If you fail to do so, the Automatic Updates service will fail to start with "Error 0x80004015: The class is configured to run as a security id different from the caller". This is discussed in detail here. Repeat these steps for the Background Intelligent Transfer Service (BITS).
On a related note, in order to test WSUS with a limited number of computers I employed the following approach. As Microsoft guides recommend, I created a separate WSUS policy GPO with WSUS settings in Group Policy Management Console. I linked it to the top-level domain, but using the Security Filtering feature I specified that it only applies to a few selected computers. Once testing is successfully, I will replace this list of computers with "Authenticated Users" group so that the policy applies to all.