In this post we will be discussing on how to install RAT for WSUS configured devices using Group Policy. With workstations such Windows 10 or Windows 11 with domain joined, there will be scenario where SCCM / WSUS is installed. It could be standalone Windows Server Update Services or could be Configuration manager installed with Software Update point role which eventually uses WSUS only to download the metadata.

This kind of configuration protects the devices directly contacting the Windows update. While you try to install RSAT – Remote Server Administration Tools you will get error.

There could be multiple ways of installing the RSAT, but it will fail with every scenario.

For example, if you are trying to install RSAT using Optional features, you need to go to Settings > Apps > Apps & Features > Optional features. And when you try to Add a feature lets say RSAT: Active Directory Domain Services and Lightweight Directory Services Tools, you will see the error “Install failed

RSAT install failed

This will be applicable for every kind of installation of optional features you are aware of.

That could be either through PowerShell to install RSAT:

Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~ -Online

Or could be using Command line to install RSAT tools:

dism /online /get-capabilityinfo /capabilityname:Rsat.ActiveDirectory.DS-LDS.Tools~~~~

This will eventually fail with error code 0x8024402c. You will see the error:

Add-WindowsCapability: Add-WindowsCapability failed. Error code – 0x8024402c

How to Install RSAT when WSUS configured

The question might come in mind, what is the way to install RSAT where windows update is not reachable because of WSUS configuration in place which is blocking the access.

There could be multiple ways and depends upon how you want to achieve it.

But the most efficient way to configure it through a group policy where we can set policy to skip contact WSUS and directly contact Microsoft Windows update.

Login to Domain controller,launch Group Policy Management (gpmc.msc) and create new policy / edit policy. Navigate to Computer Configuration > Policies > Administrative Templates > System.

Select Specify settings for optional component installation and component repair. Enable the policy and check the box for Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)

InstallRSATwithWSUS 02 1

That’s it, this is all we require. Navigate to Windows 10 / Windows 11 device. Run Gpupdate /force. And try installing the RSAT tools again, and this time we can see the tool got installed successfully

InstallRSATwithWSUS 03

Install RSAT using FOD (Feature on Demand ISO)

GPO is a good option if we have to apply it in environment. But that might not be the case every time because of security approvals and as per solution architect design document it might not allow organizations to enable this feature.

The is one of the easiest method which can be applicable for user when he/she is having a Feature on Demand (FOD) iso. Once image is mounted, we can use the path as source.

We can use following PowerShell command to install RSAT tools with source specified:

Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~ -LimitAccess -Online -Source D:

This might look like lot of work to be done to get the ISO and run the command.

Install RSAT using SCCM

There is another way where we are not going to apply any policy but to bypass WSUS configuration as a PowerShell Script. This script will simply disable WSUS Server configuration, will run the command to install the tool and will re-enable WSUS at the end.

The below PowerShell Script will perform task:

  1. Set UseWUServer to 0, to disable WSUS Config.
  2. Restart Windows Update service
  3. Install RSAT – Active Directory tools
  4. Set UseWUServer to 1, to enable WSUS
  5. Restart Windows update service
<#Disable WSUServer value to 1 Run Windows Capability to directly download the components from internet Enable WSUServer value to 0 #>
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value 0
Restart-Service "Windows Update" -ErrorAction SilentlyContinue
Write-Host "Adding Components…" -ForegroundColor Green
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~ -Online
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value 1
Restart-Service "Windows Update" -ErrorAction SilentlyContinue

This has been explained in detail Deploy Quick Assist using SCCM | Configuration Manager ManishBangia. The technique remains the same which will be applicable not only for RSAT tools but all other optional features. Following are the RSAT tools which can be installed:

RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
RSAT: BitLocker Drive Encryption Administration Utilities
RSAT: Active Directory Certificate Services Tools
RSAT: DHCP Server Tools
RSAT: DNS Server Tools
RSAT: Failover Clustering Tools
RSAT: File Services Tools
RSAT: Group Policy Management Tools
RSAT: IP Address Management (IPAM) Client
RSAT: Data Center Bridging LLDP Tools
RSAT: Network Controller Management Tools
RSAT: Network Load Balancing Tools
RSAT: Remote Access Management Tools
RSAT: Remote Desktop Services Tools
RSAT: Server Manager
RSAT: Shielded VM Tools
RSAT: Storage Migration Service Management Tools
RSAT: Storage Replica Module for Windows PowerShell
RSAT: System Insights Module for Windows PowerShell
RSAT: Volume Activation Tools
RSAT: Windows Server Update Services Tools

To check and see and see what is the capability name, here is the list: