Windows update or another installer is "blocked" by Application and Device Control

Article ID: 258573

Products

Endpoint Protection

Issue/Introduction

Installation of a Windows patch/update is blocked on a system by the Application and Device Control policy of Symantec Endpoint Protection (SEP).

Entries like the one below are found on the SEP client by going to View Logs > Client Management and clicking View Logs > Control Log:

12/26/2022 9:32:03 PM    502    Minor and Above : (10)    Block    [AC8-3.1] Block saving .exe, .dll and .msi files - Caller SHA256=3df0f238e7fee405a75defea05fcebb15219d24f778c4f6530ddd6e2ab383dfa    File Write    0x0    12/26/2022 9:30:59 PM    12/26/2022 9:30:59 PM    All Applications | [AC8-3.1] Block saving .exe, .dll and .msi files    5528    C:\Windows\SoftwareDistribution\Download\Install\Windows-KB890830-x64-V5.108.exe

Environment

SEP 14.3 RU3 and later

Cause

The built-in Application Control rule set Stop software installers [AC8], rule [AC8-3.1 - Block saving .exe, .dll and .msi files], is blocking the execution of the .exe of the Windows patch/KB.

Resolution

This rule set (Stop software installers [AC8]) is not enabled by default.

If it has been enabled and is blocking, modify it as follows in the Symantec Endpoint Protection Manager (SEPM) console:

  • Click on Policies > Application and Device Control.
  • Right-click on the Application and Device Control policy being used and click Edit.
  • Click on Application Control to get the list of Rule Sets applied.
  • Select "Stop software installers [AC8]" and click Edit.
  • Click on All Applications under Rules and add an exclusion for C:\Windows\SoftwareDistribution\*

Note: In some scenarios, additional exclusions are required for certain Windows updates.
Example: Windows 10 servicing stack update (KB5054682)
Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing updates.
This update uses "TiWorker.exe" and will get blocked. The details can be found in the Control Log as follows:
[AC8-3.1] Block saving .exe and .dll files - Caller SHA256=77da08ee0fd4631a2e3239cd16f0aa304c3395796eee21068e8183272e21a4c6
All Applications | [AC8-3.1] Block saving .exe and .dll files
C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5547_none_7e02b5467c95ffef\TiWorker.exe
C:\Windows\SoftwareDistribution\Download\b0f02d17d323c4b231063dae09c0387f\inst\_SSU-19041.5676-x64.cab_\amd64_microsoft-windows-s..-installers-onecore_31bf38

For it to work, the exclusion below needs to be added as well:
C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.5547_none_7e02b5467c95ffef\TiWorker.exe

Similarly, add the path of any other program that is getting blocked by this rule, such as C:\temp\sepclientinstaller.exe
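
To keep the exclusion list as narrow as possible, Control Log rows can be triaged offline to see which blocks the planned exclusions cover and which paths are still blocked. The script below is an added example, not Broadcom's code, and `parse_row`, `wildcard_to_regex` and `triage` are hypothetical helper names. It assumes rows copied from the Control Log are separated by tabs or runs of spaces with the path to match in the last column (as in the sample line above), and that `*` in an exclusion matches any run of characters.

```python
import re
from collections import Counter

# Constructed rows in the shape of the Control Log line quoted in this article
# (the SHA256 values are constructed). Assumptions: columns are separated by tabs
# or runs of 2+ spaces, and the last column is the path exclusions are matched on.
ROW = ("12/26/2022 9:32:03 PM    502    Minor and Above : (10)    Block    "
       "[AC8-3.1] Block saving .exe, .dll and .msi files - Caller SHA256={sha}    "
       "File Write    0x0    12/26/2022 9:30:59 PM    12/26/2022 9:30:59 PM    "
       "All Applications | [AC8-3.1] Block saving .exe, .dll and .msi files    "
       "{pid}    {path}")
TIWORKER = (r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_"
            r"31bf3856ad364e35_10.0.19041.5547_none_7e02b5467c95ffef\TiWorker.exe")
SAMPLE_LOG = "\n".join([
    ROW.format(sha="a" * 64, pid=5528, path=r"C:\Windows\SoftwareDistribution"
               r"\Download\Install\Windows-KB890830-x64-V5.108.exe"),
    ROW.format(sha="b" * 64, pid=4120, path=TIWORKER),
    ROW.format(sha="c" * 64, pid=7012, path=r"C:\temp\sepclientinstaller.exe"),
    ROW.format(sha="c" * 64, pid=7340, path=r"C:\temp\sepclientinstaller.exe"),
])

def parse_row(line):
    """Return rule id, caller hash and path for a Block row, else None."""
    cols = [c for c in re.split(r"\t+| {2,}", line.strip()) if c]
    rule = re.search(r"\[(AC\d+-[\d.]+)\]", line)
    sha = re.search(r"Caller SHA256=([0-9A-Fa-f]{64})", line)
    if "Block" not in cols or not rule or not re.match(r"[A-Za-z]:\\", cols[-1]):
        return None
    return {"rule": rule.group(1), "sha256": sha and sha.group(1), "path": cols[-1]}

def wildcard_to_regex(pattern):
    """'*' matches any run of characters; the rest is literal, case-insensitive."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I)

def triage(log_text, exclusions):
    """Count blocks each exclusion would cover and collect the ones left over."""
    compiled = [(e, wildcard_to_regex(e)) for e in exclusions]
    covered, remaining = Counter(), Counter()
    for row in filter(None, map(parse_row, log_text.splitlines())):
        hit = next((e for e, rx in compiled if rx.fullmatch(row["path"])), None)
        if hit:
            covered[hit] += 1
        else:
            remaining[(row["rule"], row["path"], row["sha256"])] += 1
    return covered, remaining

if __name__ == "__main__":
    done, left = triage(SAMPLE_LOG, [r"C:\Windows\SoftwareDistribution\*", TIWORKER])
    for (rule, path, sha), n in left.items():
        print(f"still blocked x{n}: [{rule}] {path} sha256={sha}")
```

Each path reported as still blocked is a candidate for a specific exclusion, and the caller SHA256 from the log can be compared with the expected installer before the path is added.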