Deploy RSAT for Windows 10 1809 using SCCM

Starting Windows 10 1809 Remote Server Administration Tools (RSAT) is now included as a set of “Features on Demand”. In the following post we will show you how to deploy individual features with SCCM.

The RSAT tools are added using the “Add-WindowsCapability” cmdlet
Because we are deploying each feature with an appliction, we are going to use two parameters with the above cmdlet:-

1 . Online (Specifies we are adding the feature to the current Windows image
2 . Source (We need to specify the CCMCache as a source)

The challenge

The Features On Demand Pack is massive, 4.7GB. You can download it from the VLSC. You only need “Disk 1” for the RSAT features. Choose the correct version for the OS you are deploying the tools to.

After you have downloaded the ISO, extract the contents to a folder. If we used this as the source for our deployment, 4.7GB of content would make its way to the client. This will present lots of interesting challenges.

In the following steps, we will extract only the required files from the FOD pack for each RSAT feature. We will use the “DHCP” feature (language en-gb) for our example.

You will need the following:-

  1. The whole “metadata” folder
  2. FoDMetadata_Client.Cab
  3. Microsoft-Windows-DHCP-Tools-FoD-Package~31bf3856ad364e35~amd64~~.Cab
  4. Microsoft-Windows-DHCP-Tools-FoD-Package~31bf3856ad364e35~amd64~en-GB~.Cab
  5. Microsoft-Windows-DHCP-Tools-FoD-Package~31bf3856ad364e35~amd64~en-US~.Cab
Files in Explorer

You will need items 1 and 2 for every FOD application you build. Item 3 and 4 will be specific to the tool and the language of the OS.

Item 5 seemed to be a pre-requisite too, my assumption is the FOD media language cab has to be present when installing other languages.

Access to the Internet

When you use the “Add-WindowsCapability” cmdlet, if you do not specify a Source, the default location set by Group Policy is used. If that fails, Windows Update is also used for online images.

In this post, we will specify the Source as CCMCache using some PowerShell.


As already mentioned, we will use the “Add-WindowsCapability” cmdlet to install the RSAT Feature. We will also use the “Remove-WindowsCapability” cmdlet for uninstalling the Feature and the “Get-WindowsCapability” cmdlet for the application detection method.




Putting it all together

Our source directory (Content Location) for the DHCP RSAT Feature should now contain:-

  1. metadata (folder from the extracted ISO)
  6. Add-WindowsCapability_DHCP.ps1
  7. Get-WindowsCapability_DHCP.ps1
  8. Remove-WindowsCapability_DHCP.ps1
Files in Explorer

1 . Create a new Application. Choose “Manually specify the application information” and click “Next”

Choose “Manually specify the application information

2 . Enter a name for the application (and any other information you need) and click “Next”

Specify an application name

3 . Enter a “Localized application name” (and any other information you need – including a nice icon!) and click “Next”

Choose a localized application name (and shiny icon)

4 . To configure a “Deployment Type”, click “Add”

Click “Add” to create a Deployment Type

5 . Choose Type “Script Installer” and click “Next”

Choose Type Script Installer

6 . Choose a Deployment Type Name and click “Next”

Choose a Deployment Type Name

7 . Set the following information and click “Next”

Content Location = \\server\packages\Microsoft FOD\1809 – DHCP

*Installation Program = Powershell.exe -ExecutionPolicy Bypass -File “Add-WindowsCapability_DHCP.ps1”

*Uninstall Program = Powershell.exe -ExecutionPolicy Bypass -File “Remove-WindowsCapability_DHCP.ps1”

*Assumes you are not already bypassing the client execution policy

Specify Content Information

8 . Choose to use a Custom Script for application detection and click “Edit”

Choose a custom application detection script

9 . In the Script Editor dialogue, choose Script Type “PowerShell” and click “Open”

Choose the Script Type

10 . Browse to “Get-WindowsCapability_DHCP.ps1” and click “Open” and then “Ok”

Choose Get-WindowsCapability_DHCP.ps1

11 . Click “Next” to complete the Application Detection method

Application Detection Method

12 . I like to specify an “Installation Requirement” to ensure the OS is Windows 10 1809. For this we can query the OS build to ensure it is “17763”. Click “Add”

Add an Application Requirement

13 . Click “Create”

Create Requirement

14 . Enter the following information and click “Ok”

Name: Windows 10 Build Number
Description: Windows 10 Build Number
Condition Type: Setting
Setting Type: Registry Value
Key Name: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: CurrentBuild

Global Condition for Windows 10 Build

15 . Choose the Global Condition that we just created and in the value field type “17763”. Click “Ok”

Specify the Windows 10 1809 Build Number

16 . Click “Next” to proceed to Software Dependencies

17 . Click “Next” to read the Application Summary

18 . Click “Next” to create the Deployment and click “Close”

19 . The Deployment Type has been created, click “Next”

Deployment Type Created

20 . Click “Next” to confirm the Application Settings

21 . Click “Close” to complete the wizard

Rinse and Repeat

We can follow the same steps to create Applications for DNS, DSLD, FS, GPO and RDS RSAT Features. I have created an application for each RSAT Feature because each will use a different Detection Method.

