Updates publish without issue but they fail to install on the client.
This error has been shown on C:\Windows\SysWOW64\CCM\Logs\WUAHandler.log
Failed to download updates to the WUAgent datastore. Error = 0x800b0109
Self signed certificates are not in the local computers Trusted Publishers and Trusted Root Certification Authorities store and you will need to enable Allow signed updates from an intranet Microsoft update service location.
1) Import the WSUS self signed certificate to the client computer's Trusted Publishers and Trusted Root Certification Authorities and to change this setting in GPO.
NOTE: Make sure that you are checking the client's Local Computer account and not the client's User Account stores in MMC for the certificates. If it is in the User Account, the issue will still be present. It must be in the Local Computer store.
2) Create a GPO which will import this certificate and enable Allow signed updates from an intranet Microsoft update service location.
Please refer to Page 39 of the Administrator Guide
To check this policy locally go to run and type in gpedit.msc
Then navigate to Computer Configuration > Windows Components > Windows Update
3) If the issue is still present add the following DWORD to the registry.
Modify and change the value to 1 in decimal.