Monday, January 28, 2013

Add a GUI to Server Core 2012 and Overcoming Error: 0x800f0906

When Microsoft released Server 2012, it included a very welcome new feature that lets you install and remove the GUI on Windows Server Core. There are a couple of different levels, essentially one with the desktop experience and one without. While this should be a straightforward process, it turned out to be more complicated than one would expect; here's how to do the install and work around those issues:

Note: You may see Install-WindowsFeature and Uninstall-WindowsFeature referred to elsewhere as Add-WindowsFeature and Remove-WindowsFeature. There is no difference; the latter two are aliases for the first two.

Adding the GUI



At the most basic level, you need the following command to add the GUI on Server Core: Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra. Unfortunately, this doesn't take into account the fact that the binaries we want aren't included on Server Core (we'll get into this a bit more under removal). To remediate this, insert the Server 2012 installation media or an equivalent source and modify the command with the -source parameter accordingly.


PowerShell:

Install-WindowsFeature -source:D:\sources\sxs\ Server-Gui-Shell, Server-Gui-Mgmt-Infra

After completion:

shutdown /r /t 0

This will work if you are NOT using a WSUS server, which I suspect a lot of you are. More on that below. This install may take a while, so be patient.

Removing the GUI


PowerShell:

Uninstall-WindowsFeature -remove Server-Gui-Shell, Server-Gui-Mgmt-Infra

After completion:

shutdown /r /t 0

By using the -remove switch you will delete the binaries rather than just deactivate them.
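
Whether the binaries are on disk is visible in the InstallState column of Get-WindowsFeature. The following is an added example, not part of the original post, that checks that state and only passes -Source when a payload is actually missing; the variable names are illustrative and the source path is the one used in the install command above.

```powershell
# Added example: decide whether -Source is needed before installing the GUI features.
$features = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'
$source   = 'D:\sources\sxs'    # path from the install command above; adjust to your media

$state = Get-WindowsFeature -Name $features
$state | Format-Table Name, InstallState -AutoSize

# 'Removed'   = payload is not on disk (as after Uninstall-WindowsFeature -Remove)
# 'Available' = payload is on disk, feature just not enabled
$missing = @($state | Where-Object { $_.InstallState -eq 'Removed' })
$todo    = @($state | Where-Object { $_.InstallState -ne 'Installed' })

if ($todo.Count -eq 0) {
    Write-Output 'GUI features are already installed.'
}
elseif ($missing.Count -gt 0 -and -not (Test-Path $source)) {
    # Without a reachable source the install has to fetch the payload through
    # Windows Update, which is where the WSUS problem described below shows up.
    Write-Warning "Payload is removed and '$source' is not reachable."
}
else {
    $params = @{ Name = $todo.Name }
    if ($missing.Count -gt 0) { $params.Source = $source }

    $result = Install-WindowsFeature @params
    $result | Format-List Success, RestartNeeded, ExitCode

    if ($result.Success -and $result.RestartNeeded -eq 'Yes') {
        Write-Output 'Install succeeded; reboot with: shutdown /r /t 0'
    }
}
```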


Troubleshooting/Dealing with WSUS

So this procedure is not without its flaws. Unfortunately, if your server is pointed to a WSUS server, you'll have problems. Note that this is a different issue from the one experienced when using Server 2012 against a WSUS 3.0 server; in this case we're using a new WSUS 2012 server. The error you'll see is 0x800f0906, which has to do with getting updates for the binaries. It seems there is an issue retrieving those binaries when pointed to said WSUS server. The entries in the %SystemRoot%\windowsupdate.log file look like this:

Not Connected to WSUS/ Successful Update:


2013-01-23    12:17:45:088     748    7bc    Agent    *************
2013-01-23    12:17:45:088     748    7bc    Agent    ** START **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-23    12:17:45:088     748    7bc    Agent    *********
2013-01-23    12:17:45:088     748    7bc    Agent      * Include potentially superseded updates
2013-01-23    12:17:45:088     748    7bc    Agent      * Online = Yes; Ignore download priority = No
2013-01-23    12:17:45:088     748    7bc    Agent      * Criteria = "CategoryIDs contains '75f164f7-89ef-4f1c-add4-c5404c8c117f' and UpdateID='20b172e5-d0aa-4721-8186-debafe5dc89f'"
2013-01-23    12:17:45:088     748    7bc    Agent      * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
2013-01-23    12:17:45:088     748    7bc    Agent      * Search Scope = {Machine}
2013-01-23    12:17:45:088     748    7bc    Agent      * Caller SID for Applicability: S-1-5-18
2013-01-23    12:17:45:541     748    7bc    Misc    Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\wuredir.cab:
2013-01-23    12:17:46:088     748    7bc    Misc     Microsoft signed: Yes
2013-01-23    12:17:46:088     748    7bc    Misc     Infrastructure signed: Yes
2013-01-23    12:17:46:103     748    7bc    EP    Got 9482F4B4-E343-43B6-B170-9A65BC822C77 redir Client/Server URL: "https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx"
2013-01-23    12:17:46:463     748    7bc    PT    +++++++++++  PT: Starting category scan  +++++++++++
2013-01-23    12:17:46:463     748    7bc    PT      + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx
2013-01-23    12:17:47:954     748    7bc    PT    +++++++++++  PT: Synchronizing server updates  +++++++++++
2013-01-23    12:17:47:954     748    7bc    PT      + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx
2013-01-23    12:17:49:032     748    7bc    Agent      * Added update {20B172E5-D0AA-4721-8186-DEBAFE5DC89F}.200 to search result
2013-01-23    12:17:49:032     748    7bc    Agent      * Found 1 updates and 4 categories in search; evaluated appl. rules of 163 out of 309 deployed entities
2013-01-23    12:17:49:063     748    7bc    Agent    *********
2013-01-23    12:17:49:063     748    7bc    Agent    **  END  **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-23    12:17:49:063     748    7bc    Agent    *************

Connected to WSUS/ Failed Update:


2013-01-25    00:02:42:866     756    6d8    Agent    *************
2013-01-25    00:02:42:866     756    6d8    Agent    ** START **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-25    00:02:42:866     756    6d8    Agent    *********
2013-01-25    00:02:42:866     756    6d8    Agent      * Include potentially superseded updates
2013-01-25    00:02:42:866     756    6d8    Agent      * Online = Yes; Ignore download priority = No
2013-01-25    00:02:42:866     756    6d8    Agent      * Criteria = "CategoryIDs contains '75f164f7-89ef-4f1c-add4-c5404c8c117f' and UpdateID='337d9460-e236-40a9-91f3-a6831e113867'"
2013-01-25    00:02:42:866     756    6d8    Agent      * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
2013-01-25    00:02:42:866     756    6d8    Agent      * Search Scope = {Machine}
2013-01-25    00:02:42:866     756    6d8    Agent      * Caller SID for Applicability: S-1-5-18
2013-01-25    00:02:42:866     756    6d8    EP    Got WSUS Client/Server URL: "https://wsus.internal.lan:8531/ClientWebService/client.asmx"
2013-01-25    00:02:42:882     756    6d8    PT    +++++++++++  PT: Starting category scan  +++++++++++
2013-01-25    00:02:42:882     756    6d8    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = https://wsus.internal.lan:8531/ClientWebService/client.asmx
2013-01-25    00:02:42:913     756    74c    AU    Triggering Offline detection (non-interactive)
2013-01-25    00:02:42:913     756    6d8    Agent      * Found 0 updates and 0 categories in search; evaluated appl. rules of 0 out of 0 deployed entities
2013-01-25    00:02:42:913     756    6d8    Agent    *********
2013-01-25    00:02:42:913     756    6d8    Agent    **  END  **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-25    00:02:42:913     756    6d8    Agent    *************

Note that no updates were found.
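
The same comparison can be pulled out of a log automatically. This is an added example, not from the original post: for each TrustedInstaller FOD search it reports which server was queried and how many updates came back. The sample lines are abridged from the two excerpts above, and the function name Get-FodSearchResult is illustrative.

```powershell
# Sample input: lines abridged from the two log excerpts above.
$sample = @'
2013-01-23    12:17:45:088     748    7bc    Agent    ** START **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-23    12:17:46:463     748    7bc    PT      + ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://fe1.update.microsoft.com/v6/ClientWebService/client.asmx
2013-01-23    12:17:49:032     748    7bc    Agent      * Found 1 updates and 4 categories in search; evaluated appl. rules of 163 out of 309 deployed entities
2013-01-25    00:02:42:866     756    6d8    Agent    ** START **  Agent: Finding updates [CallerId = TrustedInstaller FOD]
2013-01-25    00:02:42:882     756    6d8    PT      + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = https://wsus.internal.lan:8531/ClientWebService/client.asmx
2013-01-25    00:02:42:913     756    6d8    Agent      * Found 0 updates and 0 categories in search; evaluated appl. rules of 0 out of 0 deployed entities
'@ -split "`r?`n"

function Get-FodSearchResult {
    param([string[]]$Line)

    $open = $false
    foreach ($l in $Line) {
        if ($l -match '\*\* START \*\*.*CallerId = TrustedInstaller FOD') {
            # A feature-on-demand search begins; remember when it started.
            $open    = $true
            $url     = $null
            $started = ($l -split '\s+')[0..1] -join ' '
        }
        elseif ($open -and $l -match 'Server URL = (\S+)') {
            $url = $Matches[1]              # server the client actually queried
        }
        elseif ($open -and $l -match 'Found (\d+) updates and (\d+) categories') {
            $found = [int]$Matches[1]
            [pscustomobject]@{
                Started      = $started
                ServerUrl    = $url
                UpdatesFound = $found
                NoPayload    = ($found -eq 0)   # the pattern seen with 0x800f0906
            }
            $open = $false
        }
    }
}

# On a live server, feed it the real log instead of the sample:
#   Get-FodSearchResult -Line (Get-Content "$env:SystemRoot\WindowsUpdate.log")
Get-FodSearchResult -Line $sample | Format-Table -AutoSize
```

Lines from other threads can be interleaved in a real log, so treat the ServerUrl column as the last URL seen before the result line.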

Workaround:

We're going to use Group Policy to work around this issue. Assuming you have access to do so or can convince those responsible to do so, perform the following (note that the GPO containing the setting below must not be overridden by a higher-level GPO, or this will not work):

You have two options: enable an alternative install location as outlined in this article from Microsoft, or temporarily override the WSUS setting by doing the following:

  1. Without binding it anywhere, create a new group policy object called Computer_Settings_WSUS_Disable or something similar that adheres to your naming standards.
  2. Navigate to the "Scope" tab on that group policy object and remove the "Authenticated Users" principal under "Security Filtering".
  3. Click "Add..." and add the computer object in question. You'll have to change the object types to include computers.
  4. Right click the GPO and select "GPO Status->User Configuration Settings Disabled".
  5. Edit the GPO, go to "Computer Configuration->Policies->Administrative Templates->Windows Components->Windows Update", and change "Specify intranet Microsoft update service location" to "Disabled". This will revert it to Microsoft.
  6. Right click on the OU you would like to bind it to, click "Link an existing GPO...", and select your newly created GPO.
  7. Do a gpupdate /force on your target server and execute the command again. No reboot should be necessary.


After completing the update, feel free to unlink or delete the GPO.
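
Because this workaround takes the server off WSUS for a while, it is worth confirming both that the override took effect before retrying and that WSUS is back in force once the GPO is unlinked. The following is an added example, not from the original post; it reads the standard Windows Update policy values (WUServer and AU\UseWUServer), and the function name Get-WuPolicyState is illustrative.

```powershell
function Get-WuPolicyState {
    # Policy values written by "Specify intranet Microsoft update service location".
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu   = Get-ItemProperty -Path $base      -ErrorAction SilentlyContinue
    $au   = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue

    # The client only uses WSUS when the switch is on AND a server is configured.
    $useWsus = ($au.UseWUServer -eq 1) -and [bool]$wu.WUServer
    $source  = if ($useWsus) { 'WSUS' } else { 'Microsoft Update' }

    [pscustomobject]@{
        WUServer     = $wu.WUServer
        UseWUServer  = $au.UseWUServer
        UpdateSource = $source
    }
}

# Run after 'gpupdate /force' in step 7, before retrying the install.
$state = Get-WuPolicyState
$state | Format-List

if ($state.UpdateSource -eq 'WSUS') {
    Write-Warning "Still pointed at $($state.WUServer); the override GPO has not applied yet."
}
else {
    Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
}

# After unlinking or deleting the GPO, run 'gpupdate /force' again and re-check:
# UpdateSource should read 'WSUS' again before the server is considered
# back under managed patching.
#   Get-WuPolicyState
```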


Hopefully that gets you GUI-ing. Here are some additional links below for more reading if you desire. Feel free to leave questions in the comments!

Microsoft Ask the Directory Services Team: "Windows Server 2012 Shell game"

How-To Geek: Turn the GUI off and On in Windows Server 2012

Yung Chou: Windows Server 2012 Installation Options

Jason Yoder: Error when moving from Core to full GUI in Server 2012


