safety commit

windows/deployment/update/waas-delivery-optimization-reference.md

@@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do
 
 By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
 
-[//]: # (Configuration Manager Boundary Group option; GroupID Source policy)
+[//]: # (Configuration Manager boundary group option; GroupID Source policy)
 
 >[!NOTE]
 >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)

windows/deployment/update/waas-delivery-optimization-setup.md

@@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se
 >[!NOTE]
 >These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set.
 
+> [!NOTE]
+> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings).
+
 Quick-reference table:
 
 | Use case | Policy | Recommended value | Reason |
@@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat
 
 To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**.
 
+> [!NOTE]
+> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization).
+
 
 ### Large number of mobile devices
 

windows/deployment/update/waas-delivery-optimization.md

@@ -124,6 +124,30 @@ For the payloads (optional):
 
 **How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
 
+**How does Delivery Optimization handle VPNs?**
+Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
+
+If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the {WE SHOULD NAME OR POINT TO THIS POLICY} policy.
+
+If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN.
+
+With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints:
+
+Delivery Optimization service endpoint:
+- `https://*.prod.do.dsp.mp.microsoft.com`
+
+Delivery Optimization metadata:
+- `http://emdl.ws.microsoft.com`
+- `http://*.dl.delivery.mp.microsoft.com`
+
+Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
+
+- `http://*.windowsupdate.com`
+- `https://*.delivery.mp.microsoft.com`
+- `https://*.update.microsoft.com`
+- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
+
+For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
 
 ## Troubleshooting