If a client is set to update itself in its policy, and it checks in, and it's unable to update itself, this should be a trouble condition. It should not display as Protected on the client. If a client is unable to update, this indicates a potential malware infection or protection issue. There is no standard by which a computer in this condition should be considered Protected.
Looping update failures can cause serious CPU, bandwidth, and hard drive storage problems. I've found clients with 5000 attempts to upgrade themselves that ate the whole 150GB HDD, which their users have just lived with because they thought their computer was just slow.