If you have deployed a Windows Server 2012 R2 generation 2 virtual machine on 2012 R2 Hyper-V server you may find that Windows Update fails on any generation 2 virtual machines.
Generation 2 virtual machines use UEFI rather than BIOS. UEFI is a firmware interface to the hardware that will gradually replace BIOS on newer hardware. It is more secure than BIOS and designed to protect pre-boot prcesses from attack, improve startup times and support larger disks, as well as a number of other enhancements.
So a Generation 2 virtual machine uses UEFI, and therefore has the Enable Secure Boot option enabled by default.
Below are lots of WindowsUpdateClient event id 20 error messages. I recieved on my first generation 2 virtual machine.
Shutdown the virtual machine in question, then select Settings.
Next, run Windows Update, patch the server and once the updates are completed, shutdown the server so you can re-enable the Secure Boot option.