How to effectively use Delivery Optimization to distribute Windows Update content to clients inside your LAN


Goal

Switch from Windows Server Update Services, and a world of pain keeping that service up and running with its MANY foibles, to Windows 10 Delivery Optimization, which distributes Windows Update content through a peer-to-peer content distribution system.

You won’t be disappointed... trust me!

Prerequisites

  • A network
  • Windows 10 version 1703 or later
  • The latest Windows 10 ADMX Files imported from here
  • Group Policy creation/edit access
  • A deep-seated desire to live a simpler existence without WSUS, using Delivery Optimization to distribute Windows Update content instead

Firewall Rules

  • *.dl.delivery.mp.microsoft.com
  • *.emdl.ws.microsoft.com
  • *.download.windowsupdate.com
  • *.windowsupdate.com
  • *.prod.do.dsp.mp.microsoft.com
  • *.delivery.mp.microsoft.com
  • *.update.microsoft.com
  • *.tsfe.trafficshaping.dsp.mp.microsoft.com

Solution Summary

  1. If you block specific URLs on your firewall, open up the addresses listed under Firewall Rules so that traffic can flow freely to your clients, and test using PortQueryUI (this step is not covered in this guide as it would be impossible to list the methods for every firewall)
  2. Open port 7680 on client devices via Group Policy
  3. Enable Delivery Optimization via Group policy and set applicable options
  4. Configure Windows Updates settings via Group Policy
  5. Test that clients can access the Delivery Optimization service on other clients using telnet
  6. Monitor the performance of the Delivery Optimization service

Solution Steps

Open port 7680 on client devices via Group Policy

This is often enabled as standard, but it is good practice to enforce it via Group Policy to ensure the ports are available. There are already predefined rules built into Windows 10 named Delivery Optimization (TCP-In) and Delivery Optimization (UDP-In) that cover all aspects of incoming client traffic.


These rules can be enabled through Group Policy, inside the same GPO used for the DO and WU settings.

The settings can be found under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules

  1. Create a new policy to store the settings in
  2. Give the new policy an appropriate name
  3. Edit the policy
  4. Drill down to Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules
  5. Tick Predefined then select DO
  6. Both options will be ticked as default
  7. Allow the connection will be set as default, click Finish
  8. The new rules will now be shown in the Inbound rules table

Enable Delivery Optimization via Group policy

Now, still inside the same GPO, navigate to the Delivery Optimization settings under Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization and double-click Download Mode.


For this guide we are going to set Download Mode to 1, HTTP blended with peering behind the same NAT. This basically means that clients behind your router can share data with each other, but they will not share data with Internet peers or with members of the same domain that sit across a WAN connection.

The following list shows the supported Download Mode values for Delivery Optimization:

  • 0 = HTTP only, no peering.
  • 1 = HTTP blended with peering behind the same NAT.
  • 2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory site (if one exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group, use Group ID in combination with Mode 2.
  • 3 = HTTP blended with Internet peering.
  • 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
  • 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead.

Configure Windows Updates settings via Group Policy

Follow the previous steps to create a new GPO to store the Windows Update settings, with an appropriate name such as “Computer – Windows Updates”.


The number of settings held within this policy is quite large and complex, so it is recommended that you download the backup below and import the settings into your blank GPO.

Download here

Import the GPO

  1. Right click on the blank GPO
  2. Import Settings
  3. Next
  4. Next
  5. Browse to the location you downloaded and extracted the GPO Backup
  6. Next
  7. Click Computer
  8. Next
  9. Next
  10. Finish

The policy will now be populated with the correct settings.


Don’t forget to apply both the GPOs to the OU containing your Windows 10 clients.

Test that clients can access the Delivery Optimization service

With the GPO applied to the clients, give them a good few reboots to pick up the GP settings and apply them.

Once again load up PortQueryUI and enter the IP/hostname of a client on your network that has had the GPO applied. Select the option to manually enter query ports, enter 7680, then click Query.


You should get back a LISTENING status:

TCP port 7680 (ms-do service): LISTENING
portqry.exe -n 127.0.0.1 -e 7680 -p TCP exits with return code 0x00000000.

If you get anything other than this, check that your firewall settings have been applied and that the Delivery Optimization service isn’t set to Disabled or Manual.
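The same checks can be scripted from the client side. This is an added example, not a script from the original post: it reads the service startup type, the two predefined inbound rules, the Download Mode value that the GPO writes to the policy registry key, whether anything is listening on 7680 locally, and then probes other LAN clients on TCP 7680 the way PortQueryUI does. The service name DoSvc, the policy registry path and the peer names CLIENT01/CLIENT02 are assumptions.

```powershell
# Added example: Delivery Optimization client readiness check (not from the original post).
# Assumed: service name DoSvc, policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,
# rule display names 'Delivery Optimization (TCP-In)' / '(UDP-In)' as named in the post.
function Test-DoClientReadiness {
    param(
        [int]$ExpectedDownloadMode = 1,   # mode 1 = peering behind the same NAT, as used in this guide
        [string[]]$Peer = @()             # other LAN clients to probe on TCP 7680
    )
    $result = [ordered]@{}

    # 1. The DO service must not be Disabled or Manual (the post's troubleshooting hint)
    $svc = Get-Service -Name DoSvc
    $result.ServiceStatus    = $svc.Status
    $result.ServiceStartType = $svc.StartType

    # 2. Both predefined inbound rules should be enabled with an Allow action
    $rules = Get-NetFirewallRule -DisplayName 'Delivery Optimization (*-In)' -ErrorAction SilentlyContinue
    $result.FirewallRulesEnabled = @($rules | Where-Object {
        "$($_.Enabled)" -eq 'True' -and "$($_.Action)" -eq 'Allow' }).Count   # expect 2

    # 3. Download Mode as delivered by Group Policy (assumed registry location)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $mode = (Get-ItemProperty -Path $policyKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
    $result.PolicyDownloadMode  = $mode
    $result.DownloadModeMatches = ($mode -eq $ExpectedDownloadMode)

    # 4. Is the DO service actually listening on 7680 on this client?
    $result.ListeningOn7680 = [bool](Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue)

    # 5. Reachability of each peer on 7680, the scripted equivalent of the PortQueryUI test
    $result.PeerReachability = foreach ($p in $Peer) {
        $t = Test-NetConnection -ComputerName $p -Port 7680 -WarningAction SilentlyContinue
        [pscustomobject]@{ Peer = $p; TcpPort7680Open = $t.TcpTestSucceeded }
    }
    [pscustomobject]$result
}

# Example run against two hypothetical LAN peers; run as an administrator on a client with the GPO applied
Test-DoClientReadiness -ExpectedDownloadMode 1 -Peer 'CLIENT01', 'CLIENT02' | Format-List
```

A client that reports DownloadModeMatches as False has not picked up the GPO yet (or is in a different OU), and one with FirewallRulesEnabled below 2 or TcpPort7680Open False from its peers is where the LISTENING check above will fail.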


Monitor the performance of the Delivery Optimization service

The PowerShell command below can be run locally or via a PowerShell remote session.

For ease of reading I have numbered the output fields below.

Get-DeliveryOptimizationPerfSnapThisMonth

DO stats
  1. The number of bytes uploaded to other LAN peers in the previous calendar month
  2. The number of bytes uploaded to Internet peers in the previous calendar month; with option 1 as used in this guide this will always be 0, as clients will not be uploading data to Internet peers
  3. The amount of data downloaded from Microsoft servers in the previous calendar month
  4. The number of bytes downloaded from a Microsoft Connected Cache in the previous calendar month
  5. The number of bytes downloaded from LAN peers in the previous calendar month
  6. The number of bytes downloaded from Internet peers in the previous calendar month

Check the current DO jobs status

Running the PowerShell command below will output the current job status, showing you the Download and Upload tasks for that client. In the example captured for this guide, a WU Download task for file ID 86fe26c6ef504ec17095eb2ad1e5872f8e896ca3 had a total file size of 90889562 bytes, of which 82500954 bytes (nearly 91%) came from LAN peers.

Get-DeliveryOptimizationStatus
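Checking one client at a time does not tell you whether peering is working across the estate. The function below is an added example (not from the original post) that runs Get-DeliveryOptimizationStatus on a list of clients over PowerShell Remoting and works out, per client, what share of the downloaded bytes came from LAN peers, flagging clients that downloaded plenty but took nothing from peers. The computer names are placeholders; the FileId, FileSize, TotalBytesDownloaded, BytesFromPeers and BytesFromHttp properties are the ones the cmdlet documents, and DownloadMode is assumed to be present on your build.

```powershell
# Added example: fleet-wide Delivery Optimization peering summary (not from the original post).
# Requires PowerShell Remoting to the clients and a Windows 10 build that exposes the properties used below.
function Get-DoPeerSummary {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Collect every DO job from each client; Invoke-Command stamps each object with PSComputerName
    $jobs = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-DeliveryOptimizationStatus |
            Select-Object FileId, FileSize, TotalBytesDownloaded, BytesFromPeers, BytesFromHttp, DownloadMode
    }

    $jobs | Group-Object PSComputerName | ForEach-Object {
        $total = ($_.Group | Measure-Object TotalBytesDownloaded -Sum).Sum
        $peers = ($_.Group | Measure-Object BytesFromPeers -Sum).Sum
        # Same arithmetic as the post's example: 82500954 / 90889562 bytes = 90.8% from LAN peers
        $pct = if ($total -gt 0) { [math]::Round(100 * $peers / $total, 1) } else { 0 }
        [pscustomobject]@{
            Computer     = $_.Name
            Jobs         = $_.Count
            DownloadMode = ($_.Group | Select-Object -First 1).DownloadMode   # assumed property
            TotalMB      = [math]::Round($total / 1MB, 1)
            PeerPercent  = $pct
            # A client with real download volume but zero peer bytes usually means the GPO has not
            # applied, the 7680 rules are missing, or it sits behind a different NAT to its peers
            Flag         = if ($total -gt 100MB -and $peers -eq 0) { 'NO-PEERING' } else { '' }
        }
    } | Sort-Object PeerPercent
}

# Example run across three placeholder clients; lowest peer percentage first
Get-DoPeerSummary -ComputerName 'CLIENT01', 'CLIENT02', 'CLIENT03' | Format-Table -AutoSize
```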


Export the Delivery Optimization log file

This is achieved again via PowerShell, with a simple command as below.

Get-DeliveryOptimizationLog | Set-Content c:\dosvc.txt

You are also able to check the DO console in Windows 10 for activity levels; the easiest way to get to it is to search for Delivery Optimization from the Start menu.


This will then show you the Activity Monitor statistics for this client.


Acronyms

DO – Delivery Optimization

WU – Windows Update

WSUS – Windows Server Update Services

GP – Group Policy

GPO – Group Policy Object

Internal Links

Reset WSUS SUSDB And Content Folder – The ICT Guy

WSUS Prerequisites For Normal Operation – The ICT Guy

Windows Server And Installing Selective Windows Updates – The ICT Guy


2 thoughts on “How to effectively use Delivery Optimization to distribute Windows Update content to clients inside your LAN”

  1. One question, I have some PCs that are not directly connected to the internet and I would like to use this feature so the internet-connected PCs can share the updates with the others.

    How could I do this? I don’t have WSUS in the office because the servers are hosted in the cloud.
    If I open the traffic from the PCs that are not directly on the internet to the Delivery Optimization service specific URLs and port, could it work?

    Thanks!

    1. The machines need access to the Internet to receive information about the other machines inside the LAN to work with DO.