Repeat to create and Application for other RSAT Features

To help duplicating and modifying your installation, removal and detection scripts, the Windows-Capability Name for the other RSAT tools are:-

Rsat.NetworkLoadBalancing.Tools~~~~ Rsat.RemoteAccess.Management.Tools~~~~ Rsat.RemoteDesktop.Services.Tools~~~~
Rsat.Shielded.VM.Tools~~~~ Rsat.StorageMigrationService.Management.Tools~~~~ Rsat.StorageReplica.Tools~~~~
Rsat.SystemInsights.Management.Tools~~~~ Rsat.VolumeActivation.Tools~~~~


The (Add/Remove/Get)-Windows-Capability cmdlets require elevation. Consider this when deploying to Devices or Users.

With this in mind, you need to ensure that you have chosen to “Install as System” on the User Experience tab of the Deployment Type we created earlier.

Once deployed as “Available”, and after the client has run a Machine/User Policy Refresh, the application appears in Software Center.

New Application in the Software Center

Our Application Detection method has worked if we peek in appdiscovery.log on the client


Lets install the new Application

Installing the DHCP RSAT Feature

Appenforce.log on the client gives more information on the installation


The application should be available from the Start Menu after installation

Application Installation Successful


Some points to remember:-

  1. The EN-US cab files for each feature must also be present in your source directory for each Application you create
  2. The Application must be deployed to “Install as System” because the *-WindowsCapability cmdlets require elevation

Happy Feature deploying 🙂

4.7/5 - (3 votes)

19 thoughts on “Deploy RSAT for Windows 10 1809 using SCCM”

  1. Hi, This seems to fail for standard users when it’s doing the app discovery (see below) so fails for non admin users. I’m running the deployment type as system and deploying to users with non admin rights.

    In-line script returned error output: Get-WindowsCapability : The requested operation requires elevation.

    1. Hi Richard,

      As i point out in the summary, the Application must be deployed to “Install as System” because the *-WindowsCapability cmdlets require elevation. It must also be deployed to the device and not the user..reason being the application detection will use the user permission context when deployed to a user.

      1. Hi Ben,

        I do have it as “Install as system” but have it deployed to a group of staff which from what you’re saying is causing the issue.

        Thanks for your help.

      2. Hi Ben,

        It is set to “Install as System” but from what you’re saying the issue is with it being deployed to users. I’ll change that to target a group of devices instead.

        Thanks for your help.

        1. Hi Richard, correct. The detection method runs in the user context when deployed a user. When deployed to a device the application detection method will run in the system context. This is probably why you are seeing permission issues. Let me know how it goes when you deploy to devices instead. Ben

  2. hi, i followed this guide exactly and the app fails to install with error code 1, so just a failure. There is not much help in the log file. any ideas?
    if I ran the powershell script manually, it will install.

  3. I did check the DISM log, but it’s not giving me an errors that I can investigate. Would it be because the user is not local admin on the PC, or due to UAC?

    1. If you are following the post the Application is deployed to a user or device using the System context

      “With this in mind, you need to ensure that you have chosen to “Install as System” on the User Experience tab of the Deployment Type we created earlier.”

      Yes RSAT requires elevation. I would encourage you to check that your deployment is running as SYSTEM.

      1. Hi Ben, I did check through all the settings a number of times, it’s set to Install for system and the collection I am deploying to contains Win10 x64 PCs.

          1. yes, if I ran the command I can see bring run from the AppEnforce log, from an elevated PS window, the RSAT tool installs.

            Executing Command line: “C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe” -ExecutionPolicy Bypass “Add-WindowsCapabilityDHCP.ps1” with user context

            I see this in the DISM log, does it mean anything to you:

            2020-01-27 14:29:52, Warning DISM DISM Provider Store: PID=2952 TID=368 Failed to load the provider: C:\WINDOWS\TEMP\78CE8A2D-58FF-4112-9C77-8C10ED9A4DEB\PEProvider.dll. – CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)

            2020-01-27 14:29:52, Info DISM DISM Provider Store: PID=2952 TID=368 Failed to get and initialize the PE Provider. Continuing by assuming that it is not a WinPE image. – CDISMProviderStore::Final_OnConnect

  4. Hi Ben, I figured it out. I had made a mistake! I’ve read the article over 10 times but still managed to miss a key word. I didn’t have “-File” in my install command. As soon as I added that in it worked a dream.
    Thanks to your detailed post I spotted the mistake when I compared my AppEnforce log with the screenshot you have.

  5. Great guide, thanks.

    One issue I noticed was that RSAT DSDLS (Active Directory Users & Computers) seems to need additional files. I gte a source files error when I just use the files you listed above, even when I include all DSDLS languages and architectures it will still give the error. If I point to the the whole FoD folder it will work. Haven’t figured out what extra files it needs yet.

  6. Forgot to add, once you have installed RSAT DSLDS once on a system and then uninstall it, it will then allow you to install it using just those five files you mentioned

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.


This site uses Akismet to reduce spam. Learn how your comment data is processed.