How to effectively use Delivery Optimization to distribute Windows Update content to clients inside your LAN

Goal
Move away from Windows Server Update Services, and the pain of keeping the service up and running with its MANY foibles, and use Windows 10 Delivery Optimization to distribute Windows Update content through a peer-to-peer content distribution system.
You won’t be disappointed... trust me!
Prerequisites
- A network
- Windows 10 version 1703 or later
- The latest Windows 10 ADMX Files imported from here
- Group Policy creation/edit access
- A deep-seated desire to live a simpler existence without WSUS and to switch to Delivery Optimization to distribute Windows Update content
Firewall Rules
- *.dl.delivery.mp.microsoft.com
- *.emdl.ws.microsoft.com
- *.download.windowsupdate.com
- *.windowsupdate.com
- *.prod.do.dsp.mp.microsoft.com
- *.delivery.mp.microsoft.com
- *.update.microsoft.com
- *.tsfe.trafficshaping.dsp.mp.microsoft.com
Solution Summary
- If you block specific URLs on your firewall, allow the URLs listed under Firewall Rules so traffic can flow freely to your clients, and test using PortQryUI (this first point is not covered in this guide, as it would be impossible to list all methods for all firewalls)
- Open port 7680 on client devices via Group Policy
- Enable Delivery Optimization via Group Policy and set applicable options
- Configure Windows Updates settings via Group Policy
- Test that clients can access the Delivery Optimization service on other clients using telnet
- Monitor the performance of the Delivery Optimization service
Solution Steps
Open port 7680 on client devices via Group Policy
This is often enabled as standard, but it is good practice to enable it via Group Policy to ensure the ports are available. Windows 10 already has predefined rules named Delivery Optimization (TCP-In) and Delivery Optimization (UDP-In) that cover all incoming client traffic.

These can be enabled using a Group Policy built into the same GPO used for DO and WU.
The settings can be found under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules.








Enable Delivery Optimization via Group Policy
Still inside the same GPO, navigate to the Delivery Optimization settings under Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization and double-click Download Mode.

For this guide we are going to set Download Mode to 1, HTTP blended with peering behind the same NAT. This means clients behind your router can share data with each other, but they will not share data with Internet peers or with members of the same domain that are located on a WAN connection.
The following list shows the supported Download Mode values for Delivery Optimization:
0 = HTTP only, no peering.
1 = HTTP blended with peering behind the same NAT.
2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
3 = HTTP blended with Internet Peering.
99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
100 = Bypass mode. Do not use Delivery Optimization and use BITS instead.
Configure Windows Updates settings via Group Policy
Follow the previous steps to create a new GPO to store the Windows Update settings, with an appropriate name such as “Computer – Windows Updates”.

The number of settings held within this policy is quite large and complex, so it is recommended that you download the backup below and import the settings into your blank GPO.
Import the GPO
- Right click on the blank GPO
- Import Settings
- Next
- Next
- Browse to the location you downloaded and extracted the GPO Backup
- Next
- Click Computer
- Next
- Next
- Finish

The policy will now be populated with the correct settings.

Don’t forget to apply both the GPOs to the OU containing your Windows 10 clients.
Test that clients can access the Delivery Optimization service
With the GPO applied to the clients, give them a good few reboots to pick up the GP settings and apply them.
Once again load up PortQryUI and enter the IP/hostname of a client on your network that has had the GPO applied. Select manually enter query ports, enter 7680, then click Query.

You should get back a LISTENING status:
TCP port 7680 (ms-do service): LISTENING
portqry.exe -n 127.0.0.1 -e 7680 -p TCP exits with return code 0x00000000.
If you get anything other than this, check that your firewall settings are applied and that the Delivery Optimization service isn’t set to Disabled or Manual.
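
The checks in this section can also be scripted on the client itself. The following PowerShell is an added example, not part of the original guide; the policy registry path and value name (DODownloadMode) and the service name (DoSvc) are assumptions to confirm on your build, while the firewall rule names are the ones given earlier.

```powershell
# Added example: verify this guide's settings on a Windows 10 client (run elevated).
function Test-DoClientConfig {
    param(
        [int]$ExpectedMode = 1,     # Download Mode chosen in this guide
        [string[]]$Peer = @()       # optional: other clients to probe on TCP 7680
    )
    function New-Check($Check, $Ok, $Detail) {
        [pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }
    }

    # 1. Download Mode as written by Group Policy (registry location is an assumption).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $mode = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DODownloadMode
    New-Check 'Download Mode policy' ($mode -eq $ExpectedMode) "DODownloadMode=$mode"

    # 2. Predefined inbound rules must be enabled and allowing traffic.
    #    ActiveStore is queried so rules delivered by GPO are included.
    foreach ($name in 'Delivery Optimization (TCP-In)', 'Delivery Optimization (UDP-In)') {
        $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $name -ErrorAction SilentlyContinue)
        $on    = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
        New-Check "Firewall: $name" ($on.Count -gt 0) "$($on.Count) of $($rules.Count) rule(s) enabled"
    }

    # 3. The service should not be set to Disabled or Manual.
    $svc = Get-Service -Name DoSvc -ErrorAction SilentlyContinue
    New-Check 'DoSvc start type' ($svc.StartType -eq 'Automatic') "StartType=$($svc.StartType), Status=$($svc.Status)"

    # 4. Something must be listening locally on TCP 7680.
    $listen = @(Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue)
    New-Check 'Local TCP 7680 listener' ($listen.Count -gt 0) "$($listen.Count) listening socket(s)"

    # 5. Reachability of other clients, the same test PortQryUI performs.
    foreach ($p in $Peer) {
        $t = Test-NetConnection -ComputerName $p -Port 7680 -WarningAction SilentlyContinue
        New-Check "Peer $p TCP 7680" $t.TcpTestSucceeded "RemoteAddress=$($t.RemoteAddress)"
    }
}

Test-DoClientConfig | Format-Table -AutoSize
```

Pass other client names with -Peer to repeat the port 7680 test against them; a Download Mode other than the expected value shows up as a failed first check.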

Monitor the performance of the Delivery Optimization service
The PowerShell command below can be run locally or via a PowerShell remote console.
For ease of reading I have numbered the output.
Get-DeliveryOptimizationPerfSnapThisMonth

- The number of bytes uploaded to other LAN peers in the previous calendar month
- The number of bytes uploaded to Internet peers in the previous calendar month. With option 1, as in this guide, this will always be 0 because clients will not be uploading data to Internet peers
- The number of bytes downloaded from Microsoft servers in the previous calendar month
- The number of bytes downloaded from a Microsoft Connected Cache in the previous calendar month
- The number of bytes downloaded from LAN peers in the previous calendar month
- The number of bytes downloaded from Internet peers in the previous calendar month
Check the current DO jobs status
Running the PowerShell command below outputs the current job status, showing the download and upload tasks for that client. In the example you can see a WU download task for file ID 86fe26c6ef504ec17095eb2ad1e5872f8e896ca3 with a total file size of 90889562 bytes, of which 82500954 bytes, nearly 91%, came from LAN peers.
Get-DeliveryOptimizationStatus
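
The peer share quoted above can be calculated per job, and the same pass can flag any bytes received from Internet peers, which should not occur under Download Mode 1. This is an added example, not part of the original guide; the property names BytesFromLanPeers and BytesFromInternetPeers are assumptions that depend on the Windows 10 build (check with Get-Member), and the sample object is constructed from the figures in the text.

```powershell
# Added example: per-job LAN peer share plus a check for unexpected Internet peering.
function Get-DoPeerShare {
    param([Parameter(ValueFromPipeline)]$Job)
    process {
        $size     = [double]$Job.FileSize
        $internet = [long]$Job.BytesFromInternetPeers
        [pscustomobject]@{
            FileId            = $Job.FileId
            FileSize          = $Job.FileSize
            # Share of the file that arrived from peers on the LAN.
            LanPeerPct        = if ($size -gt 0) { [math]::Round(100 * $Job.BytesFromLanPeers / $size, 1) } else { 0 }
            InternetPeerBytes = $internet
            # With Download Mode 1 nothing should come from Internet peers;
            # a non-zero value suggests the GPO is not the setting in effect.
            UnexpectedPeering = ($internet -gt 0)
        }
    }
}

# Constructed sample using the file ID and byte counts quoted in this guide.
# BytesFromHttp is simply the remainder (FileSize minus LAN peer bytes).
$sample = [pscustomobject]@{
    FileId                 = '86fe26c6ef504ec17095eb2ad1e5872f8e896ca3'
    FileSize               = 90889562
    BytesFromLanPeers      = 82500954
    BytesFromHttp          = 8388608
    BytesFromInternetPeers = 0
}
$sample | Get-DoPeerShare | Format-List

# On a live client:
#   Get-DeliveryOptimizationStatus | Get-DoPeerShare | Format-Table -AutoSize
```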

Export the Delivery Optimization log file
This is again done via PowerShell, with a simple command as below.
Get-DeliveryOptimizationLog | Set-Content c:\dosvc.txt
You can also check the Windows 10 DO console for activity levels; the easiest way to get to it is to search for Delivery Optimization on your Start Bar.

This will then show you the Activity Monitor statistics for this client

Acronyms
DO – Delivery Optimization
WU – Windows Update
WSUS – Windows Server Update Services
GP – Group Policy
GPO – Group Policy Object
External Links
- Download PortQryUI – User Interface for the PortQry Command Line Port Scanner from Official Microsoft Download Center
- Download Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2) from Official Microsoft Download Center
- Delivery Optimization reference – Windows Deployment | Microsoft Docs
One question: I have some PCs that are not directly connected to the internet, and I would like to use this feature so the internet-connected PCs can share the updates with the others.
How could I do this? I don’t have WSUS in the office because the servers are hosted in the cloud.
If I open the traffic from the PCs that are not directly on the internet to the Delivery Optimization service-specific URLs and port, could it work?
Thanks!
The machines need access to the Internet to receive information about the other machines inside the LAN to work with DO.