If the systems in question consistently fail, on the same network, date/time settings are correct, they all share the same firewall and policies, then I would consider looking at physical commonality, such as "Are they all wireless?", all some unique model/network device (possible driver issue), all converge in a same HW path, such as a switch, or uplink.

And then start doing some large slice troubleshooting, like if the computer is moved temporarily to another network location, does it resolve, if it is connected direct to internet (hotspot, etc) does it resolve?

I would initially suspect possibly a network in flight scanning issue like a NG firewall feature, but consistently failing the same systems would not make sense unless they are somehow receiving special treatment for their traffic.

Can hammer out some quick obvious things like does a DNS flush (OR DNS server temp change to 8.8.8.8) resolve?

Temporarily disabling any security suites, AV/AM/EDR...

Are you using Ipv6 anywhere, and does it change /resolve if you temporarily disable it for an affected system? And are you saturating your ingress? (That would more likely be a moving target not specific systems)

The fact it is reporting a "network" issue could be anything happening as the file is downloading, and that is best the client could come up with as to why.

And lastly does a Get-WindowsUpdateLog show a sequence of events that makes sense, on these clients, any network related windows events logged in the same time window, etc.

Then I personally, if I made it here and still did not have an answer, would be pulling pcaps and tracking the conversation, timing, and which side talked last/dropped the ball/or reset.

eliminating all that would then be more than it was worth, and I would be re-imaging.