If an endpoint communicates with a Replica WSUS, it can take time for any group assignment changes to appear in the Primary WSUS.
In general, the following steps are needed in order to make it happen:
- The group assignment change should happen.
Note that it does not matter which group assignment type the Replica WSUS is configured to. In both types (Server-Side/Client-Side Targeting) the same steps should be performed.
- The endpoint should communicate with the WSUS.
- A synchronization should take place between the Replica WSUS and the Primary WSUS.
Here are the steps and commands to make it happen:
- Endpoint Communication - There are many ways to trigger communication between the endpoint and the WSUS it is configured to use. While some of them depend on the Windows version and on services being up and running, the most reliable way is to run the following PowerShell command:
$criteria = "IsInstalled=0"; $updateSession = New-Object -ComObject "Microsoft.Update.Session"; $updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates
This command will "check for updates" but won't do anything with the updates it finds.
After the command is finished, the "Last Contact" attribute for the endpoint in WSUS should be updated with the current time (you can add this column to the table by right-clicking the table headers).
Note - You can use the JetPatch Run Task capability to run this command in your environment.
- Replica Synchronization - Start a regular synchronization from the Replica to the Primary.
Note - The synchronization will also pull the updates and approvals from the Primary WSUS.
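The check and the synchronization step above can be scripted on the Replica WSUS. This is an added example, not JetPatch's or Microsoft's own script; it assumes the UpdateServices module is installed, an elevated session on the Replica, and hypothetical parameter names and thresholds.

```powershell
# Added example: run on the Replica WSUS server in an elevated PowerShell session.
# Parameter names and default thresholds are illustrative assumptions.
param(
    [Parameter(Mandatory)][string]$EndpointName,  # name as listed in the WSUS console
    [int]$MaxContactAgeMinutes = 15,              # how recent "Last Contact" must be
    [int]$SyncTimeoutMinutes = 60                 # how long to wait for the sync
)
Import-Module UpdateServices -ErrorAction Stop
$wsus = Get-WsusServer                            # connects to the local WSUS

try { $target = $wsus.GetComputerTargetByName($EndpointName) }
catch { throw "Endpoint '$EndpointName' is not registered on this WSUS: $($_.Exception.Message)" }

# LastSyncTime is the "Last Contact" column; this script treats it as UTC.
$age    = [DateTime]::UtcNow - $target.LastSyncTime
$groups = ($target.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ', '
Write-Output "Groups on Replica: $groups"
Write-Output ("Last contact: {0:u} ({1:N0} minutes ago)" -f $target.LastSyncTime, $age.TotalMinutes)

# Syncing before the endpoint has checked in would not carry the new assignment.
if ($age.TotalMinutes -gt $MaxContactAgeMinutes) {
    throw "Endpoint has not contacted the WSUS recently. Trigger a check for updates on it first."
}

# Start a regular synchronization unless one is already in progress.
$subscription = $wsus.GetSubscription()
if ($subscription.GetSynchronizationStatus() -eq 'NotProcessing') {
    $subscription.StartSynchronization()
}

# Poll until the synchronization finishes or the timeout expires.
$deadline = (Get-Date).AddMinutes($SyncTimeoutMinutes)
do {
    Start-Sleep -Seconds 10
    $status = $subscription.GetSynchronizationStatus()
} while ($status -ne 'NotProcessing' -and (Get-Date) -lt $deadline)

if ($status -ne 'NotProcessing') {
    throw "Synchronization is still '$status' after $SyncTimeoutMinutes minutes."
}
$info = $subscription.GetLastSynchronizationInfo()
Write-Output "Synchronization result: $($info.Result), ended $($info.EndTime)"
if ($info.Result -ne 'Succeeded') {
    throw "Synchronization did not succeed. Check the Synchronizations node in the WSUS console."
}
```

The script stops before synchronizing if the endpoint's last contact is older than the threshold, which is the usual reason a group change does not reach the Primary WSUS.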
If you want to automate this process and can wait for a few hours:
- Make sure your endpoints' GPO configuration for "Automatic Updates detection frequency" is as low as possible (1 hour).
- Have an automated synchronization policy of 24 times per day. More information can be found in "How often should I sync the WSUS replica to its primary server".