Updates publish without issue but they fail to install on the client.
This error has been shown on C:\Windows\CCM\Logs\WUAHandler.log
Failed to download updates to the WUAgent datastore. Error = 0x800b0109
Self signed certificates are not in the local computers Trusted Publishers and Trusted Root Certification Authorities store and you will need to enable Allow signed updates from an intranet Microsoft update service location.
Import the WSUS self signed certificate to the client computer's Trusted Publishers and Trusted Root Certification Authorities and to change this setting in GPO.
Create a GPO which will import this certificate and enable Allow signed updates from an intranet
To check this policy locally go to run and type in gpedit.msc
Then navigate to Computer Configuration > Windows Components > Windows Update
If the issue is still present add the following DWORD to the registry.
Modify and change the value to 1 in decimal.