Create computer groups for WSUS

This post will cover how to create and manage computer groups in Windows Server Update Services (WSUS) for Windows Server 2016.

This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Overview of Computer Groups

A computer group in WSUS is a way of applying the same set of updates to every machine in the group. For example, you may have a computer group called “Test Servers” for which you first approve a set of updates. After adequate testing, you then approve the same set of updates for the computer group called “Prod Servers”, which contains your production servers.

As this simple example shows, you can create computer groups to contain whatever set of machines makes sense within your environment.

If you open the WSUS console and look under Computers > All Computers, you will see one default computer group called Unassigned Computers. This group is where all computer objects will end up unless you specify otherwise.


Create WSUS Computer Groups

To create a new computer group, right-click All Computers, select Add Computer Group, and then specify the desired name for the group.


There are two methods for specifying which computer group a particular machine belongs to: server side targeting and client side targeting.

  • Server Side Targeting: The WSUS console is used both to create the computer groups and to assign the computers that should be members of each group. Because it is all done manually, this may be a good option if you use WSUS to manage only a small number of machines that are not domain joined.
  • Client Side Targeting: This is the option you’ll likely want to use in a larger environment. Group policy is used in an Active Directory based environment to automatically place specific machines into defined computer groups. The group policy option can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Enable client-side targeting. Set it to enabled and enter the group name that you created in the WSUS console. Once the policy has been applied, WSUS will automatically place the client computer into the correct computer group when the client goes to perform an update.

To use either client side or server side targeting, you must go to the Options > Computers section of the WSUS console. Select “Use the Update Services console” to use server side targeting. Alternatively, select “Use Group Policy or registry settings on computers” to enable client side targeting.


Note that you will still need to initially create the computer group in the WSUS console manually, regardless of whether you are using server or client side targeting.
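The same steps can be scripted and checked from PowerShell. The following is an added example, not part of the original post: it assumes an elevated session on the WSUS server with the UpdateServices module for the first function, and a client that has received the policy for the second. The function names and the host TESTSRV01 are hypothetical.

```powershell
# Added example. Run in an elevated session on the WSUS server (UpdateServices module).
# 'Test Servers' is the post's example group; the function names are hypothetical.
function Initialize-WsusTargeting {
    param([string]$GroupName = 'Test Servers',
          [ValidateSet('Client', 'Server')][string]$Mode = 'Client')
    $wsus = Get-WsusServer

    # Same as right-clicking All Computers > Add Computer Group; skipped if it exists.
    if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $GroupName)) {
        $null = $wsus.CreateComputerTargetGroup($GroupName)
    }

    # Options > Computers: Server = Update Services console, Client = Group Policy/registry.
    $config = $wsus.GetConfiguration()
    $config.TargetingMode = $Mode
    $config.Save()

    # Report membership so machines still in Unassigned Computers stand out.
    foreach ($group in $wsus.GetComputerTargetGroups()) {
        $members = $group.GetComputerTargets()
        [pscustomobject]@{
            Group     = $group.Name
            Count     = $members.Count
            Computers = ($members | ForEach-Object FullDomainName) -join ', '
        }
    }
}

# Run on a client: shows what the "Enable client-side targeting" policy wrote locally.
function Get-ClientTargetGroup {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled     = ($wu.TargetGroupEnabled -eq 1)
        TargetGroup = $wu.TargetGroup
        WsusServer  = $wu.WUServer
    }
}

# Server-side targeting assigns members from the WSUS side instead (hypothetical host):
# Get-WsusComputer -NameIncludes 'TESTSRV01' | Add-WsusComputer -TargetGroupName 'Test Servers'
```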


  1. Great post about creating computer groups for WSUS.

  2. Article falls short on how to configure the updates for the test group then onto the prod group.

  3. What if I have a different Active Directory server, and how can the computer group from Active Directory communicate with the WSUS server? I mean I have a different WSUS server with the same domain controller. I also have a different Active Directory server. But the computers from the Active Directory server cannot communicate with the WSUS servers. Any reason why?

  4. It was very helpful.

