Hi everyone,
I’m testing Patch Connect Plus in a multi-tier WSUS setup, and I’ve run into an issue where third-party updates published to the upstream WSUS do not appear on the downstream WSUS servers after synchronization.
Here’s my setup and what I’ve observed:
Topology:
Microsoft Update → Upstream WSUS (with Patch Connect Plus) → Downstream WSUS #1 → Downstream WSUS #2
All servers communicate successfully over port 8530.
Connectivity:
The upstream WSUS has internet access and successfully downloads both Microsoft and third-party updates.
Downstream servers sync normally and can see Microsoft updates from the upstream.
Third-Party Publishing:
I’ve published several third-party apps (e.g., 7-Zip, Chrome) using Patch Connect Plus.
The updates appear correctly in the upstream WSUS console and can be deployed to clients.
However, the same updates don’t appear on the downstream WSUS servers after synchronization.
Certificates:
The WSUS publishing certificate has been imported into both Trusted Root and Trusted Publishers on all WSUS servers.
The “Allow signed content from intranet Microsoft update service location” policy is enabled.
Testing Notes:
In a single-server environment (Patch Connect Plus directly publishing to a standalone WSUS), everything works perfectly.
The issue only occurs in the connected WSUS hierarchy.
Question:
Are there known limitations or additional configuration steps required for Patch Connect Plus–published updates to replicate to downstream WSUS servers in a connected hierarchy?
Do these updates require manual publishing or approval steps on the downstream WSUS instances?
Any insights, configuration examples, or known workarounds would be greatly appreciated.
Thanks in advance!
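An added diagnostic, not from the original post: it walks each tier of the hierarchy described above, reports whether the server is a replica or an autonomous downstream, lists the updates WSUS flags as locally published (which is how Patch Connect Plus content is stored), and confirms the publishing certificate is present in both the Trusted Root and Trusted Publishers stores. The server names and thumbprint are placeholders; it assumes the WSUS administration assembly is available where the script runs, port 8530 without SSL as in the post, and WinRM enabled on each server.

```powershell
# Added diagnostic, not code from the original post or from Patch Connect Plus.
# Assumes: Microsoft.UpdateServices.Administration is installed locally,
# every server listens on 8530 without SSL, WinRM is enabled on each server.
$Servers = @('upstream-wsus', 'downstream-wsus-1', 'downstream-wsus-2')   # hypothetical names
$PublishingCertThumbprint = 'PASTE-PUBLISHING-CERT-THUMBPRINT-HERE'       # placeholder

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

foreach ($server in $Servers) {
    Write-Host "=== $server ==="
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($server, $false, 8530)
    $cfg  = $wsus.GetConfiguration()

    # A replica mirrors the upstream's approvals; an autonomous downstream
    # receives metadata but needs its own approvals.
    $mode = if ($cfg.IsReplicaServer) { 'replica' } else { 'autonomous' }
    Write-Host "Mode: $mode"

    # Third-party content published through the local publishing API carries
    # IsLocallyPublished = $true; Microsoft updates do not.
    $thirdParty = @($wsus.GetUpdates() | Where-Object { $_.IsLocallyPublished })
    Write-Host ("Locally published updates visible: {0}" -f $thirdParty.Count)
    $thirdParty | ForEach-Object { Write-Host ("  " + $_.Title) }

    # Check both certificate stores on the remote server itself.
    $certState = Invoke-Command -ComputerName $server -ArgumentList $PublishingCertThumbprint -ScriptBlock {
        param($thumb)
        [pscustomobject]@{
            Root             = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumb)
            TrustedPublisher = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $thumb)
        }
    }
    Write-Host ("Cert in Trusted Root: {0}; in Trusted Publishers: {1}" -f $certState.Root, $certState.TrustedPublisher)
}
```

A tier that shows zero locally published updates while the upstream lists them, or a missing certificate in either store on any tier, narrows the problem to replication versus trust before changing any publishing settings.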