We have just spun up two WSUS Servers running on Windows Server 2016 (WSUS version 10.0.14393.2848). There is an Upstream server connecting to Microsoft and pulling updates with a Downstream server in a different, untrusted domain. These domains are managed by different entities so we don't have an option to create a trust between them.
All of the update stuff is working fine. I create groups in the upstream server and they are reflected on the downstream server. I have GPOs on the domain for the downstream server that are properly assigning clients to the WSUS groups and pointing them at the downstream server. I can approve updates at the upstream server; it downloads them from Microsoft during its next synch and the downstream server picks them up on its next synch. The clients then properly pull them from the downstream server.
What...