Wix installer custom action for running dism failing

So this installer works fine until I add the following, strange part is after it rolls back the install due to the error the features I am adding via dism.exe are actually turned on like I want. Tempted to just add something to ignore the error but I would rather not have to hack that into it.

Relevant xml

<CustomAction Id="SetEnableWindowsFeatures" Property="BatchFeatures" Value="&quot;[System64Folder]Dism.exe&quot; /norestart /quiet /online /enable-feature /featureName:Client-DeviceLockdown /featurename:Client-EmbeddedShellLauncher /featurename:Client-KeyboardFilter" />
    <CustomAction Id="BatchFeatures" BinaryKey="WixCA" DllEntry="CAQuietExec" Execute="deferred" Impersonate="no" />

 <InstallExecuteSequence>
      <Custom Action="SetEnableWindowsFeatures"     Before="BatchFeatures">NOT Installed</Custom>
      <Custom Action="BatchFeatures"                After="InstallFiles">NOT Installed</Custom>
    </InstallExecuteSequence>

Error generated

Executing op: ActionStart(Name=BatchFeatures,,)
Action 11:16:48: BatchFeatures. 
MSI (s) (24:2C) [11:16:48:829]: Executing op: CustomActionSchedule(Action=BatchFeatures,ActionType=3073,Source=BinaryData,Target=CAQuietExec,CustomActionData="C:\WINDOWS\system32\Dism.exe" /norestart /quiet /online /enable-feature /featureName:Client-DeviceLockdown /featurename:Client-EmbeddedShellLauncher /featurename:Client-KeyboardFilter)
MSI (s) (24:2C) [11:16:48:831]: Creating MSIHANDLE (131) of type 790536 for thread 24108
MSI (s) (24:A4) [11:16:48:832]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSIC518.tmp, Entrypoint: CAQuietExec
MSI (s) (24!D0) [11:16:50:676]: Creating MSIHANDLE (132) of type 790531 for thread 29392
CAQuietExec:  Error 0x80070bc2: Command line returned an error.
MSI (s) (24!D0) [11:16:50:676]: Closing MSIHANDLE (132) of type 790531 for thread 29392
MSI (s) (24!D0) [11:16:50:676]: Creating MSIHANDLE (133) of type 790531 for thread 29392
CAQuietExec:  Error 0x80070bc2: QuietExec Failed
MSI (s) (24!D0) [11:16:50:676]: Closing MSIHANDLE (133) of type 790531 for thread 29392
MSI (s) (24!D0) [11:16:50:676]: Creating MSIHANDLE (134) of type 790531 for thread 29392
CAQuietExec:  Error 0x80070bc2: Failed in ExecCommon method
MSI (s) (24!D0) [11:16:50:677]: Closing MSIHANDLE (134) of type 790531 for thread 29392
CustomAction BatchFeatures returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (24:A4) [11:16:50:678]: Closing MSIHANDLE (131) of type 790536 for thread 24108
Action ended 11:16:50: InstallFinalize. Return value 3.

Summary: Looks like you need a reboot after Dism.exe has run (0x80070bc2 : ERROR_SUCCESS_REBOOT_REQUIRED). But there is more...

Error Reboot Required: The error 0x80070bc2 means ERROR_SUCCESS_REBOOT_REQUIRED (link to Magic Number database - some details on error lookup, what tools to use). In other words it looks like the installation was fine, but the custom action return code indicates a required reboot and you have set the custom action to check exit code. Can you just flush the error? You can. I wouldn't. What else is there? I suppose you could flush the error and inspect what features are installed afterwards? Not that nice either.

DISM API: You can access DISM via C++ APIs (Win32). I would honestly try that rather than command line tools due to the enhanced control of return values, error codes and the overall code flow. Once running C++ code is nice to debug as well (just attach debugger):

• Basic DISM API Sample (Microsoft)
• A github.com search yielded this: Dism.cpp (looks like high quality, check it please. I did not test it yet)

C#: It seems someone has created a C# wrapper for dism.exe pushing command lines (not tested).

Security and Windows Updates: Controlling Windows Features that are installed is not necessarily a good thing to do in a package. For one thing I would run a Windows Update right afterwards to check for any new security holes that may have opened.

Active Directory?: I would think this Windows Feature installation is better controlled from Active Directory (centralized control for all workstations), but I am not too familiar with that process either. Just wanted to mention it. By the looks of it this might be a corporate package for an SOE environment? If so I would have a chat with the senior system administrator guys? Also the security guys if there is a department for that? (audit). Sometimes they ask for such packages themselves...

Links:

• On the use of unattended.xml (an XML file to pass to dism.exe)
• WiX links and tips (recommended)