Oct 082018
 
Microsoft Windows Logo

If you are running Microsoft Windows in a domain environment with WSUS configured, you may notice that you’re not able to install some FODs (Features on Demand), or use the “Turn Windows features on or off”. This will stop you from installing things like the RSAT tools, .NET Framework, Language Speech packs, etc…

You may see “failure to download files”, “cannot download”, or errors like “0x800F0954” when running DISM to install packages.

To resolve this, you need to modify your domain’s group policy settings to allow your workstations to query Windows Update servers for additional content. The workstations will still use your WSUS server for approvals, downloads, and updates, however in the event content is not found, it will query Windows Update.

Enable download of “Optional features” directly from Windows Update

  1. Open the group policy editor on your domain
  2. Create a new GPO, or modify an existing one. Make sure it applies to the computers you’d like
  3. Navigate to “Computer Configuration”, “Policies”, “Administrative Templates”, and then “System”.
  4. Double click or open “Specify settings for optional component installation and component repair”
  5. Make sure “Never attempt to download payload from Windows Update” is NOT checked
  6. Make sure “Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)” IS checked.
  7. Wait for your GPO to update, or run “gpupdate /force” on the workstations.

Please see an example of the configuration below:

Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)

You should now be able to download/install RSAT, .NET, Speech language packs, and more!

  22 Responses to “Enable Windows Update “Features on Demand” and “Turn Windows features on or off” in WSUS Environments”

  1. […] *Please Note: If you are using WSUS, you may not be configured to download “optional features” from Windows Update (resulting in “cannot download”, or “0x800F0954”). To resolve this, please follow the instructions at: https://www.stephenwagner.com/2018/10/08/enable-windows-update-features-on-demand-and-turn-windows-f… […]

  2. Hi Stephen. I’m trying it on my Windows 2008 R2 and there is no “Specify settings for optional component installation and component repair” option…

  3. Hi Cristian,

    Is your server fully up to date? I’m wondering if 2008 R2 doesn’t support support these GPO options in that version of Active Directory.

    2008 R2 is reaching end of life soon. When you upgrade I think it should become available.

    Cheers,
    Stephen

  4. Hi Stephen,

    Just wanted to say thanks for this post.
    Added it to my deployment plan for networks and it totally fixed my problem.

  5. To Christian: If you look at the window above in the screenshot, you can see that this setting is only supported on Windows 2012, Windows 8 or Windows RT. It is not applicable to Server 2008R2

  6. I just wanted to join in thanking you so very much for posting this information. You saved me a tonne of time.

  7. Second time you saved me…

  8. Glad I could help Pawel!

    Cheers,
    Stephen

  9. I’ve found that even with that oolicy enabled, we still could not install RSAT as a FOD. This is because we also have “Computer Configuration -> Administrative Settings -> System -> Internet Communication Management -> Internet Communication settings -> Turn off access to all Windows Update features” enabled. The reason we normally have that policy enabled is because it prevents Device Manager from automatically installing driver updates. We want to control the drivers installed in our environment.

  10. PS C:\WINDOWS\system32> DISM.exe /Online /add-capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

    Deployment Image Servicing and Management tool
    Version: 10.0.17763.1

    Image Version: 10.0.17763.316

    [==========================100.0%==========================]

    Error: 2

    The system cannot find the file specified.

    The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log

  11. Thank you, thank you, thank you.
    I have been trying to solve this for weeks and finally did the right google search to find this post.

  12. Thank you for this post i finally go them to install will also properly work via the GUI as well now

  13. You’re awesome!

  14. Hmmm. I’ve enabled the “Specify settings for optional component installation and component repair,” turned on “Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS),” but I still get this error:

    Deployment Image Servicing and Management tool
    Version: 10.0.17763.1

    Image Version: 10.0.17763.529

    [==========================100.0%==========================]

    Error: 0x8024002e

    DISM failed. No operation was performed.
    For more information, review the log file.

    The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log

  15. I’d recommend checking the log file to see what’s going on.

    Also, maybe try a “gpupdate /force” and restart. Then try again as well.

    “0x8024002e” is usually a windows update error, so I’m wondering if the GPO hasn’t been applied (gpupdate should fix this), or if your Windows Update components may be corrupted. You might have to reset your Windows Update. If you’re managing your Windows Updates with a 3rd party application, this may also cause this issue.

    Stephen

  16. On item #4, using Windows 8.1 Home edition, “Specify settings for optional component installation and component repair” is not on the list. How can I update the list?

  17. Hi Steve,

    If it’s not there, I’m wondering if you’re administrative templates for your GPO are old and out of date.

    I think you can either download the GPO Administrative Templates, or grab them off a Windows 10 computers (or newer Windows Server), and add them to your AD Template Store, then the option should become available.

    Cheers,
    Stephen

  18. I’ve been having this problem for YEARS, and eventually just took it as a fact of life that I will need to specify source files from Windows Media in some WSUS environments. Thank you SO MUCH for this post.

    There is truly no reason this policy should not be in the “Windows update” container in GPedit, or the repair/content files should be automagically imported to WSUS when you enable feature on demand.

  19. What if your environment, including all domain controllers, WSUS, and workstations, are in a closed room with no possible internet access/connection? If the WSUS repository here has been manually seeded offline and works for other updates, will this solution work as long as “Feature Packs” is selected for an update classification? Are there any other update classifications required to be selected in addition to Feature Packs? We already have the other necessary ones selected and synchronized offline and working in the closed environment. I read somewhere else that “Updates” needed to be selected as well, but we are trying to avoid selecting unnecessary classifications in order to keep the amount of data down because it’s a bit of a chore to get it into the closed room. It’s for a military contract in case you are wondering.

  20. Hey Vinnie,

    That’s a tough one. The resolutions I’ve posted allow the Windows workstations to bypass WSUS to install Features or Roles. Having them completely cut off kinda breaks that, lol.

    If you’re doing this for Features and Roles, I don’t think this will work for your scenario. To load them offline, I don’t even know if this is possible (I haven’t Google’d it), but could you put a Windows ISO on a network share, and use DISM to install components or roles you need for your specific use case?

    As for Updates:

    Your case is interesting, because typically in most environments there’s the master synchronization, and then as clients contact WSUS, admins approve updates that are “Needed”. After an admin approves the “needed” update, WSUS will reach out and download the update making it available to the host.

    For offline synchronization, in a use case where you can’t have that back and forth communication to sync/download only “needed” and approve from there, technically you’d need to synchronization all categories, and then approve all updates which would probably be 100’s of GB or even possibly TBs of data. In this case I’d highly recommend using WSUS with SQL, instead of the WID (Windows internal Database), and make sure your keep the WSUS database clean. In that case, you’d have all the updates but the problem is that they would all be approved and installed.

    I don’t even know if this is possible, but you might need to have two WSUS servers, one where everything is approved, so it offline downloads all updates, and then downstream have a secondary one that the computers report to so you can manually approve when you want.

    I hope this helps, sorry I don’t have more exact info.

    Stephen

  21. This does not work on 1909

  22. Hi Jimmy,

    It does work on 1909. I’d recommend checking your Syntax and trying again.

    Cheers,
    Stephen

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)