During installation of WSUS (a prerequisite for the ConfigMgr 2012 R2 SUP role), a GPO prevented WSUS from installing on a Windows Server 2012 R2 system. The policy that caused the problem was “Log on as a service”: in this instance, the GPO restricted that right to two AD groups. WSUS needs to create a local service and grant it the logon right during the install process, even when the Windows Internal Database (WID) is not selected.
KB2832204 describes the issue precisely, even though it was written with regard to ADFS (and not WSUS). The workaround was to do the following:
- Move the server into the Computers container (so the GPO was not applied)
- Install WSUS (database on SQL Server, not the WID)
- Perform the WSUS server role post-install tasks
- Uninstall Windows Internal Database
- Move the server back into the proper OU
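
The following pre-flight check is an added example, not part of the original post: it lists which principals currently hold “Log on as a service” (SeServiceLogonRight) on the server and writes a Resultant Set of Policy report showing which GPO supplies the setting. The function name `Get-ServiceLogonRight` and the report path are assumptions; `secedit.exe` and `gpresult.exe` are the built-in Windows tools.

```powershell
# Added example. Get-ServiceLogonRight is a hypothetical helper name.
# Run from an elevated PowerShell session on the target server.
function Get-ServiceLogonRight {
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights assignment area of the effective policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit code $LASTEXITCODE)."
        }
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # the right is assigned to nobody

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $name = $entry
            if ($entry.StartsWith('*S-')) {
                # secedit writes SIDs as *S-1-...; resolve them where possible.
                try {
                    $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = '<unresolved>'
                }
            }
            [pscustomobject]@{ Entry = $entry; Account = $name }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-ServiceLogonRight | Format-Table -AutoSize

# Resultant Set of Policy for the computer: shows which GPO, if any,
# is the winning source of the "Log on as a service" setting.
gpresult.exe /scope computer /h "$env:TEMP\gpresult-computer.html" /f
```

Run it before the install to confirm the restriction is what blocks setup, and again after moving the server back into its OU and running `gpupdate /force`, to confirm the GPO's restriction is back in effect.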