Ok, after spending 3 weeks with Microsoft's technical support department we have solved the problem.
The problem is with Dual Scan trying to connect to Windows Update (online) and failing. When it fails the system just stops trying and refuses to connect to WSUS.
The added problem is the server install media has a bug in it which prevents the Dual Scan from changing. It just ignores the policy and keeps the default update source Windows Update.
Here is what you have to do to fix it:
Run the following commands in Powershell on the offending server
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.Services | select Name, IsDefaultAUService
You will get something back like this:
Windows Update Standalone Installer - False
Windows Server Update Service - False
Windows Update - True
If it says "Windows Update - True" Then that is your default source, no matter what your GPO says...
The first thing you have to do is make sure the following patches are installed on your server.
kb4103720 and kb4462928
You need them BOTH. They are both huge, they both take forever and a day to install and they both require a server reboot.
These KBs fix the dual scan issue so the server will respond to the GPO telling it which default source to use.
Now you need to configure Group Policy to tell the server to only use the WSUS server. Per Microsoft these are the required settings (I am dubious on some of them, but I haven't tested each one... I am just happy the thing is finally working)
Computer Configuration > Policies > Administrative Templates > System > Device Installation
Specify the search server for device driver source locations
Set to "Enabled"
Select search order: "Do not search Windows Update"
Specify the search server for device driver updates
Set to "Enabled"
Select Update Server: "Search Managed Server"
Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings
Turn off access to all Windows Update features (In Microsoftspeak that means their online server, not 'make so it can't get updates')
Set to "Enabled"
Turn off access to the Store
Set to "Enabled"
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
Do not allow update deferral policies to cause scans against Windows Update
Set to "Enabled"
No auto-restart with logged on users for scheduled automatic updates installations
Set to "Enabled"
Specify intranet Microsoft update service location
Set to "Enabled"
Set the intranet update service for detecting updates: "http://[YOUR SERVER]:8530"
Set the intranet statistics server:"http://[YOUR SERVER]:8530"
Set the alternate download server: "http://[YOUR SERVER]:8530"
Uncheck the box Download files with no Url in the metadata if alternate download server is set
Move your servers into an OU with this GPO enabled. I created a separate OU in my Servers OU just for 2016 server and linked this GPO to it.
Run the above powershell commands again.
It should now say
Name IsDefaultAUService
------- --------------------------
Windows Server Update Service True
Windows Update False
If you get "Windows Server Update Service" True, then it should work!
I hope this helps someone else. This has certainly been a frustrating issue...
I accept donations in unmarked bills, gold bars and scotch.
Best Answer
To directly answer your question, the "Windows Server 2016 and Later Servicing Drivers" product category does contain updates that might be applicable to your servers, but they are all device drivers, so they will not affect the build number.
You can look up an arbitrary build number for Windows Server 2016 by looking at the list of builds shown in KB4000825, or it is often easier to just Google the build number.
In this case, the particular Windows build you are interested in was released as KB4519979, on October 15. I've checked my WSUS server (which has all products and classifications enabled) and this update is not present, nor was any other Windows 2016 update released on or near that date. So it appears that it simply hasn't been released via WSUS.
Occasionally non-security updates do get left out of WSUS, for reasons that are unclear. Don't worry about it; when the November updates are released they should bring your DCs back in line with your other servers.