Delivery Optimization GPO
Posted by Boring_Pipe_5449@reddit | sysadmin | 3 comments
Hi there, thanks for reading!
I am facing a few issues with my Delivery Optimization GPO for Windows updates. I have set the following options in my GPO and they are applied:
Download Mode = Group (2)
Source of Group IDs = AD Site (1)
On my firewall, I still see a lot of connections to other AD sites and also to the internet (4,124 target IPs in total, therefore 3,935 to the internet).
Windows updates are either coming from WSUS or Intune.
Does anyone face a similar issue?
Thank you!
MeetJoan@reddit
Delivery Optimization Group mode means "prefer peers in my group". It doesn't block internet traffic if no peer has the content yet. Those 3,935 internet connections are probably expected.
Quick things to check: are you running a Connected Cache server? Without one, clients will still hit Microsoft's CDN as fallback. Also worth verifying your Intune DO policy isn't overriding the GPO for co-managed devices. That trips people up a lot.
What destination IPs are you seeing on the firewall? If it's *.dl.delivery.mp.microsoft.com that's just normal DO CDN traffic and the policy is likely doing exactly what it's supposed to.
Boring_Pipe_5449@reddit (OP)
Thank you!
Those public IPs seem to belong to our SDWAN provider; I will check with them. But shouldn't the cross-site traffic go down to zero normally if it is based on AD site?
MeetJoan@reddit
Good point on the SDWAN IPs. Definitely worth checking with them.
On the cross-site question: AD Site grouping means clients in the same site prefer each other as peers, but if a client needs an update and no peer in its site has it cached yet, DO won't wait - it'll go to the next available source which could be another site or the internet. The "group" boundary reduces cross-site traffic, it doesn't eliminate it. You'd only get it down to near-zero with a Connected Cache server at each site acting as a local source.
What does your AD site topology look like? Are clients at smaller sites frequently hitting peers at a hub site?
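Added example (not from anyone in this thread): a PowerShell check that covers the two things discussed above, whether the GPO values for Download Mode and Group ID source are actually the ones in effect on a client (and whether an MDM/Intune policy also sets them), and how many bytes recent DO jobs pulled from peers versus HTTP, broken down by source host so `*.dl.delivery.mp.microsoft.com` CDN traffic can be told apart from anything else. It assumes a Windows 10 1803+ client with the DeliveryOptimization module; the MDM registry path is an assumption about where PolicyManager stores Intune settings.

```powershell
# Run elevated on a client that has received the GPO.
$gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
# Assumed location of MDM/Intune-delivered DO policy (PolicyManager); adjust if it differs.
$mdmPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'

function Get-DOPolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Expected for the thread's GPO: DODownloadMode = 2 (Group), DOGroupIdSource = 1 (AD site).
$policyRows = foreach ($name in 'DODownloadMode', 'DOGroupIdSource') {
    [pscustomobject]@{
        Setting = $name
        GPO     = Get-DOPolicyValue -Path $gpoPath -Name $name
        MDM     = Get-DOPolicyValue -Path $mdmPath -Name $name   # non-null here means MDM is also setting it
    }
}
$policyRows | Format-Table -AutoSize

# Per-job status: DownloadMode is the mode DO actually used for that job,
# BytesFromPeers/BytesFromHttp show where the content came from.
$jobs = Get-DeliveryOptimizationStatus
$peerBytes = ($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
$httpBytes = ($jobs | Measure-Object -Property BytesFromHttp  -Sum).Sum
"Jobs: {0}  BytesFromPeers: {1:N0}  BytesFromHttp: {2:N0}" -f $jobs.Count, $peerBytes, $httpBytes

# HTTP bytes grouped by source host; CDN hosts end in dl.delivery.mp.microsoft.com.
$jobs |
    Where-Object { $_.SourceURL } |
    ForEach-Object {
        [pscustomobject]@{
            Host      = ([uri]$_.SourceURL).Host
            Mode      = $_.DownloadMode
            HttpBytes = $_.BytesFromHttp
            PeerBytes = $_.BytesFromPeers
        }
    } |
    Group-Object Host |
    ForEach-Object {
        [pscustomobject]@{
            Host      = $_.Name
            Jobs      = $_.Count
            HttpBytes = ($_.Group | Measure-Object HttpBytes -Sum).Sum
            PeerBytes = ($_.Group | Measure-Object PeerBytes -Sum).Sum
        }
    } | Sort-Object HttpBytes -Descending | Format-Table -AutoSize
```

A client whose jobs show DownloadMode other than 2, or a non-null MDM column next to a GPO value, points at the policy conflict mentioned above rather than at normal CDN fallback.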