Hoping someone can help. I’m new to this and it’s my first GPO in a live environment and of course it’s not working!!

The goal is to do Windows Updates on my servers. But I seem to have an Issue with security that I just can’t work out.
In AD I have 3 Server OU’s “Domain Controllers”, “Exchange Servers” and “Servers”. The GPO has been linked to all 3 OU’s. If I set the Security Filtering to “Authenticated Users” it will report all server in the 3 OU's to the WSUS server. But I need to have the Security filter pointing to a Security Group so that I can make each server a member of the group or not a member when I don’t want it reporting. Every time I test it I get Denied GPOs “Access Denied (Security Filtering)” in reference to the Security Group.
-------------------
Security Group “ Server Windows Updates” has been given Read and Apply Group Policy rights. Authenticated Users has been change to read.
-----------------
Computer Configuration\Administrative Templates\Windows Components\Windows Updates
>>>Configure Automatic Updates = Enabled
>>>Specify intranet Microsoft update services location = Enabled
>>>Automatic updates detection frequency = Enabled
>>>Allow non-administrators to receive update notifications = Enabled
-------------------
How can I find out where it is being blocked? If I missed anything please let me know. Thanks!