Forums on Intune, SCCM, and Windows 11

PENDING SCCM Software Updates Compliance Unknown

cminner

Hello,

My company supports around 2000 Windows 10/11 desktops and 80 Windows Servers 2012 R2, 2016, and 2019. We are using a single SCCM Server 2012 R2 with Configuration Manager v2309. We are utilizing the Software Update Point with WSUS and deploying updates to collections using Software update groups and deployment packages.

I’m having an incredibly hard time figuring out why SCCM can push Microsoft Update packages to some devices but others sit in the “Client Check Passed/Active” Unknown state. This is happening to both servers and workstations. For reference I have two Server 2016 devices in the same subnet and one is showing compliant and the other unknown.

Here is the troubleshooting I’ve done in reference to these two servers.

  • Verified Boundary using IP range which covers a /24 subnet.
  • Removed and reinstalled the following: Software Update Point component, WSUS role, WSUS database and IIS site completely.
  • Disabled Windows Firewall, also checked our firewall/proxy logs to verify traffic on 8350/8351 was not being blocked.
  • Verified registry/GPO settings for Windows update were equal. We are letting the CM Client control the policy “Specify intranet Microsoft Update service location”.
  • Verified both servers can access the selfupdate/iuident.cab, ClientWebService/client.asmx, and SimpleAuthWebService/SimpleAuth.asmx sites on port 8350 of our SCCM server.
  • Deleted GPO settings using:
    del /a /q C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  • Deleted the contents of C:\Windows\SoftwareDistribution
  • Reinstalled the CM client
  • Checked the logs wuahandler.log, updatesdeployment.log, deployment updatestore.log
  • Verified DNS is resolving hostnames between servers.
  • Verified Dual scan is not active.
At this point I don’t know what else to check. Can anyone offer some insight or other troubleshooting steps? I’ve attached some logs from our working and non-working servers. It would be much appreciated!
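The policy, DNS and endpoint checks listed in the post, collected into one script that can be run on both the compliant and the unknown server so the results can be compared side by side. This is an added example, not part of the original post; the host name `sccm.example.internal` is a placeholder, and plain HTTP on port 8350 is an assumption taken from the port the post names.

```powershell
# Added example: gather the Windows Update policy and WSUS reachability
# facts from one client so two machines can be compared.
param(
    [string]$SupHost = 'sccm.example.internal',  # placeholder SUP/WSUS host name
    [int]$Port = 8350                            # port named in the post
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$paths = 'selfupdate/iuident.cab',
         'ClientWebService/client.asmx',
         'SimpleAuthWebService/SimpleAuth.asmx'

# Values behind "Specify intranet Microsoft Update service location".
# A missing key yields empty columns rather than an error.
$policy = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

$result = [ordered]@{
    Computer       = $env:COMPUTERNAME
    WUServer       = $policy.WUServer
    WUStatusServer = $policy.WUStatusServer
    UseWUServer    = $au.UseWUServer
}

# Name resolution and raw TCP reachability of the update point.
$result.DnsResolves = [bool](Resolve-DnsName -Name $SupHost -ErrorAction SilentlyContinue)
$result.TcpOpen     = (Test-NetConnection -ComputerName $SupHost -Port $Port `
                        -WarningAction SilentlyContinue).TcpTestSucceeded

# HTTP status of each WSUS endpoint; a failure is recorded as its error text
# so a proxy or authentication response is visible in the output.
foreach ($p in $paths) {
    $url = "http://${SupHost}:$Port/$p"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $result[$p] = [int]$r.StatusCode
    } catch {
        $result[$p] = $_.Exception.Message
    }
}

# One row per machine; collect the CSVs from both servers and compare them.
[pscustomobject]$result |
    Export-Csv -Path ".\wsus-check-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it in an elevated session on each server; any column that differs between the two CSV files marks where the machines diverge.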
 
