Nomad SECure enables content to be compressed and signed, and also encrypted on the DP which clients can download. If you intend to use this feature, you must update all Nomad clients to 6.1 or later, or they will fail to download encrypted content. This is because clients older than 6.1 only support the original unencrypted data format. Content is downloaded according to the data format specified in the client policy:

  • 0 – original - Nomad SECure is not used
  • 1 – compressed + signed
  • 2 – compressed + signed + encrypted

Compression is required for encryption. Signing is automatically enabled if compressed.

SECure and AOT LSZ generation features are not supported on Cloud DPs.

On this page:

Enabling the SECure feature

Client policy

  • For packages/task sequences, compression and encryption can be applied on individual packages.
  • For applications, compression and encryption applies to all applications as the option is in client settings.
  1. On Configuration Manager:
    1. To mark content for a compressed and encrypted download, update the Nomad tab:
      Marking download content for compression and encryption

    2. Click OK.
  2. On the client, peers will only respond if the format they hold matches those of the election.

To illustrate the data formats in the LSZ files:

  • Compressed data format (1)
    Compressed data format in the LSZ file
  •  Encrypted data format (2)
    Encrypted data format in the LSZ file


You can use the smsnomad command-line to set the data format for packages. For example:

smsnomad --s --pp="http://[server]/SMS_DP_SMSPKG$/PS100014" --prestage --contentid=PS100014 --ver=7 --wr=10 --pc=1 --df=1


  • --s is where we run Nomad independently of Configuration Manager
  • --pp is directory containing the source files to be downloaded
  • --prestage enables Nomad to download a package without the need to run any executable in the package
  • --contentid is the content identifier
  • --ver is the version of the package to be downloaded
  • --wr is the workrate
  • --pc is the priority for the cache
  • --df is the data format 

AOT LSZ generation

When Nomad runs on Configuration Manager, it automatically triggers the Ahead-of-time (AOT) LSZ generation. This feature reduces time the client has to wait before the LSZ is generated and downloaded from the DP. 

AOT runs on the Site Server monitoring deployments that are currently running. For any content that is compressed and/or encrypted, it sends a HTTP/S message to Nomad on DPs that have the content. It behaves as follows:

  • AOT works with compressed (1) and encrypted (2) data formats (SupportedDataFormats). 
  • Scanning of candidates for AOT LSZ requests is carried out every 30 minutes
  • Nomad keeps an in-memory log of AOT requests to DPs – it is lost if you restart the service. AOT requests sent successfully are not sent again. AOT requests are resent if service is bounced, content version is changed or content format is changed.

Prerequisites for AOT are:

  • Content must be distributed to DPs
  • Content must be deployed using supported data formats - compressed, or compressed + encrypted

  • Deployment schedules must be within the AOT time frame – the default for PastWindowsHrs is 6 and FutureWindowsHrs is 24 
  • Content size should be above a threshold - default 1GB

Pre-caching and software updates are not supported by AOT.

SECure and AOT LSZ generation features are not supported on Cloud DPs.