I was experimenting with WSUS settings related to MDT and tried to use the underlying WSUS server that was used within SCCM. Not a good idea!!! The main reason is that when you decline an update in the WSUS console the update becomes expired in the SCCM console. How that looks like? See this article.
My first try to fix this was approving the update again in the WSUS console for a dummy computer group. But that didn’t work.
Besides approving the update in the WSUS console you must perform a full sync from SCCM. The easiest way to do this is to deselect all your classifications and perform a sync. You would see something like this in your wsyncmgr.log.
After changing the classifications back to their original settings and performing another sync the wsyncmgr.log would show something like this.
Refreshing the Windows Updates now shows normal icons… Whoohoo!