The Windows Update Service needs to be either started or set to manual, it cannot be set to disabled. If using a Distribution Server, make sure it's synced with the Protect Console. Also, does the Tracker show failures for these machines?
Other than that, a reboot of the target machine is a good indicator all the services and ports require for a deployment are open.
You could take a look at the logs on the target, they are located here: C:\Windows\ProPatches\Logs STDeploy.log and STDeployCore.log would be a place to start. Just look for anything obvious. (you can attach them here too)