When you try to install Windows Server Update Services (WSUS) on Windows Server 2012 R2, you might get the following error:
The request to add or remove features on the specified server failed. The operation cannot be completed, because the server that you specified requires a restart.
Restarting the server does not change anything.
Looking at the event log will give us a good idea about the cause of the problem:
The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID
This service account does not have the required user right “Log on as a service.”
Assign “Log on as a service” to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
One typical reason could be a Group Policy in Active Directory restricting the Log on as a service right to something other than what Windows expects, as shown below:
Removing this policy or configuring it with the rights expected by Windows would be a good place to start.
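An added example (not part of the original post) of checking this from an elevated PowerShell prompt: it exports the current user rights assignment with secedit, tests whether NT SERVICE\ALL SERVICES (S-1-5-80-0) or the WID service's own SID holds SeServiceLogonRight (the internal name of "Log on as a service"), and writes a gpresult report for locating the GPO that sets it. The temp file names are arbitrary choices.

```powershell
# Added example: who holds "Log on as a service" (SeServiceLogonRight) on this server?
# Run elevated. The two file paths are arbitrary choices, not fixed locations.
$cfg    = Join-Path $env:TEMP 'user_rights.inf'
$report = Join-Path $env:TEMP 'gpresult_computer.html'

# Export the user rights assignments currently in effect on this machine.
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
$entries = @()
if ($line) {
    # Entries are comma-separated; SIDs carry a leading asterisk, names do not.
    $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
}

# Normalise every entry to a SID and, where possible, a readable name.
$holders = foreach ($e in $entries) {
    $sid = $null; $name = $e
    try {
        if ($e.StartsWith('*')) {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } else {
            $sid = (New-Object System.Security.Principal.NTAccount($e)).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        }
    } catch { }   # unresolvable entries keep whatever could be parsed
    [pscustomobject]@{ Entry = $e; Name = $name; Sid = "$sid" }
}
$holders | Format-Table -AutoSize

# sc.exe showsid derives the per-service SID from the service name,
# whether or not the service is installed yet.
$widSid = (sc.exe showsid 'MSSQL$MICROSOFT##WID' |
    Select-String 'SERVICE SID:\s*(S-[\d-]+)').Matches[0].Groups[1].Value

# S-1-5-80-0 is NT SERVICE\ALL SERVICES, which covers every per-service account.
if ($holders.Sid -contains 'S-1-5-80-0' -or $holders.Sid -contains $widSid) {
    Write-Output 'The WID service account is covered by SeServiceLogonRight.'
} else {
    Write-Warning 'The WID service account is NOT covered by SeServiceLogonRight.'
}

# Resultant Set of Policy report: look under User Rights Assignment for the GPO
# that defines "Log on as a service".
gpresult.exe /scope computer /h $report /f
Write-Output "RSoP report written to $report"
```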
The default local security setting on Windows Server 2012 R2 would normally be:
When you successfully install WSUS on a Windows Server 2012 R2 server with no GPOs applied, the local security setting would change to: