Enforce Windows Update Delivery Optimization registry settings to control peer caching and download mode without GPO
This Automox Worklet™ enforces Windows Update Delivery Optimization (WUDO) settings on Windows 10 and Windows 11 endpoints by writing policy values directly into the registry. The Worklet does not require Group Policy distribution, a domain join, or an Intune configuration profile, so it covers remote workstations, contractor laptops, and endpoints that legacy GPO never reaches.
The policy hive lives at HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization. The Worklet manages a targeted subset of the values an administrator would otherwise set in gpedit.msc under Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization, including DODownloadMode, DOGroupID, DOAllowVPNPeerCaching, DOMinDiskSizeAllowedToPeer, DOModifyCacheDrive, DOMaxCacheSize, DOMaxCacheAge, DOAbsoluteMaxCacheSize, DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DORestrictPeerSelectionBy, DOVpnKeywords, and DODisallowCacheServerDownloadsOnVPN.
Add the desired parameters to the Compare-DeliveryOptimization call at the bottom of evaluation.ps1 and the Set-DeliveryOptimization call at the bottom of remediation.ps1, then run the policy on a recurring schedule. Each evaluation re-reads the registry, so any drift introduced by a user with local admin, a competing GPO, or an image refresh is caught on the next run and corrected without touching the endpoint by hand.
Default Delivery Optimization behavior on Windows 10 and Windows 11 is peer-assisted (DODownloadMode 1), which is fine on a corporate LAN but problematic over VPN, on home networks, and on metered cellular connections. A large update at the wrong DODownloadMode can saturate the WAN link at a branch office, disrupt real-time collaboration tools, and push monthly egress past budget. Setting DODownloadMode to 0 disables peering outright when you need every endpoint to pull from Microsoft directly. CIS Microsoft Windows 11 Benchmark control 18.10.50.1 expects DODownloadMode to be configured explicitly rather than left at default, and the same control is enforced under most ISO 27001 endpoint hardening profiles.
WUDO drift hits two failure modes: a tampered registry value that quietly re-enables peering during a sensitive patch window, or a missing key that reverts the endpoint to the default DODownloadMode 1. A recurring Automox policy enforces the configured DODownloadMode and peer caching values on every evaluation, so the next policy run catches drift before it becomes an audit finding for CIS 18.10.50.1 or a saturated WAN link during the next Patch Tuesday. The same policy run reaches every domain-joined workstation, every Azure AD-joined laptop, and every standalone endpoint in the same evaluation cycle.
Evaluation phase: The Worklet reads each managed value under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization with Get-ItemPropertyValue and compares it against the desired value declared in the Compare-DeliveryOptimization call. A missing key, a mismatched DODownloadMode (0 HTTP only, 1 LAN, 2 group, 3 internet, 99 simple, 100 bypass), or any other out-of-range value marks the endpoint non-compliant. The script exits 1 to schedule remediation; exit 0 means the endpoint already matches the policy and nothing runs.
Remediation phase: remediation.ps1 creates the DeliveryOptimization policy key if it is missing, then writes each managed value with New-ItemProperty -Force using the registry type defined in the script map (dword for DODownloadMode, DOAllowVPNPeerCaching, DORestrictPeerSelectionBy, and DODisallowCacheServerDownloadsOnVPN; string for all other values). Exit 0 indicates a clean apply; a non-zero exit surfaces the registry error in the Automox activity log.
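The evaluation and remediation phases described above, condensed into one script as an added example (this is not Automox's Worklet code). The function names, the -Remediate switch, the sample $Desired policy, and exit code 2 for a rejected configuration are assumptions made for this illustration.

```powershell
# Added example, not the Worklet's code. Function names and $Desired are hypothetical.
param([switch]$Remediate)
$ErrorActionPreference = 'Stop'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
# Per the page: these four are written as DWORD, every other managed value as String.
$DwordValues = 'DODownloadMode', 'DOAllowVPNPeerCaching',
               'DORestrictPeerSelectionBy', 'DODisallowCacheServerDownloadsOnVPN'
# Constructed sample policy for VPN-only laptops: no peering, no VPN peer caching.
$Desired = @{ DODownloadMode = 0; DOAllowVPNPeerCaching = 0 }

function Get-DoPolicyDrift {
    param([string]$Path, [hashtable]$Desired)
    foreach ($name in $Desired.Keys) {
        $actual = $null
        try {
            # Throws when the key or the value is missing; both count as drift.
            $actual = Get-ItemPropertyValue -Path $Path -Name $name
        } catch { }
        if ($null -eq $actual -or "$actual" -ne "$($Desired[$name])") {
            [pscustomobject]@{ Name = $name; Actual = $actual; Desired = $Desired[$name] }
        }
    }
}

function Repair-DoPolicy {
    param([string]$Path, [object[]]$Drift)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($item in $Drift) {
        $type = if ($DwordValues -contains $item.Name) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $Path -Name $item.Name -Value $item.Desired `
            -PropertyType $type -Force | Out-Null
    }
}

# Reject a desired mode outside the set the page recommends (100 is deprecated).
# Exit code 2 is this example's own choice, not an Automox convention.
if ($Desired.ContainsKey('DODownloadMode') -and $Desired['DODownloadMode'] -notin 0, 1, 2, 3, 99) {
    Write-Error 'DODownloadMode must be 0, 1, 2, 3 or 99' -ErrorAction Continue
    exit 2
}
$drift = @(Get-DoPolicyDrift -Path $PolicyPath -Desired $Desired)
if ($drift.Count -eq 0) { exit 0 }                     # compliant, nothing to do
$drift | ForEach-Object { Write-Output "$($_.Name): found '$($_.Actual)', want '$($_.Desired)'" }
if (-not $Remediate) { exit 1 }                        # evaluation: schedule remediation
Repair-DoPolicy -Path $PolicyPath -Drift $drift        # an unhandled registry error exits non-zero
exit 0
```

The comparison is on the value only; a value stored with the wrong registry type but the right content is not flagged by this example.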
Windows 10 or Windows 11 (Pro, Enterprise, or Education). Home editions ignore the policy hive and fall back to defaults.
Automox agent running as SYSTEM (the default) so it can write under HKLM:\SOFTWARE\Policies.
PowerShell 5.1 or later available on the endpoint (built into all supported Windows versions).
Add the desired parameters to the Compare-DeliveryOptimization call in evaluation.ps1 and the Set-DeliveryOptimization call in remediation.ps1. For DODownloadMode, set one of 0, 1, 2, 3, or 99. Avoid mode 100 on Windows 11 – that value is deprecated and can cause some content to fail to download; use mode 0 to disable peer-to-peer instead.
For DODownloadMode 2 (group peering), set DOGroupID to a consistent GUID (example: {944fa07e-ecad-49f4-8dd1-5d4b93578b74}) and apply the same value across the peer group. Endpoints with different DOGroupID values will not peer with each other.
If you set DOModifyCacheDrive, point it at a fixed local volume (for example, D:\). Removable media and network drives are rejected by the Delivery Optimization service.
Network connectivity to Microsoft Delivery Optimization endpoints (*.do.dsp.mp.microsoft.com over 443/TCP and 7680/TCP for peer traffic) for any mode other than 0.
After the Worklet runs successfully, the DeliveryOptimization policy key exists under HKLM:\SOFTWARE\Policies\Microsoft\Windows\ and every managed value matches the desired configuration. No reboot is required. Subsequent evaluations exit 0 and the endpoint reports compliant in the Automox console without re-running remediation.
Validate the apply by running Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' in an elevated PowerShell session and confirming every value matches the policy. For runtime evidence, run Get-DeliveryOptimizationStatus to surface the active download mode, current cache size, peer count, and bytes transferred per source. gpedit.msc under Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization will show each setting as Enabled with the matching values once the policy refreshes.
Common mode choices in practice: DODownloadMode 1 for office-network endpoints; DODownloadMode 0 for VPN-only laptops that should pull directly from Microsoft; DODownloadMode 2 plus a per-site DOGroupID for branch offices that share a NAT and a slow WAN link. Settings persist across reboots, Windows updates, and image refreshes – if a user or a competing tool clears the policy key, the next Automox evaluation compares the registry values to the policy parameters and the remediation script rewrites whatever is missing.


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
