I’ve come across this for a couple of customers. The prerequisites for ConfigMgr 2012 R2 Software Updates include having the WSUS server role installed. If a domain GPO is being applied to the server, it may prevent the installation of the WSUS role on Windows Server 2012 R2. The specific policy is the “Log on as a service” user right, which a GPO can restrict to specific AD groups. WSUS needs to create a local service and grant it the logon right during the install process, even when setup is not configured to use the Windows Internal Database (WID).
KB2832204 describes the issue precisely, even though it was written with regard to ADFS (and not WSUS). The workaround was to do the following:
- Move the server into the Computers container (so the GPO is not applied)
- Install WSUS (either as a database on SQL Server or the WID)
- Perform the WSUS post install tasks
- Move the server back into the proper OU
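
The four steps above as a single script, with a check of who holds "Log on as a service" before and after the move. This is an added example, not part of the original post; it assumes the WID variant, an elevated session on the server, the ActiveDirectory module, and a placeholder content directory `D:\WSUS`.

```powershell
# Added example (not from the original post). Run elevated on the future WSUS server.
# Assumes the ActiveDirectory module and rights to move the computer object.
param([string]$ContentDir = 'D:\WSUS')   # placeholder content directory
Import-Module ActiveDirectory

function Get-ServiceLogonRight {
    # Export the effective user rights and list who holds "Log on as a service".
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -Force
    if (-not $line) { return @() }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) { $entry; continue }   # already a name
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }                                      # unresolvable SID
    }
}

$computer   = Get-ADComputer $env:COMPUTERNAME
$originalOU = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
$target     = (Get-ADDomain).ComputersContainer

"Log on as a service (GPO applied): $((Get-ServiceLogonRight) -join '; ')"

# Step 1: move out of the OU so the restricting GPO no longer applies.
Move-ADObject -Identity $computer.ObjectGUID -TargetPath $target
gpupdate /target:computer /force | Out-Null
"Log on as a service (after move):  $((Get-ServiceLogonRight) -join '; ')"

try {
    # Step 2: install WSUS with WID. For SQL Server, install
    # UpdateServices-Services and UpdateServices-DB instead.
    Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
    # Step 3: post-install tasks (add SQL_INSTANCE_NAME=... for SQL Server).
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall "CONTENT_DIR=$ContentDir"
}
finally {
    # Step 4: always move the server back so its normal policy applies again.
    Move-ADObject -Identity $computer.ObjectGUID -TargetPath $originalOU
    gpupdate /target:computer /force | Out-Null
}
```

If the second list still shows only the groups set by the GPO, the restriction has not been lifted yet and the install would fail the same way.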