Do you use a passcode policy to enforce passcodes on your devices? If so, the device will need to have the user of the device allow the update by entering the passcode. Otherwise it will fail.
Which OS are you starting with? Do you see commonalities in device type or network configuration? Can you describe more about the configuration you're using and what type of response the device is showing?
This recently came up in our environment. We have about 4,000 iPads as part of a special use case running a custom app in Single App Mode. We noticed recently a high volume of data going to some of the devices from this URL (updates-cdn.apple.com). Does anyone know if Apple routinely sends information to iOS devices using this URL when an iOS update has not been requested? One of the tablets in question was running an older version of iOS (I believe 14.x) but no update had been requested.