Microsoft Windows Logo
If you are running Microsoft Windows in a domain environment with WSUS configured, you may notice that you’re not able to install some FODs (Features on Demand), or use the “Turn Windows features on or off”. This will stop you from installing things like the RSAT tools, .NET Framework, Language Speech packs, etc…
You may see “failure to download files”, “cannot download”, or errors like “0x800F0954” when running DISM to install packages.
To resolve this, you need to modify your domain’s group policy settings to allow your workstations to query Windows Update servers for additional content. The workstations will still use your WSUS server for approvals, downloads, and updates, however in the event content is not found, it will query Windows Update.
Please see an example of the configuration below:
Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)
You should now be able to download/install RSAT, .NET, Speech language packs, and more!
While most of us frequently deploy new ESXi hosts, a question and task not oftenly discussed is how to properly decommission a VMware ESXi host. Some might be surprised to… Read More
This guide will outline the instructions to Disable the VMware Horizon Session Bar. These instructions can be used to disable the Horizon Session Bar (also known as the Horizon Client… Read More
Normally, any VMs that are NVIDIA vGPU enabled have to be manually migrated with manual vMotion if a host is placed in to maintenance mode, to evacuate the host. While… Read More
You may experience GPU issues with the VMware Horizon Indirect Display Driver in your environment when using 3rd party applications which incorrectly utilize the incorrect display adapter. This results with… Read More
Today we're going to cover a powerful little NAS being used with VMware; the Synology DS923+ VMware vSphere Use case and Configuration. This little (but powerful) NAS is perfect for… Read More
Today we'll go over how to install the vSphere vCenter Root Certificate on your client system. Certificates are designed to verify the identity of the systems, software, and/or resources we… Read More
View Comments
Hi Stephen. I'm trying it on my Windows 2008 R2 and there is no “Specify settings for optional component installation and component repair” option...
Hi Cristian,
Is your server fully up to date? I'm wondering if 2008 R2 doesn't support support these GPO options in that version of Active Directory.
2008 R2 is reaching end of life soon. When you upgrade I think it should become available.
Cheers,
Stephen
Hi Stephen,
Just wanted to say thanks for this post.
Added it to my deployment plan for networks and it totally fixed my problem.
To Christian: If you look at the window above in the screenshot, you can see that this setting is only supported on Windows 2012, Windows 8 or Windows RT. It is not applicable to Server 2008R2
I just wanted to join in thanking you so very much for posting this information. You saved me a tonne of time.
Second time you saved me...
Glad I could help Pawel!
Cheers,
Stephen
I've found that even with that oolicy enabled, we still could not install RSAT as a FOD. This is because we also have "Computer Configuration -> Administrative Settings -> System -> Internet Communication Management -> Internet Communication settings -> Turn off access to all Windows Update features" enabled. The reason we normally have that policy enabled is because it prevents Device Manager from automatically installing driver updates. We want to control the drivers installed in our environment.
PS C:\WINDOWS\system32> DISM.exe /Online /add-capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Deployment Image Servicing and Management tool
Version: 10.0.17763.1
Image Version: 10.0.17763.316
[==========================100.0%==========================]
Error: 2
The system cannot find the file specified.
The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log
Thank you, thank you, thank you.
I have been trying to solve this for weeks and finally did the right google search to find this post.
Thank you for this post i finally go them to install will also properly work via the GUI as well now
You're awesome!
Hmmm. I've enabled the "Specify settings for optional component installation and component repair," turned on "Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)," but I still get this error:
Deployment Image Servicing and Management tool
Version: 10.0.17763.1
Image Version: 10.0.17763.529
[==========================100.0%==========================]
Error: 0x8024002e
DISM failed. No operation was performed.
For more information, review the log file.
The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log
I'd recommend checking the log file to see what's going on.
Also, maybe try a "gpupdate /force" and restart. Then try again as well.
"0x8024002e" is usually a windows update error, so I'm wondering if the GPO hasn't been applied (gpupdate should fix this), or if your Windows Update components may be corrupted. You might have to reset your Windows Update. If you're managing your Windows Updates with a 3rd party application, this may also cause this issue.
Stephen
On item #4, using Windows 8.1 Home edition, “Specify settings for optional component installation and component repair” is not on the list. How can I update the list?
Hi Steve,
If it's not there, I'm wondering if you're administrative templates for your GPO are old and out of date.
I think you can either download the GPO Administrative Templates, or grab them off a Windows 10 computers (or newer Windows Server), and add them to your AD Template Store, then the option should become available.
Cheers,
Stephen
I've been having this problem for YEARS, and eventually just took it as a fact of life that I will need to specify source files from Windows Media in some WSUS environments. Thank you SO MUCH for this post.
There is truly no reason this policy should not be in the "Windows update" container in GPedit, or the repair/content files should be automagically imported to WSUS when you enable feature on demand.
What if your environment, including all domain controllers, WSUS, and workstations, are in a closed room with no possible internet access/connection? If the WSUS repository here has been manually seeded offline and works for other updates, will this solution work as long as "Feature Packs" is selected for an update classification? Are there any other update classifications required to be selected in addition to Feature Packs? We already have the other necessary ones selected and synchronized offline and working in the closed environment. I read somewhere else that "Updates" needed to be selected as well, but we are trying to avoid selecting unnecessary classifications in order to keep the amount of data down because it's a bit of a chore to get it into the closed room. It's for a military contract in case you are wondering.
Hey Vinnie,
That's a tough one. The resolutions I've posted allow the Windows workstations to bypass WSUS to install Features or Roles. Having them completely cut off kinda breaks that, lol.
If you're doing this for Features and Roles, I don't think this will work for your scenario. To load them offline, I don't even know if this is possible (I haven't Google'd it), but could you put a Windows ISO on a network share, and use DISM to install components or roles you need for your specific use case?
As for Updates:
Your case is interesting, because typically in most environments there's the master synchronization, and then as clients contact WSUS, admins approve updates that are "Needed". After an admin approves the "needed" update, WSUS will reach out and download the update making it available to the host.
For offline synchronization, in a use case where you can't have that back and forth communication to sync/download only "needed" and approve from there, technically you'd need to synchronization all categories, and then approve all updates which would probably be 100's of GB or even possibly TBs of data. In this case I'd highly recommend using WSUS with SQL, instead of the WID (Windows internal Database), and make sure your keep the WSUS database clean. In that case, you'd have all the updates but the problem is that they would all be approved and installed.
I don't even know if this is possible, but you might need to have two WSUS servers, one where everything is approved, so it offline downloads all updates, and then downstream have a secondary one that the computers report to so you can manually approve when you want.
I hope this helps, sorry I don't have more exact info.
Stephen
This does not work on 1909
Hi Jimmy,
It does work on 1909. I'd recommend checking your Syntax and trying again.
Cheers,
Stephen