I agree with what wroot stated. I see the same problems where the vast majority of clients update without any problems which is great but we are always left over with an amount of machines which don't take the update.
The "update failure" reason in the intune reporting is almost next to useless it most often gives a reason which is completely unrelated to the actual problem the device is having. Sadly for these machines it means someone has to remote on or get hands on with the machine to troubleshoot what the problem is so it can be rectified. I understand the reasons for an update not installing could be one of hundreds but I would of thought using all the telemetry there would be some better insight into whats causing them not to update.