Disclaimer: This procedure is not supported by Microsoft and only describes how I managed to rename the computer groups in WSUS without having to create new ones. I cannot be held responsible if you break your WSUS Database even if you follow these instructions exactly. The core of this process I learned from this blog, but I’ve added all my additional notes and experiences.
WSUS (Windows Update Server) 3.0 does not allow computer groups to be renamed through the graphical interface. That makes sense: if you use “Client Side Targeting” (generally set via Group Policy) and you rename a group without updating the related group policy, then clients stop talking and getting approved updates.
The official procedure to rename a WSUS Computer Group is simply to create a new group, update your client side targeting, and let machines populate into that group. However, you then have to go and re-approve all updates for that new computer group! If you’re in the situation we are in, where in the past some select updates (due to technical issues, or product updates we don’t want, etc.) were not approved, you would then have to comb through an existing group and approve only what you already approved. With WSUS being aware of thousands of updates across a multitude of products, that’s a lot of extra work. So here we go!
This task is accomplished by making the changes directly in the WSUS Database, so first up you need to install Microsoft SQL Management Studio on your WSUS Server, and then we’ll connect to the database. Authentication should be “Windows Authentication”, and a word of warning: it appears that in many cases only the User/Admin that installed WSUS in the first place has the necessary access. We initially connected as below with my co-worker’s Domain Administrator account. It connected fine and we could see the SUSDB Database and open it, but when he drilled down to “Tables”, it showed nothing. When we connected the exact same way with my Admin (but not Domain Admin) ID as the one who installed the services, I saw all the tables as necessary…
If your WSUS was set up using all defaults and the built-in Database, then the “Server Name” is this convoluted thing: “\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query”
If you set up your own full or express edition SQL Database under its own instance, then you just connect to that like most SQL Instances, so “ServerName\InstanceName” (in my case “ServerName\SQLWSUS”). You can find this on the WSUS Server in this registry key:
Before making these changes once logged into SQL, you should also stop both the IIS Services and the Update Services on your WSUS Server, but of course don’t stop the SQL Services!
To rename a group, using Microsoft SQL Management Studio, navigate to Databases -> SUSDB -> Tables -> dbo.tbTargetGroup.
In this table you will find your group names in the Name column. Using SQL Mgmt Studio to edit the rows, you can now edit the group names by changing the desired field value. Another word of warning: it appears that, at minimum, the “&” character is prohibited. We changed a name to that and saved it in the database, and then we could not get into the WSUS MMC at all; no reboot or anything would get us back in. As soon as we changed the name to replace “&” with “And” and cycled the services, it all sprang back to life!
After this change, if you refresh the parent node in the WSUS MMC Console Snap-In you will get an “Unexpected Error” in that pane. Hit “Reset Server Node” and the tree will reload showing the renamed Computer Group(s).
Then, if you’re using Group Policy, go ahead and update the policies that have the “Enable client side targeting” rule with the new group names. As each machine gets its updated group policy, and then sometime (usually several hours) after that does its next check-in with WSUS, it should show up as contacting WSUS and in the updated group name. There is a chance that a system will do its WSUS refresh BEFORE it does its group policy update, in which case you may see a group created in WSUS with your “old name”. That should be OK, as it will have no updates approved (or denied/removal), and by the next day the machine will sort itself out, and that old-name group should have 0 computers and can be deleted.
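The edit of the Name column in dbo.tbTargetGroup described above can also be done as a guarded T-SQL script instead of typing into the grid. This is an added example, not part of the original procedure or of any Microsoft tooling; the two group names, the backup path and the nvarchar(255) variable size are placeholders/assumptions, and the syntax is kept to what SQL Server 2005 accepts.

```sql
-- Added example: guarded rename of one WSUS computer group.
-- Run with the IIS and Update Services stopped, as described above.
USE SUSDB;
GO
SET XACT_ABORT ON;   -- a run-time error rolls the open transaction back

DECLARE @OldName nvarchar(255), @NewName nvarchar(255), @Msg nvarchar(2048);
SET @OldName = N'Old Group Name';   -- placeholder: current group name
SET @NewName = N'New Group Name';   -- placeholder: desired group name

BEGIN TRY
    -- The page reports that "&" in a group name made the WSUS MMC unusable.
    IF CHARINDEX(N'&', @NewName) > 0
        RAISERROR(N'New name contains "&"; use "And" instead.', 16, 1);

    IF LEN(LTRIM(RTRIM(@NewName))) = 0
        RAISERROR(N'New name is empty.', 16, 1);

    -- Safety copy before touching the table (path is a placeholder).
    BACKUP DATABASE SUSDB TO DISK = N'C:\Backup\SUSDB_before_rename.bak';

    BEGIN TRANSACTION;

    -- Do not create two groups with the same name.
    IF EXISTS (SELECT 1 FROM dbo.tbTargetGroup WHERE Name = @NewName)
        RAISERROR(N'A group with the new name already exists.', 16, 1);

    UPDATE dbo.tbTargetGroup SET Name = @NewName WHERE Name = @OldName;

    -- Exactly one row must change; anything else means a typo in @OldName.
    IF @@ROWCOUNT <> 1
        RAISERROR(N'Expected to rename exactly one group; nothing saved.', 16, 1);

    COMMIT TRANSACTION;
END TRY
BEGIN CATCH
    IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
    SET @Msg = ERROR_MESSAGE();
    RAISERROR(N'%s', 16, 1, @Msg);   -- report why the rename was refused
END CATCH;

-- Show the group names as they now stand.
SELECT Name FROM dbo.tbTargetGroup ORDER BY Name;
```

Start the IIS and Update Services again afterwards, then continue with the “Reset Server Node” and Group Policy steps above.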