**DISCLOSURE:** While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.
Imagine you are sitting at home, one computer in the house, and your computer needs to download patches for Microsoft Windows 10. No big deal… if there are 250 MB of patches, your computer will download 250 MB of patches and be done with it.[1] It takes precisely 250 MB and is in no real way going to tax the average home Internet conduit.
Now imagine you are sitting in your office with 500 coworkers, and all of your computers need to download 250 MB of patches. Without proper planning, we are now talking 125 GB of downloads. This will slow things down somewhat.
Enter Delivery Optimization (DO). In a nutshell, Delivery Optimization will allow all of your computers to work together, downloading the bits from the Internet once and then sharing it internally. To set this up, we need to create a Configuration Profile.
Navigate to your Microsoft Endpoint Manager admin center (https://www.endpoint.microsoft.com). In the navigation pane click Devices, then under the Policy section click Configuration profiles.
In the Devices | Configuration profiles screen click + Create profile.
In the Create a profile sidebar that appears, select Windows 10 and later from the Platform dropdown menu, and then Templates from the Profile type dropdown menu. In the list that appears, Delivery Optimization should be close to the top. Click it and then click Create at the bottom.
In the Basics tab, enter a name (and description) for your profile. Click Next.
The Configuration settings tab is where most of our work is going to be done, and where most of the explanations will be needed. Let’s look at the options:
Download mode specifies the method that DO can use to manage network bandwidth consumption for content distribution scenarios. As of this writing there are seven (7) options:
- Not configured. This option should be perfectly clear.
- HTTP only, no peering: Computers will download updates directly from the Internet, and will not leverage any peer-to-peer sharing.
- HTTP blended with peering behind same NAT: Computers can get updates from the Internet, or from other computers on your network that are behind the same Network Address Translation (NAT) IP addresses.
- HTTP blended with peering across private group: Computers can get updates from computers in the same Active Directory Domain Services (AD DS) site, or in the same domain. This option can be dangerous when computers are geographically dispersed, because all of a sudden your computers in Seattle are downloading from a cache in Paris. Only use this option if your AD sites are properly configured and maintained.
- HTTP blended with internet peering: Computers can get updates from the Internet, or from other computers on your network.
- Simple download mode with no peering: Computers will get updates directly from the Internet.
- Bypass mode: Your computers will use Background Intelligent Transfer Services (BITS) to get updates, and not Delivery Optimization.
I will select HTTP blended with peering behind same NAT.
Restrict Peer Selection (only available if Download Mode is set to one of the HTTP blended with peering options) allows you to restrict peer selection to a specific group of devices. If you like, you can set it up so your computers will only select a peer on the same subnet mask.
Group ID source (only available if your Download mode is set to HTTP blended with peering across private group) restricts peer selection to a specific group of devices, such as an AD site, Authenticated domain SID, DHCP user option, DNS Suffix, or Custom.
Bandwidth is how Intune determines the maximum bandwidth that Delivery Optimization can use across all concurrent download activities. Your options are:
- Absolute allows you to specify the maximum download bandwidth (in KB/s) that a device can use across all its concurrent DO download activities.
- Percentage allows you to specify the maximum foreground download bandwidth and maximum background download bandwidth that a device can use across all its concurrent DO download activities.
- Percentage with business hours is the same as Percentage, but allows you to specify different levels for business hours versus non-business hours.
Delay background HTTP download (in seconds) allows you to configure a maximum time to delay a background download of content over HTTP. This configuration applies only to downloads that support a peer-to-peer download source. During this delay, the device searches for a peer with the content available. While waiting for a peer source, the download appears to be stuck for the end user.
Delay foreground HTTP download (in seconds) allows you to configure a maximum time to delay a foreground (interactive) download of content over HTTP. This configuration applies only to downloads that support a peer-to-peer download source. During this delay, the device searches for a peer with the content available. While waiting for a peer source, the download appears to be stuck for the end user.
Minimum RAM required for peer caching lets you specify the minimum RAM size that a device needs to use peer caching. Devices short on memory might be bad candidates.
Minimum disk size required for peer caching lets you specify the minimum disk size a device must have… although frankly I think it would be smarter to specify how much free space instead of disk size, which you can do further down the list.
Minimum content file size for peer caching (in MB) specifies how large a file you need for peer caching to kick in. Anything smaller will just come direct from the Internet.
Minimum battery level required to upload (in %) allows you to prevent devices with short battery lives from offering peer caching.
Modify cache drive allows you to specify what drive a computer will use for peer caching. By default it will use the system drive (%SystemDrive%), but this can be changed.
Maximum cache age (in days) specifies how long a peer should keep its patch files.
Maximum cache size type lets you manage the amount of disk space on a device. By default, DO will use 20% of free space available.
VPN peer caching reminds us that a lot of computers are connecting to our network remotely, and might not be efficient peer caching candidates.
Cache server fully qualified domain names (FQDN) or IP addresses lets you specify a cache server for Delivery Optimization, rather than allowing all devices to participate.
Delay foreground/background download Cache Server fallback (in seconds) specifies the time to delay the fallback from the specified cache server to the HTTP source for a foreground/background content download.
When you have configured all of your options on the Configuration settings tab, click Next.
On the Assignments tab, select the groups to include (or exclude) from the profile. You can be selective, or you can include either all devices, or all users. Click Next.
On the Applicability Rules tab, you can either include or exclude specific versions and/or editions of the operating system. Do so, then click Next.
On the Review + create tab look over all of your choices, and then click Create.
At this point, your patch management will start using much less bandwidth, and work much more efficiently. This can be as simple or as complex as you want it to be, with some organizations using one DO profile, and others using dozens or more. Work with your networking and desktop teams to see what is best for your organization. Now go forth and optimize!
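Once the profile has reached a client, you can check that peering stays within the scope chosen under Download mode. The PowerShell below is an added example, not part of the original article: it flags any `Get-DeliveryOptimizationStatus` row that exchanged bytes with a peer type the expected mode does not allow. The function name `Test-DOPeerSources` and the sample rows are constructed for illustration; the keys 0, 1, 2, 3, 99 and 100 are the Delivery Optimization policy values for the six configured Download mode options, in the order listed above.

```powershell
# Added example: peer types each Delivery Optimization download mode may exchange bytes with.
# Keys are the DO download-mode policy values; comments give the option names used in Intune.
$PeerSourcesAllowed = @{
    0   = @()                    # HTTP only, no peering
    1   = @('Lan')               # HTTP blended with peering behind same NAT
    2   = @('Lan', 'Group')      # HTTP blended with peering across private group
    3   = @('Lan', 'Internet')   # HTTP blended with internet peering
    99  = @()                    # Simple download mode with no peering
    100 = @()                    # Bypass mode (BITS)
}

function Test-DOPeerSources {    # hypothetical helper name
    param(
        [Parameter(Mandatory)][int]$ExpectedMode,
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Status
    )
    begin {
        if (-not $PeerSourcesAllowed.ContainsKey($ExpectedMode)) {
            throw "Unknown download mode $ExpectedMode"
        }
        $allowed = $PeerSourcesAllowed[$ExpectedMode]
    }
    process {
        foreach ($source in 'Lan', 'Group', 'Internet') {
            if ($allowed -contains $source) { continue }
            # Both directions matter: content pulled from, and served to, this peer type.
            $down = [long]$Status."BytesFrom${source}Peers"
            $up   = [long]$Status."BytesTo${source}Peers"
            if ($down -gt 0 -or $up -gt 0) {
                [pscustomobject]@{
                    FileId         = $Status.FileId
                    Source         = $source
                    BytesFromPeers = $down
                    BytesToPeers   = $up
                }
            }
        }
    }
}

# Constructed sample rows shaped like Get-DeliveryOptimizationStatus output.
$sample = @(
    [pscustomobject]@{ FileId = 'constructed-1'; BytesFromLanPeers = 198MB; BytesToLanPeers = 40MB
        BytesFromGroupPeers = 0; BytesToGroupPeers = 0; BytesFromInternetPeers = 0; BytesToInternetPeers = 0 }
    [pscustomobject]@{ FileId = 'constructed-2'; BytesFromLanPeers = 10MB; BytesToLanPeers = 0
        BytesFromGroupPeers = 0; BytesToGroupPeers = 0; BytesFromInternetPeers = 12MB; BytesToInternetPeers = 3MB }
)
$sample | Test-DOPeerSources -ExpectedMode 1   # flags only constructed-2 (Internet peers)
# On a managed client: Get-DeliveryOptimizationStatus | Test-DOPeerSources -ExpectedMode 1
```

No output for a device means every transfer stayed within the peer scope the profile assigned; any row returned is worth comparing against the profile actually applied to that device.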
[1] Remembering with fondness the days when it took seven minutes to download a simple GIF image off an electronic BBS in 1986, this statement can truly boggle the mind!