Windows Update of Windows Server 2016 against local WSUS server fails

1

Installing a new environment built around Windows Server 2016 that has some of the servers on a network that can't reach out to the internet, we installed Windows Server Update Services (WSUS) on one of the servers that has two network cards (dual NICed). One of the NICs can reach the internet to download updates and supply them to the rest of the servers via the other NIC (which is specifically configured to NOT route traffic). Once configured, all of the machines reported themselves to the WSUS server, but never downloaded updates.

We eventually found the "Do not allow update deferral policies to cause scans against Windows Update" policy, which we Enabled; that forced the servers and workstations on the non-internet-accessible segment to make further use of the local WSUS server. In this configuration, our Windows 10 workstations fully worked, but the Windows Server 2016 machines still consistently failed.

We eventually found that the AppPool associated with the WSUS site had its "Private Memory Limit" too small to allow Windows Server 2016 scans to complete. The default limit as installed by the WSUS was something like 2.8GB. The suggested setting is "0" (unlimited). Watching the scan of one Windows Server 2016 machine suggests that each Windows Server 2016 machine will take more than 6GB of memory during its "Scan" phase of an update. There was some evidence that our server would not "page" this memory requirement to disk, so we also increased the physical memory as well. Once the scan phase consistently completed, the servers started to download updates, but the OS cumulative patches consistently failed to apply. We used the Get-WindowsUpdateLog command to attempt to find out what was happening, but the produced log did not point to an issue. We looked through other logs and events, Googled the return code from the update failure (0x800705b4), but found no resolution/pointers. Out of desperation, we postulated the update timed out due to Windows Defender's activity. Note: We would eventually install these updates manually by downloading them from Microsoft, and each time we attempted to install them manually, they installed without issue.

Based on the assumption that we were dealing with a timeout, we disabled Windows Defender's "Real-Time protection" which obviously slowed the install. Once the Real-Time protection was disabled, it seems to have sped up the install enough to allow the install to complete. This was done for one iteration, but we then re-enabled the Real-Time protection.

Finally, the question: Is there a way to increase the time allowed for Windows Update to apply its updates? Or is there a best practice on how to get these large updates to apply automatically?

windows-10
windows-update
windows-server-2016
windows-defender
wsus
asked on Super User May 24, 2019 by Alan Kwiatkowski
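
The app pool check and change described in the question, as an added PowerShell example that is not part of the original post. It assumes the WSUS pool has the default name `WsusPool` and that the IIS `WebAdministration` module is installed; the `-Apply` switch is a name chosen for this example, and without it the script only reports.

```powershell
# Added example: report the WSUS app pool's Private Memory Limit next to the
# worker process's actual private memory, and optionally set the limit to 0.
# Run from an elevated PowerShell session on the WSUS server.
param([switch]$Apply)   # hypothetical switch for this example

Import-Module WebAdministration

$poolName = 'WsusPool'    # assumption: default WSUS pool name
$poolPath = "IIS:\AppPools\$poolName"
$setting  = 'recycling.periodicRestart.privateMemory'

if (-not (Test-Path $poolPath)) {
    throw "Application pool '$poolName' not found; adjust `$poolName."
}

# The limit is stored in KB; 0 means unlimited.
$limitKB = [int64](Get-ItemProperty -Path $poolPath -Name $setting).Value
if ($limitKB -eq 0) { $shown = 'unlimited' } else { $shown = "$limitKB KB" }
Write-Output "Private Memory Limit for ${poolName}: $shown"

# Find the w3wp.exe worker(s) serving this pool and compare usage to the limit.
$workers = Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" |
    Where-Object { $_.CommandLine -like "*-ap `"$poolName`"*" }

foreach ($w in $workers) {
    $proc   = Get-Process -Id $w.ProcessId
    $usedKB = [int64]($proc.PrivateMemorySize64 / 1KB)
    Write-Output "w3wp PID $($w.ProcessId): $usedKB KB private memory"
    if ($limitKB -ne 0 -and $usedKB -ge 0.9 * $limitKB) {
        Write-Warning "Worker is within 10% of the limit; IIS recycles the pool when the limit is reached."
    }
}

# Only change the setting when explicitly asked to.
if ($Apply -and $limitKB -ne 0) {
    Set-ItemProperty -Path $poolPath -Name $setting -Value 0
    Restart-WebAppPool -Name $poolName
    Write-Output "Private Memory Limit set to 0 (unlimited) and $poolName restarted."
}
```

Running it while a Windows Server 2016 client is in its scan phase shows how close the worker gets to the configured limit before any change is made.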

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0