If you find the System Patches failing in an SCCM environment. Please follow the steps listed below:
1. Stop Windows update service, rename the C:\Windows\SoftwareDistribution folder to SoftwareDistribution.old.
2. Stop Cryptographic service, then rename C:\Windows\System32\catroot2 to catroot2.old.
Once the above steps is done, run these actions from the configuration manager:
Discovery Data Collection Cycle
Software Updates Deployment Evaluation Cycle
Software Updates Scan Cycle
The procedure above has taken care of the issue pretty reliably. If the updates still don’t install properly, you may have to download the specific updates and install them manually.