Hello,
There is a distinction between the status reported by the Windows Update Agent to the WSUS Server, and the actual availability of those updates to the client machines. The fact that an update is reported as NotInstalled is only half the process; the other half is ensuring that the update is approved for installation for the correct groups, that the client systems are assigned correctly to those groups, and that the content associated with those updates has successfully downloaded to the WSUS server. Until all three requirements are met, the client will not be able to download/install those updates, and will report the machine as "up to date".
For more details, please go through the similar thread below:
https://social.technet.microsoft.com/Forums/en-US/714b2457-af10-4783-a889-70617d51696d/winupdate-shows-windows-is-up-to-date-but-wsus-shows-updates-needed?forum=winserverwsus
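One way to check the three requirements described above for a single client, as an added example that is not part of the original reply. It assumes the script is run in an elevated session on the WSUS server with the UpdateServices module installed; the client name is a placeholder.

```powershell
# Added example. $ClientName is a placeholder: use the client's full name
# exactly as the WSUS console lists it.
param([string]$ClientName = 'client01.example.local')

Import-Module UpdateServices
$wsus   = Get-WsusServer                      # local WSUS server
$client = $wsus.GetComputerTargetByName($ClientName)

# Requirement: the client is assigned to the groups you expect.
$groups = $client.GetComputerTargetGroups() | ForEach-Object Name
"Target groups for ${ClientName}: $($groups -join ', ')"

# Limit the report to updates the client reported as NotInstalled.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.IncludedInstallationStates =
    [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled

$client.GetUpdateInstallationInfoPerUpdate($scope) | ForEach-Object {
    $update = $_.GetUpdate()
    [pscustomobject]@{
        Title        = $update.Title
        # Requirement: approved for installation for this client's groups.
        Approval     = $_.UpdateApprovalAction
        # Requirement: content downloaded to the WSUS server ('Ready').
        ContentState = $update.State
        # The client can only download/install when both hold.
        Deliverable  = ($_.UpdateApprovalAction -eq 'Install' -and
                        $update.State -eq 'Ready')
    }
} | Sort-Object Deliverable, Title | Format-Table -AutoSize
```

Rows with `Deliverable` set to `False` are updates that WSUS shows as needed but the client cannot yet obtain; the `Approval` and `ContentState` columns show which requirement is unmet.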