applied to the test devices. Generate a advanced diagnostic report:

Open Settings > Accounts > Access work or school > Connected to TenantName’s Azure AD > Info > scroll down to the bottom and click “Create report”

Important settings to verify:

Test procedure:

On Client A start a download from the Store with 100MB+ download size and wait for finish. You should observe a throttled download when using VMs with setting DOPercentageMaxForeDownloadBandwidth.

On Client B start the same download from the Store and wait for finish. You should notice a significant faster download on Client B, as it will receive data from local peer without restrictions when tested with VMs and mentioned settings above.

Since Windows 10 Version 1803 we can generate a DO log file to trace the behavior:

Get-DeliveryOptimizationLog | ft -Wrap | Out-File -FilePath $env:temp\DOLogs.txt ; notepad $env:temp\DOLogs.txt

Get the log files from Client A and B and look for entry “Using groupID”, here you must find the DHCP Group ID in both logs:

On Client B you will find stats regarding communication with Peer Client A on port 7680:

If you like to test again you can use disk cleanup utility to clean the DO cache:

Then uninstall the Store app and start the test over again.

Further information

• Configure Delivery Optimization for Windows 10 updates
• Policy CSP – DeliveryOptimization
• Delivery Optimization – a deep dive (Ignite 2017)
• Windows PowerShell cmdlets for analyzing usage
• Frequently asked questions

A follow up article with the new Microsoft Connected Cache and DHCP discovery options see here:

Delivery Optimization with Intune and Microsoft Connected Cache (MCC)

Happy caching and a good P2P utilization!