ConfigMgr 2012 – Cannot install WSUS on Server 2012 R2

Posted on Updated on

I’ve come across this for a couple of customers. During installation of prerequisites for ConfigMgr 2012 R2 Software Updates, it is necessary to have the server WSUS role installed.  If any domain GPO for WSUS is being applied, it may prevent the installation of the WSUS role on Windows Server 2012 R2. The specific policy is for the “Log on as a service”, which in GPO can be set to restrict access to specific AD groups. WSUS needs to create a local service and grant the logon rights during the install process, even when not selecting the setup to use the Windows Internal Database (WID).

KB2832204 describes the issue precisely, even though it was written with regard to ADFS (and not WSUS). The workaround was to do the following:

  1. Move the server into the Computers container (so the GPO is not applied)
  2. Install WSUS (either as a database on SQL Server or the WID)
  3. Perform the WSUS post install tasks
  4. Move the server back into the proper OU

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s