Optimizing Content Delivery with Microsoft Delivery Optimization and Zscaler Proxy

Introduction:

Microsoft Delivery Optimization (DO) is a feature built into Windows 10 and Windows 11 that is designed to improve the distribution of updates and applications to the devices on a network.

Delivery Optimization uses a peer-to-peer distribution model: devices share already-downloaded content with each other, which reduces internet bandwidth usage and speeds up the delivery of updates to devices.

Figure: Delivery Optimization download request flow (source: Delivery Optimization client-service communication - Windows Deployment | Microsoft Learn).

For more information about Delivery Optimization, please read What is Delivery Optimization? - Windows Deployment | Microsoft Learn

Recent Implementation:

In a recent assignment, I collaborated with a customer managing a diverse fleet of devices, including hybrid Azure AD joined (Entra) and Azure AD joined devices, all utilizing Zscaler proxy.

Configuration Essentials:

When configuring Delivery Optimization settings in Intune, the focus is on two pivotal components:

  1. Download Mode:

    • Seven modes govern the download method, each addressing specific scenarios.
    • HTTP only, no peering (0): Disables peer-to-peer caching but allows the content to come directly from the CDN or a connected cache server.
    • HTTP blended with peering behind the same NAT (1): Renamed from LAN mode. Devices share content across the same network (devices using the same public IP).
    • HTTP blended with peering across a private group (2): Renamed from Group mode. Devices are grouped together using a group ID for sharing the content.
    • HTTP blended with internet peering: Enables internet peer sources.
    • Simple download mode with no peering (99): Delivery Optimization is disabled.
    • Bypass mode (100): Applies to Windows 11 and is deprecated, so don't use this one.
  2. Peer Selection:

    • Two methods, Subnet Mask and Local Peer Discovery, control peer selection.
    • Subnet Mask restricts peers to devices within the same subnet, while Local Peer Discovery extends this to devices with the same group ID on the local network.

Testing Phase:

In the testing phase, I configured the following settings:

  • Download Mode: HTTP Blended with peering behind the same NAT (1)
  • Peer Selection: Subnet Mask

Despite the devices being on the same network with Wi-Fi enabled, both store apps and Win32 apps consistently accessed the CDN for downloads, bypassing Delivery Optimization.

Logs and Troubleshooting:

To troubleshoot, I examined the cached content folder on both devices:

  • Folder Location: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Cache

Registry keys and PowerShell scripts were used to check the deployed settings and collect Delivery Optimization logs for analysis.

Registry key to validate the DO settings deployed by Intune:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization

PowerShell:

Get-DeliveryOptimizationStatus > "C:\temp\$env:COMPUTERNAME-DeliveryOptimizationStatus-$(Get-Date -Format dd-MM-yyyy-HHmmss).txt"

Get-DeliveryOptimizationPerfSnap -Verbose > "C:\temp\$env:COMPUTERNAME-DeliveryOptimizationPerfSnap-$(Get-Date -Format dd-MM-yyyy-HHmmss).txt"

Get-DeliveryOptimizationLog | Set-Content "C:\temp\$env:COMPUTERNAME-DeliveryOptimizationLog-$(Get-Date -Format dd-MM-yyyy-HHmmss).txt"

Zscaler Proxy Challenges:

Upon reviewing logs, it became apparent that clients leveraging Zscaler proxy were not aligning with the deployed download mode and peer selection.

The following should help you understand why HTTP blended with peering behind the same NAT (1) will not work with the Zscaler proxy.

Without Proxy:

Let's say we have two machines, Device A and Device B. Both devices are in the same subnet and sit behind the same NAT, so their outbound and inbound traffic uses the same public IP.

Device A (10.10.0.1/255.255.255.0) -----> NAT (your physical router) -----> Public IP (100.24.24.225) -----> DO cloud service (Device A joins DO and is told about peers behind the same NAT, 100.24.24.225)

Device B (10.10.0.5/255.255.255.0) -----> NAT (your physical router) -----> Public IP (100.24.24.225) -----> DO cloud service (Device B joins DO and is told about peers behind the same NAT, 100.24.24.225)

Devices A and B in the same subnet sharing the same NAT successfully communicated with the Delivery Optimization cloud service.

With Zscaler Proxy:

Now with the proxy, the behavior is a little different.

Device A (10.10.0.1/255.255.255.0) -----> Proxy -----> Proxy's own NAT with a public IP (could be any) -----> DO cloud service (Device A joins DO and could land in any NAT group)

Device B (10.10.0.5/255.255.255.0) -----> Proxy -----> Proxy's own NAT with a public IP (could be any) -----> DO cloud service (Device B joins DO and could land in any NAT group)

Devices A and B communicating through the proxy exhibited different behavior due to dynamic NAT assignments by the proxy.

Desired DO Settings and PAC File Changes:

To address these challenges, I recommend adjusting the PAC file as outlined in Microsoft's documentation.

In your PAC file, you can add a condition like the following so that the DO cloud service hostnames bypass the proxy:

shExpMatch(host, "*.prod.do.dsp.mp.microsoft.com") || // your comment or ticket number for reference
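The condition above only makes sense inside a complete FindProxyForURL. The following is an added example (not from the original post or from Microsoft): a minimal PAC function that returns DIRECT for the DO cloud-service pattern quoted above and sends everything else to the proxy. The proxy address is a placeholder, and the shExpMatch shim is only there so the file runs under Node; a real PAC engine provides shExpMatch itself.

```javascript
// Shim for the PAC built-in shExpMatch: shell-style '*' and '?' wildcards,
// anchored at both ends, case-insensitive. Only needed outside a PAC engine.
function shExpMatch(str, shexp) {
  const body = shexp
    .split("")
    .map((ch) => {
      if (ch === "*") return ".*";
      if (ch === "?") return ".";
      // Escape regex metacharacters so '.' in the hostname pattern stays literal.
      return ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    })
    .join("");
  return new RegExp("^" + body + "$", "i").test(str);
}

// Placeholder proxy address (assumption, not a real Zscaler endpoint).
const DEFAULT_PROXY = "PROXY zscaler.example.internal:9400";

// The PAC entry point. Only the DO cloud-service hostnames go DIRECT, so the
// DO service sees the device's real NAT public IP for peer grouping; all other
// traffic keeps going through the proxy.
function FindProxyForURL(url, host) {
  // TICKET-0000: Delivery Optimization cloud service must bypass the proxy.
  if (shExpMatch(host, "*.prod.do.dsp.mp.microsoft.com")) {
    return "DIRECT";
  }
  return DEFAULT_PROXY;
}
```

Because shExpMatch is anchored, a lookalike host such as kv.prod.do.dsp.mp.microsoft.com.example.test does not match the pattern and still goes through the proxy.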

Revised DO Settings:

To ensure optimal performance, consider the following revised settings:

  • Old Setting: Subnet Mask for peer selection.

  • Revised Setting: Authenticated domain SID, which is also AAD or Microsoft Entra ID.

There are other DO settings, such as minimum RAM, battery level and cache size, which can be configured according to your requirements.

With these adjustments, clients within the same subnet successfully participated in Delivery Optimization, as confirmed by the logs.

#funfacts about DO that I have observed:

The DO service doesn't need to be running all the time.

The DO service will shut down if there is no content in the cache with a status of 'caching'.

If there is no content in the cache to share, the service shuts down until it is triggered again (by a content download request).

You cannot remove the cache manually until you stop the DO service, or you can use PowerShell to clear the cache.

Conclusion:

This article provides a comprehensive guide to optimizing content delivery through Microsoft Delivery Optimization, especially in environments employing Zscaler proxy.

The suggested adjustments aim to enhance the efficiency of content distribution, contributing to a seamless user experience.

References:

Delivery Optimization Internals – Get Win32 App Download Info (2pintsoftware.com)

Using a proxy with Delivery Optimization - Windows Deployment | Microsoft Learn

Delivery Optimization client-service communication - Windows Deployment | Microsoft Learn

Testing Delivery Optimization - Windows Deployment | Microsoft Learn
