I FINALLY FIGURED IT OUT!!!!!!!!!!!!! ![Image]()
I just kept messing with the errors and Goggling and finally came across a post that mentioned and additional WU security setting:
In Group policy: Computer configuration > Policies > Admin Templates > Windows Components > Windows Update
The setting is: "Allow signed updates from an intranet Microsoft update service location" - This must be set to Enabled otherwise the client will not accept it even if the signed certificate is valid and configured correctly.
This is one piece of info that might be good to put into the document just for users to check.
Hope this helps someone else.

I just kept messing with the errors and Goggling and finally came across a post that mentioned and additional WU security setting:
In Group policy: Computer configuration > Policies > Admin Templates > Windows Components > Windows Update
The setting is: "Allow signed updates from an intranet Microsoft update service location" - This must be set to Enabled otherwise the client will not accept it even if the signed certificate is valid and configured correctly.
This is one piece of info that might be good to put into the document just for users to check.
Hope this helps someone else.