Share via

Computers Are Not Appearing In the Correct Computer Groups

Михаил Андросов 456 Reputation points
2025-12-01T10:30:53.63+00:00

Hi!

I am using WSUS on Windows Server 2019.

I created a group policy with a target group selection in WSUS. I have created target groups in WSUS. But the computers fell into the general group of Unassigned computers.

I found out that an option was incorrectly set in the settings on the WSUS server.

In Options > Computers Option, I have set the option to Use Group Policy or registry settings on client computers. After that, I applied the command:

wuauclt.exe /resetauthorization /detectnow

However, the computers remained in the Unassigned Computers group. Please help me, what is my mistake?

Windows for business | Windows Server | Devices and deployment | Install Windows updates, features, or roles
0 comments
Answer accepted by question author
  1. VPHAN 11,040 Reputation points Independent Advisor
    2025-12-01T14:59:33.38+00:00

    The registry configuration confirms that Group Policy is delivering the correct settings to the client, with TargetGroupEnabled set to 1 and the TargetGroup defined. The fact that computers are visible in the WSUS console under "Unassigned Computers" means they are communicating with the server, which rules out fundamental connectivity issues. The problem now is a synchronization failure between the client's reported group membership and the WSUS server's classification logic.

    The most likely cause is that the computers initially contacted and registered with the WSUS server before the server's Options > Computers setting was changed to "Use Group Policy or registry settings on client computers." When a computer first registers under the "Use the Update Services console" (server-side) setting, its record is created with a null or default group assignment. Changing the server option afterward does not retroactively re-evaluate existing computer records; it only applies to new check-ins. The client, despite now sending the correct TargetGroup in its subsequent reports, is being ignored because the server already has a stored group assignment for that computer.

    To resolve this, you need to reset the computer's membership on the WSUS server itself. In the WSUS Administration Console, navigate to "Unassigned Computers," select the problematic computers, and manually move them to the correct "GR-WSUS" target group using the right-click action. This one-time manual assignment overrides the stale record. After this, force the clients to check in again using usoclient StartScan and allow 15-20 minutes for synchronization. Future updates should then respect the client-side policy.

    If manual reassignment doesn't stick, you may need to clear the client's authorization store on the server more aggressively. On the WSUS server, you can decline the computer's updates and delete the computer record from the console (be cautious, as this will also remove its update history). On the client side, as a last resort, you can reset the Windows Update cache completely by stopping the wuauserv service, renaming the C:\Windows\SoftwareDistribution folder, restarting the service, and then forcing a policy refresh with gpupdate /force followed by a detection cycle. This causes the client to re-register with WSUS as a new entity, which should then adhere to the client-side targeting policy from the outset.

    Please test the above suggestions and confirm if they work or not.

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-12-01T10:31:04.6+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It seems like you have set the WSUS server to use Group Policy for computer assignment, which is the correct approach for client-side targeting. However, if the computers are still appearing in the Unassigned Computers group, there are a few things you might want to check:

    1. Group Policy Application: Ensure that the Group Policy you created is properly linked to the Organizational Unit (OU) where the target computers reside. You can use the gpresult /h report.html command on the client machines to verify that the correct Group Policy is being applied.
    2. Group Policy Settings: Double-check the settings in your Group Policy to ensure that they are correctly configured for WSUS client targeting. The specific setting to look for is under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update. Ensure that the setting for specifying the WSUS server and the group is correctly configured.
    3. Client-Side Targeting: Make sure that the Group Policy is set to allow client-side targeting. If you have set the WSUS server to use Group Policy for group assignment, you won't be able to manually add computers through the WSUS Administration Console until you revert that setting.
    4. Re-registering Clients: After making the necessary changes, you might need to re-register the clients by running the commands you mentioned (wuauclt.exe /resetauthorization /detectnow). If issues persist, consider running gpupdate /force followed by wuauclt /detectnow again.
    5. Event Viewer: Check the Event Viewer on the client machines for any errors related to Windows Update or WSUS that might provide additional insights into why the computers are not being assigned correctly.

    By ensuring that the Group Policy is applied correctly and that the settings are configured as intended, you should be able to resolve the issue of computers remaining in the Unassigned Computers group.

    References:

    0 comments
  2. VPHAN 11,040 Reputation points Independent Advisor
    2025-12-01T11:06:31.1166667+00:00

    Добрый день, Михаил Андросов

    Your issue with WSUS client-side targeting is a configuration sequencing problem. The first answer correctly identifies the need to verify Group Policy application but misses the critical detail that the wuauclt.exe /resetauthorization /detectnow command is deprecated and largely ineffective on modern systems post-Windows 8. Instead, you should use the usoclient commands.

    The primary mistake is likely a mismatch between the policy configuration and the client's processing timeline. First, confirm the exact policy settings on a client machine. The required registry values are TargetGroup and TargetGroupEnabled under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. Use gpresult /h gp.html or RSOP to verify the policy applies and shows the correct target group name. The name must match the WSUS target group "exactly", including case sensitivity.

    If the policy is applied but computers remain unassigned, force a policy update and a Windows Update detection cycle. On a client, run gpupdate /force followed by sc stop wuauserv and sc start wuauserv. Then, trigger the scan with usoclient StartScan. Wait at least 10-15 minutes, then check the WSUS console. The client must perform a full detection cycle and report its status to WSUS for the group assignment to reflect.

    Additionally, ensure the WSUS server's Computers option is set to "Use Group Policy or registry settings on client computers" before the clients evaluate policy. If you changed this setting after the clients first contacted WSUS, their existing records may be stuck. You can try moving a computer manually in the WSUS console to its correct group once, then see if subsequent policy-based assignments work. Also, check the WindowsUpdate.log on a client (via Get-WindowsUpdateLog in PowerShell) for errors during the detection process, particularly any mentions of authorization or group assignment failures.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to ACCEPT ANSWER then. Should you have more questions, feel free to leave a message. Have a nice day!

    VPHAN

    0 comments
  3. Михаил Андросов 456 Reputation points
    2025-12-01T12:54:37.6133333+00:00

    I followed the steps you provided. With no results. I see the correct settings in the registry.

    Без имени

    I have a situation where computers are in the Unassigned computers group. And then I adjusted the settings in WSUS to apply group policy.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.