Q. How does the Delivery Optimization for Windows Update in Windows 10 work?
A. Windows 10 includes Delivery Optimization, a feature that lets machines share downloaded updates with other machines on their local network and even out on the Internet. It is configured via Settings - Update & security - Windows Update - Advanced options - Choose how updates are delivered.
Behind the scenes, a service named Delivery Optimization (DoSvc) is responsible for the delivery optimization of updates. Depending on the settings, firewall exceptions are enabled. They can be seen in Windows Firewall as two rules, both named Delivery Optimization, one for TCP and one for UDP, both on port 7680.
Unlike technologies such as BranchCache, which uses broadcasts to find machines holding the required content, Delivery Optimization (DO) uses a cloud service for peer discovery and peer management. This service is reached over HTTPS at *.do.dsp.mp.microsoft.com, which therefore has to be allowed outbound to the Internet even if only local network sharing is enabled.
DO then listens on port 7680 for incoming connections from peers. Port 3544 is a Teredo port used for NAT traversal, i.e. for machines on the Internet or when peering is used across NATs (Group DownloadMode).
Microsoft has a good article at https://technet.microsoft.com/en-us/itpro/windows/manage/waas-delivery-optimization which covers the Group Policies related to DO. If you cannot use DO, you could use BranchCache instead if you are running the Enterprise edition of Windows 10 (but make sure you disable DO and set DownloadMode to bypass as outlined in the aforementioned article).
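
To check on a given machine the pieces described above (the DoSvc service, the port 7680 firewall exceptions, the listener and the DownloadMode policy), the following audit script can be used. It is an added example, not taken from the Microsoft article. It assumes an elevated PowerShell session, the standard Group Policy registry location for DO, and the DownloadMode numbering from Microsoft's policy documentation.

```powershell
# Added audit example; run in an elevated PowerShell session on Windows 10.
# Assumption: DownloadMode numbers/names follow Microsoft's DO policy documentation.
$modeNames = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }
# Assumption: the policy is delivered by Group Policy to this registry key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# 1. The Delivery Optimization service (DoSvc).
$svc = Get-Service -Name DoSvc -ErrorAction SilentlyContinue

# 2. Enabled inbound firewall rules whose local port is 7680 (expect one TCP, one UDP).
$rules = foreach ($pf in (Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -contains '7680' })) {
    $rule = $pf | Get-NetFirewallRule
    if ($rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound') {
        [pscustomobject]@{ Rule = $rule.DisplayName; Protocol = $pf.Protocol; Profile = $rule.Profile }
    }
}

# 3. Is anything actually listening for peers on TCP 7680?
$listener = Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue

# 4. DownloadMode set by Group Policy, if any.
$mode = (Get-ItemProperty -Path $policyKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
$modeText = if ($null -eq $mode) {
    'not set by policy (OS default applies)'
} elseif ($modeNames.ContainsKey([int]$mode)) {
    "$mode ($($modeNames[[int]$mode]))"
} else {
    "$mode (unrecognized)"
}

# 5. Peers can reach this host only if a listener exists, the firewall allows it,
#    and the mode permits peering. An unset policy is treated as "may peer" (assumption).
$peeringModes = 1, 2, 3
$exposed = [bool]$listener -and [bool]$rules -and ($null -eq $mode -or $peeringModes -contains $mode)

[pscustomobject]@{
    Service       = if ($svc) { "$($svc.Status), start type $($svc.StartType)" } else { 'DoSvc not found' }
    FirewallRules = ($rules | ForEach-Object { "$($_.Rule) [$($_.Protocol), $($_.Profile)]" }) -join '; '
    Listening7680 = [bool]$listener
    PolicyMode    = $modeText
    PeerExposure  = $exposed
} | Format-List
```

A machine where DO has been replaced by BranchCache should report PolicyMode 100 (Bypass) and PeerExposure False.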