I wanted to share my success story in setting up and using Microsoft’s Delivery Optimization for Windows Update. After some struggle, I have Delivery Optimization working correctly in our organization. It was tough to find any information online about setting it up, I think because the idea of potentially delivering patches to other PCs on the Internet is a scary thought for admins. However, getting it to work the way it was intended really only took changing 3 Group Policy settings. Here are some of my tips/tricks:
- Download the latest ADMX for Windows 10 (1809 as of writing this). There are 25 settings for Delivery Optimization (Computer Config>Policies>Admin Templates>Windows Components>Delivery Optimization). Additional settings were added in 1809, along with some corrections to the help text, which was really confusing in earlier versions.
- The most important setting is the Download Mode setting. LAN (1) is the only option that works in our environment. I messed with Group (2) for some time because it showed a lot of promise and opens up additional configuration options. However, Group mode requires the PCs to be able to communicate out to Microsoft using the Teredo protocol (https://en.wikipedia.org/wiki/Teredo_tunneling) on port 3544, or possibly use IPv6. Microsoft’s servers determine which PCs talk to other PCs based on their group ID/SID. We block that port, and also, who wants MS to manage that? So that just leaves the one LAN option to enable.
- We also configured 2 additional settings. Basically we tell the PCs to keep cached updates until the cache uses 20% of the disk space, rather than deleting cached updates based on age (which is the default). Those two settings are Max Cache Age (set to 0) and Max Cache Size (set to 20). Here are all of the settings together:
- One caveat to using the LAN setting is that Delivery Optimization assumes that every PC that shares the same public IP is on the same LAN. In our case, that means that our “LAN” is really our entire WAN. Still better than all the PCs reaching out to the same WSUS server for updates (yes, it works great along with WSUS!). Another weird thing is that we share the same public IP address with sister organizations through the same ISP. Local PCs are blocked from sharing between the different organizations because of network segmentation, but I do see “peers” listed in the log files with other “10 dot” addresses outside our local network. All of them show up with errors and 0 bytes sent/received.
- Speaking of logs… That was something that was tough to find info on online as well. Logs are super messy and difficult to read, but they are located at C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs and the file names start with “dosvc.” Cached update files are found here: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache (not all that useful except to see that things have been cached, as they are all hashed names).
- Lastly, proving success. Each PC has a built in graphical representation of the Delivery Optimization activity. That can be found in Settings>Update & Security>Delivery Optimization>Activity monitor and looks like this (keep in mind again that “Microsoft” in this case is still our local WSUS server):
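If you would rather check the same things from PowerShell than from the Activity monitor, here is an added example script (mine, not from the original post or from Microsoft): it reads the three policy values discussed above from the registry, flags a Download Mode that allows peering beyond the local NAT, and sums peer vs. HTTP bytes from Get-DeliveryOptimizationStatus. It assumes Windows 10 1803 or later, where the DeliveryOptimization cmdlets exist, and that the policy was applied through Group Policy, so it lands in the registry key shown.

```powershell
# Added example, not part of the original post: audit one PC's effective
# Delivery Optimization policy and see how much of its download activity came
# from peers rather than HTTP. Assumes Windows 10 1803+ (DeliveryOptimization
# cmdlets present) and policy applied via GPO into the registry key below.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Download Mode values as listed in the ADMX help text.
$modeNames = @{
    0   = 'HTTP only (no peering)'
    1   = 'LAN (peer only with PCs behind the same public IP)'
    2   = 'Group (needs outbound Teredo/IPv6 to Microsoft)'
    3   = 'Internet (peers anywhere on the Internet)'
    99  = 'Simple (HTTP only, no cloud service)'
    100 = 'Bypass (BITS, Delivery Optimization not used)'
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No Delivery Optimization policy at $policyKey; Windows defaults apply."
}

$mode = if ($null -ne $policy.DODownloadMode) { [int]$policy.DODownloadMode } else { -1 }
[pscustomobject]@{
    DownloadMode    = $mode
    Meaning         = if ($mode -ge 0) { $modeNames[$mode] } else { 'not set (Windows default)' }
    MaxCacheAgeSec  = $policy.DOMaxCacheAge    # 0 = never expire cached files on age
    MaxCacheSizePct = $policy.DOMaxCacheSize   # percent of disk, e.g. 20
} | Format-List

# Modes 2 and 3 let the PC exchange update data with peers outside the local NAT.
if ($mode -in 2, 3) {
    Write-Warning "Download Mode $mode peers beyond the local network; this post uses LAN (1)."
}

# Per-file status for current/recent downloads, summed into a peer-vs-HTTP split.
$status = @(Get-DeliveryOptimizationStatus)
if ($status.Count -gt 0) {
    $fromPeers = ($status | Measure-Object -Property BytesFromPeers -Sum).Sum
    $fromHttp  = ($status | Measure-Object -Property BytesFromHttp  -Sum).Sum
    $total     = $fromPeers + $fromHttp
    $pct = if ($total -gt 0) { [math]::Round(100 * $fromPeers / $total, 1) } else { 0 }
    "Files tracked: $($status.Count); from peers: $fromPeers bytes; from HTTP: $fromHttp bytes ($pct% peer)"
} else {
    'No Delivery Optimization download activity recorded on this PC yet.'
}
```

Run it in an elevated PowerShell; “from HTTP” bytes include what came from your WSUS server, just as “Microsoft” does in the Activity monitor.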
Hopefully this helps anyone going down the same path as me and it makes it a little easier. 🙂