In this post we will be discussing on how to install RAT for WSUS configured devices using Group Policy. With workstations such Windows 10 or Windows 11 with domain joined, there will be scenario where SCCM / WSUS is installed. It could be standalone Windows Server Update Services or could be Configuration manager installed with Software Update point role which eventually uses WSUS only to download the metadata.
This kind of configuration protects the devices directly contacting the Windows update. While you try to install RSAT – Remote Server Administration Tools you will get error.
There could be multiple ways of installing the RSAT, but it will fail with every scenario.
For example, if you are trying to install RSAT using Optional features, you need to go to Settings > Apps > Apps & Features > Optional features. And when you try to Add a feature lets say RSAT: Active Directory Domain Services and Lightweight Directory Services Tools, you will see the error “Install failed”
This will be applicable for every kind of installation of optional features you are aware of.
That could be either through PowerShell to install RSAT:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
Or could be using Command line to install RSAT tools:
dism /online /get-capabilityinfo /capabilityname:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
This will eventually fail with error code 0x8024402c. You will see the error:
Add-WindowsCapability: Add-WindowsCapability failed. Error code – 0x8024402c
How to Install RSAT when WSUS configured
The question might come in mind, what is the way to install RSAT where windows update is not reachable because of WSUS configuration in place which is blocking the access.
There could be multiple ways and depends upon how you want to achieve it.
But the most efficient way to configure it through a group policy where we can set policy to skip contact WSUS and directly contact Microsoft Windows update.
Login to Domain controller,launch Group Policy Management (gpmc.msc) and create new policy / edit policy. Navigate to Computer Configuration > Policies > Administrative Templates > System.
Select Specify settings for optional component installation and component repair. Enable the policy and check the box for Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)
That’s it, this is all we require. Navigate to Windows 10 / Windows 11 device. Run Gpupdate /force. And try installing the RSAT tools again, and this time we can see the tool got installed successfully
Install RSAT using FOD (Feature on Demand ISO)
GPO is a good option if we have to apply it in environment. But that might not be the case every time because of security approvals and as per solution architect design document it might not allow organizations to enable this feature.
The is one of the easiest method which can be applicable for user when he/she is having a Feature on Demand (FOD) iso. Once image is mounted, we can use the path as source.
We can use following PowerShell command to install RSAT tools with source specified:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -LimitAccess -Online -Source D:
This might look like lot of work to be done to get the ISO and run the command.
Install RSAT using SCCM
There is another way where we are not going to apply any policy but to bypass WSUS configuration as a PowerShell Script. This script will simply disable WSUS Server configuration, will run the command to install the tool and will re-enable WSUS at the end.
The below PowerShell Script will perform task:
- Set UseWUServer to 0, to disable WSUS Config.
- Restart Windows Update service
- Install RSAT – Active Directory tools
- Set UseWUServer to 1, to enable WSUS
- Restart Windows update service
<#Disable WSUServer value to 1 Run Windows Capability to directly download the components from internet Enable WSUServer value to 0 #>
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value 0
Restart-Service "Windows Update" -ErrorAction SilentlyContinue
Write-Host "Adding Components…" -ForegroundColor Green
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value 1
Restart-Service "Windows Update" -ErrorAction SilentlyContinue
This has been explained in detail Deploy Quick Assist using SCCM | Configuration Manager ManishBangia. The technique remains the same which will be applicable not only for RSAT tools but all other optional features. Following are the RSAT tools which can be installed:
RSAT: Active Directory Domain Services and Lightweight Directory Services Tools |
RSAT: BitLocker Drive Encryption Administration Utilities |
RSAT: Active Directory Certificate Services Tools |
RSAT: DHCP Server Tools |
RSAT: DNS Server Tools |
RSAT: Failover Clustering Tools |
RSAT: File Services Tools |
RSAT: Group Policy Management Tools |
RSAT: IP Address Management (IPAM) Client |
RSAT: Data Center Bridging LLDP Tools |
RSAT: Network Controller Management Tools |
RSAT: Network Load Balancing Tools |
RSAT: Remote Access Management Tools |
RSAT: Remote Desktop Services Tools |
RSAT: Server Manager |
RSAT: Shielded VM Tools |
RSAT: Storage Migration Service Management Tools |
RSAT: Storage Replica Module for Windows PowerShell |
RSAT: System Insights Module for Windows PowerShell |
RSAT: Volume Activation Tools |
RSAT: Windows Server Update Services Tools |
To check and see and see what is the capability name, here is the list:
Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 |
Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0 |
Rsat.CertificateServices.Tools~~~~0.0.1.0 |
Rsat.DHCP.Tools~~~~0.0.1.0 |
Rsat.Dns.Tools~~~~0.0.1.0 |
Rsat.FailoverCluster.Management.Tools~~~~0.0.1.0 |
Rsat.FileServices.Tools~~~~0.0.1.0 |
Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 |
Rsat.IPAM.Client.Tools~~~~0.0.1.0 |
Rsat.LLDP.Tools~~~~0.0.1.0 |
Rsat.NetworkController.Tools~~~~0.0.1.0 |
Rsat.NetworkLoadBalancing.Tools~~~~0.0.1.0 |
Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0 |
Rsat.RemoteDesktop.Services.Tools~~~~0.0.1.0 |
Rsat.ServerManager.Tools~~~~0.0.1.0 |
Rsat.Shielded.VM.Tools~~~~0.0.1.0 |
Rsat.StorageMigrationService.Management.Tools~~~~0.0.1.0 |
Rsat.StorageReplica.Tools~~~~0.0.1.0 |
Rsat.SystemInsights.Management.Tools~~~~0.0.1.0 |
Rsat.VolumeActivation.Tools~~~~0.0.1.0 |
Rsat.WSUS.Tools~~~~0.0.1.0 |