How to apply group policy to computers

After installing WSUS on a server, creating a computer group in WSUS, and creating a group policy to use WSUS, you also need to add computers to the group policy so that the policy applies to those computers. Here is how.

  1. Log in to the DC.
  2. Open Group Policy Management.
  3. Navigate to the computer group policy; in our case it is EHC for WSUS.
  4. Click Add under Security Filtering.
  5. Make sure Computers is checked in Object Types.

  7. After adding the computer to a group under Group Policy Management, you also need to create an OU that matches the computer group name, for example EHC.
  8. Now move the computers you want in the EHC group from Computers into that OU.
  9. Run gpupdate /force on the server and workstations. That should add those computers to WSUS. Alternatively, wait 30 to 90 minutes.
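
The Security Filtering and OU steps above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original walkthrough. The GPO name EHC for WSUS and the OU name EHC come from the steps above; the computer names are constructed placeholders, and the script assumes it runs on the DC (or a host with RSAT) under an account allowed to edit the GPO and move computer objects.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example: scripted equivalent of the Security Filtering / OU steps above.
$GpoName   = 'EHC for WSUS'                  # GPO name used on this page
$OuName    = 'EHC'                           # OU named after the WSUS computer group
$Computers = @('EHC-PC-01', 'EHC-PC-02')     # constructed placeholder names

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=$OuName,$domainDn"           # assumption: the OU sits at the domain root

# Step 7: create the OU only if it does not exist yet.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
                  -SearchBase $domainDn -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $OuName -Path $domainDn
}

foreach ($name in $Computers) {
    # Fails loudly on a mistyped name instead of silently skipping it.
    $computer = Get-ADComputer -Identity $name -ErrorAction Stop

    # Steps 4-5: a Security Filtering entry is Read + Apply group policy (GpoApply).
    Set-GPPermission -Name $GpoName -TargetName $name -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null

    # Step 8: move the computer object into the OU unless it is already there.
    if ($computer.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
    }
}

# Review the result: who holds which permission on the GPO, and what is in the OU.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
Get-ADComputer -Filter * -SearchBase $ouDn | Select-Object Name, DistinguishedName

# Step 9 still applies: run gpupdate /force on the clients or wait for the refresh.
```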

How to configure Group Policy to download and install updates from WSUS

Configure client systems to download updates from WSUS – SolarWinds Worldwide, LLC. Help and Support

  1. Log in to the DC.
  2. Open Group Policy Management.
  3. In the left pane, expand Computer Configuration > Administrative Templates > Windows Components, and then select Windows Update.
  4. In the right pane, select Configure Automatic Updates, and then enable the policy:
     1) Click the Action menu, and then select Edit.
     2) Select Enabled.
     3) In the Options section, under Configure automatic updating, select the appropriate download and notification option.
     4) If you selected option 4 – Auto download and schedule the install, select the appropriate options under Scheduled install day and next to Scheduled install time.
     5) Click OK.
  5. In the Group Policy Editor window, select Specify intranet Microsoft update service location.
  6. Enable the policy:
     1) Click the Action menu, and then select Edit.
     2) Select Enabled.
     3) In the Options section, under Set the intranet update service for detecting updates, enter the URL for the WSUS server. For example, enter http://wsusServer[:port], where wsusServer is the name of the WSUS server and port is the port number, if the WSUS server uses a port other than port 80.
     4) Under Set the intranet statistics server, enter the same URL.
     5) Click OK.

How to create computer groups in WSUS

Create computer groups for WSUS

  1. Run the WSUS console.
  2. Go to Computers > All Computers. You will see one default computer group called Unassigned Computers. This group is where all computer objects end up unless you specify otherwise.
  3. Right-click All Computers and select Add Computer Group.
  4. You have two options for specifying which computer group a particular machine belongs to, known as server-side targeting and client-side targeting.

  • Server Side Targeting: The WSUS console is used to create the computer groups and to assign the computers that should be members of each group. Because it is all done manually, this may be a good option if you only have a small number of non-domain-joined machines to manage with WSUS.
  • Client Side Targeting: This is the option you'll likely want to use in a larger environment. Group policy is used in an Active Directory based environment to automatically place specific machines into defined computer groups. The group policy option can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Enable client-side targeting. Set it to Enabled and enter the group name that you created in the WSUS console. Once the policy has been applied, WSUS automatically places the client computer into the correct computer group when the client next performs an update.

In our case, we select Use Group Policy or registry settings on computers.

  5. Click Apply to complete the configuration.
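
To confirm on a client that the WSUS server URL and the client-side targeting group from the two sections above have actually applied, the following check reads the policy values that Group Policy writes to the registry. It is an added example, not part of the original guide; EHC is the group name used on this page, and the script assumes it is run locally on the client after gpupdate.

```powershell
# Added example: confirm on a client that the WSUS policy described above has applied.
$ExpectedGroup = 'EHC'    # WSUS computer group used on this page
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$state = [ordered]@{
    WUServer           = Get-PolicyValue $wuKey 'WUServer'            # intranet update service
    WUStatusServer     = Get-PolicyValue $wuKey 'WUStatusServer'      # intranet statistics server
    TargetGroupEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled'  # client-side targeting on/off
    TargetGroup        = Get-PolicyValue $wuKey 'TargetGroup'         # group name(s), ';' separated
    UseWUServer        = Get-PolicyValue $auKey 'UseWUServer'         # 1 = use the intranet server
    AUOptions          = Get-PolicyValue $auKey 'AUOptions'           # 4 = auto download and schedule
}

$findings = @()
if (-not $state.WUServer) {
    $findings += 'WUServer is not set: the GPO has not applied to this computer.'
}
if ($state.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client is not pointed at the intranet server.'
}
if ($state.WUServer -ne $state.WUStatusServer) {
    $findings += 'The statistics server URL differs from the update service URL.'
}
if ($state.TargetGroupEnabled -ne 1 -or
    ($state.TargetGroup -split ';') -notcontains $ExpectedGroup) {
    $findings += "Client-side targeting does not place this computer in '$ExpectedGroup'."
}
if ($state.WUServer -like 'http://*') {
    $findings += 'WUServer uses plain HTTP: update metadata is unencrypted in transit.'
}

[pscustomobject]$state | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'WSUS policy values match the configuration described above.' }
```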

How to remove a computer from WSUS

If for some reason you want to remove a computer from WSUS, you have these options.

Remove WSUS Settings via PowerShell

1. Click Start and open PowerShell as Administrator (Right Click > Run as Administrator).

2. Stop the Windows Update Service by entering the command Stop-Service -Name wuauserv.

3. Remove the Windows Update registry key by entering the command Remove-Item HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -Recurse.

4. Finally, start the Windows Update Service again by entering the command Start-Service -Name wuauserv.
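
The four steps above as one script that first exports the key, so the settings can be restored, and that restarts the service even if the removal fails. This is an added example, not part of the original instructions; the backup location under %TEMP% is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: the removal steps above with a backup and a guaranteed service restart.
$wuKey      = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$regPath    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'   # reg.exe syntax
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $env:TEMP "WindowsUpdate-policy-$stamp.reg"      # assumed location

if (-not (Test-Path $wuKey)) {
    Write-Output 'No WindowsUpdate policy key found; nothing to remove.'
    return
}

Stop-Service -Name wuauserv -Force
try {
    # Export first so the WSUS settings can be restored later with "reg import".
    & reg.exe export $regPath $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup failed (reg.exe exit code $LASTEXITCODE); key left in place."
    }

    Remove-Item -Path $wuKey -Recurse -Force
    Write-Output "Removed policy key; backup saved to $backupFile"
}
finally {
    # Runs even if the backup or removal throws, so the service is never left stopped.
    Start-Service -Name wuauserv
}

# On a domain-joined computer, Group Policy writes the key back at the next refresh
# for as long as the WSUS GPO still applies to the computer (Security Filtering / OU).
```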

Remove WSUS Settings Manually

1. Click Start and type regedit into the start search box, then Right Click and Run as Administrator.

2. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\

3. Right Click and Delete the registry key WindowsUpdate, then close the registry editor.

4. Open the Services Console by entering services.msc in the start search box.

5. Locate and restart the Windows Update Service.

Manage User’s Azure Security Verification

Situation: Normally, a user can manage his/her Azure Security Verification by logging in to the Office portal. However, if the user changes or loses his/her phone and can't log in to Office, the IT manager may help the user change the Azure Security Verification contact info.

Here is how.

  1. Log in to the Azure portal with an admin account.
  2. Go to Azure Active Directory > Users > All Users.
  3. Find the user you want to manage, and click Edit. You will have these options: Identity, Contact info, Authentication contact info.
  4. If Contact info is grayed out, you may change this info from your local AD.
  5. If the Authentication contact info is grayed out, click Access Panel Profile.
  6. In the Profile, click Additional security verification.