WSUS install error “Log on as a service”

Posted on

During installation of WSUS (a prerequisite for the ConfigMgr 2012 R2 SUP role), a GPO prevented the installation of WSUS on a Windows Server 2012 R2 system. The specific policy that caused the problem was for the “Log on as a service”.  In this specific instance, the GPO was restricting access to two AD groups. WSUS needs to create a local service and grant the logon rights during the install process, even if not selecting to use the Windows Internal Database (WID).

KB2832204 describes the issue precisely, even though it was written with regard to ADFS (and not WSUS). The workaround was to do the following:

  1. Move the server into the Computers container (so the GPO was not applied)
  2. Install WSUS (database on SQL Server, not the WID)
  3. Perform the WSUS server role post install tasks
  4. Uninstall Windows Internal Database
  5. Move the server back into the proper OU



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s