king daddy asked:
Capture all domain computers in AD by applying a WSUS GPO along with the default domain policy under the domain at the top of the Group Policy structure?

In order to capture all computers in the domain on the new WSUS server, should I place a WSUS GPO just under the domain (like with the default domain policy)? Would that be a bad idea?

To note, I found 145 servers in AD using powershell with only 8 of them being disabled. Since yesterday, 45 have shown up on WSUS but they are in specific OUs where I linked the WSUS GPO. The other servers are in the Computers container and Domain Controllers OU (12 DCs). So, I am about 90 off between AD and WSUS (after I link the WSUS GPO to the Domain Controllers OU).

Thanks.
SOLUTION by Hypercat (Deb):
I link the GPO to the top of the domain, and then I also link it to any OU where inheritance is blocked.

IMHO, yes, you should link the GPO to the domain root. Also link it to any OU where inheritance is blocked but where you want the GPO to apply.

As a reminder, don't modify the default domain policy. I don't think that you did, but we should all be clear that it's bad practice to do so.

Leaving computers in the Computers container is not good practice. Move them to an OU.
A few dependency questions:

Do you have multiple operating systems that require patching?

Is WSUS configured with computer groups for the different OSes represented, so that you can perform future patches, approve those patches per operating system, and schedule the patching and reboots to match your change management window(s)?

If so, can like-OS servers be moved to separate OUs with separate update policies? This comes in handy if you don't want to apply blanket updates and reboot all servers at the same time when that doesn't correspond to an outage window.

Are all the servers located on the same physical LAN? If you have separate sites, you might need separate WSUS servers.
king daddy (ASKER):
Thanks Hypercat and kevinhsieh for replying. First, to be clear, I did not modify the default policy. I created WSUS - Servers and WSUS - Workstations policies. Also, I am kinda glad I didn't see these replies until after I did what I did (below) as the two different viewpoints would have made it more challenging to decide (though, I lean toward Hypercat's input - sorry kevinhsieh :-))

I ended up running a powershell script to find the server's DN from AD and piped that to a CSV. I then did a Find in Excel and looked for "CN=Computers" so I could determine which servers were in the Computers container. I went to AD and moved them to pre-existing Server OUs that already have the WSUS - Servers GPO. Though, there were only 25 servers in the Computers Container. Unfortunately, this still leaves 53 servers unaccounted for (at least until I look at that CSV for OUs where these servers reside).
Damn, Brian, you're killing me. One site is NV, one is TX. I do not have separate policies per OS, and I have a mix of 08, 12, and 16 (though 08 will be going away over the next couple of months). I did create one WSUS group named Servers with subgroups named for each location (the servers' names are based on their location). When I set up the WSUS - Servers policy, I put the group name (Servers) in the client-side targeting setting, but none of them went there by default (I did have WSUS set up before the GPO), so I just monitored and, as they came in, manually moved them. I could likely redesign AD with OUs based on OS, or at least child OUs based on OS. I will need to think about that, as well as how to go about reconfiguring WSUS and GPO afterwards.

I was also planning on a downstream WSUS server at the other site (TX) for those but just started this entire thing last Friday.

This is brand new and can be tweaked / done over if needed.

Thanks for the input
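The DN-to-CSV step the asker describes, as an added example that is not from the thread: enumerate enabled Windows Server objects in AD, show which container or OU each lives in, and flag the ones still in CN=Computers (a container cannot have a GPO linked to it, so those machines only receive domain-linked policy, which is why the domain-root link matters). It assumes the ActiveDirectory module; the WSUS comparison at the end is optional and assumes the UpdateServices module on the WSUS server itself.

```powershell
# Added example, not the thread's own script. Requires RSAT's ActiveDirectory module;
# the UpdateServices block only runs where that module is available (the WSUS server).
Import-Module ActiveDirectory

# Enabled server-class computer objects, plus the DN of the object's parent.
# The parent is derived by stripping the leading "CN=<name>," from the DN
# (assumes computer names without escaped commas, which is the normal case).
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" `
    -Properties OperatingSystem, DNSHostName |
    Select-Object Name, DNSHostName, OperatingSystem,
        @{ Name = 'Parent'; Expression = { $_.DistinguishedName -replace '^CN=[^,]+,', '' } }

# Where do the servers live? Anything under CN=Computers is a policy gap
# unless the WSUS GPO is linked at the domain root.
$servers | Group-Object Parent | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$inDefaultContainer = @($servers | Where-Object { $_.Parent -like 'CN=Computers,*' })
"{0} server(s) still in the default Computers container:" -f $inDefaultContainer.Count
$inDefaultContainer | Select-Object Name, OperatingSystem | Format-Table -AutoSize

# Same data as a CSV for review (replaces the Excel "Find" step).
$servers | Export-Csv -Path .\ad-servers.csv -NoTypeInformation

# Optional: which AD servers have never checked in to WSUS? Run on the WSUS server.
if (Get-Module -ListAvailable -Name UpdateServices) {
    Import-Module UpdateServices
    $wsus  = Get-WsusServer                      # local WSUS instance
    $known = Get-WsusComputer -UpdateServer $wsus |
        ForEach-Object { $_.FullDomainName.ToLower() }
    $missing = @($servers | Where-Object {
        $_.DNSHostName -and ($_.DNSHostName.ToLower() -notin $known) })
    "{0} AD server(s) have not reported to WSUS:" -f $missing.Count
    $missing | Select-Object Name, Parent, OperatingSystem | Format-Table -AutoSize
}
```

The Parent column makes it immediate which OUs still lack a WSUS GPO link (or block inheritance), and the optional diff turns the "about 90 off" count into a named list to work through.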
ASKER CERTIFIED SOLUTION
King Daddy - I think Brian has covered it all in terms of the details of organizing and managing the different OSes and OUs.
Thanks, everyone. I am going to go over Brian's links and proceed accordingly. We don't have bandwidth issues, so I may try one WSUS server and then add another if needed.