The following error occurs during the Enforce server patching install attempt to either 16.0.1 RU1 HF4 or 16.0.1 RU1 MP1 :

install log points to the following error

MSI (s) (78!1C) [14:43:10:615]: Note: 1: 2205 2:  3: Error 
MSI (s) (78!1C) [14:43:10:615]: Note: 1: 2228 2:  3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709 
MSI (s) (78!1C) [14:43:10:615]: Product: Symantec Data Loss Prevention 16.0.10000 HF4 Enforce Server -- The following database sessions indicate a Enforce service or job started by the Enforce service against the database is still in progress. Unable to install update until all activity has completed. If not already done, please shutdown all Enforce services and allow time for the outstanding jobs to complete. If job continues to run for hours then restarting the Oracle database may be required to force a hung job to exit. Installation is now rolling back.
 
The following database sessions indicate a Enforce service or job started by the Enforce service against the database is still in progress. Unable to install update until all activity has completed. If not already done, please shutdown all Enforce services and allow time for the outstanding jobs to complete. If job continues to run for hours then restarting the Oracle database may be required to force a hung job to exit. Installation is now rolling back.
Error occurred querying or updating database: 
SQL*Plus: Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

Enforce 16.0.1 RU1

an incorrect TCPS connection string in jdbc.properties file on Enforce, which required conversion back to TCP connection string to connect to Oracle DB to complete patching.

What worked was changing the connection string from TCPS to TCP in jdbc.properties on the Enforce Server as follows:

1) Stop running Enforce Services via services.msc in order as follows:

From the Services menu, stop all running Symantec Data Loss Prevention services in the following order:

SymantecDLPDetectionServerControllerService
SymantecDLPIncidentPersisterService
SymantecDLPManagerService
SymantecDLPNotifierService

2) Open jdbc.properties file in notepad as an Administrator 

default location of jdbc.properties file:

C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.x\Protect\config

3) and correct connection string as follows

from current:

jdbc.dbalias.oracle-thin=@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=EXAMPLE.COM)(PORT=1523))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=EXAMPLE.COM)(SSL_SERVER_CERT_DN="CN=example.com,OU=Customer OU,O=Customer Name,L=City,ST=State,C=CountryCode")))

Change to

jdbc.dbalias.oracle-thin=@(DESCRIPTION=(FAILOVER=on)(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=example.com)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=EXAMPLE.COM)))

4) Save the jdbc.properties file.

5) Start the Symantec Data Loss Prevention services in the following order:

SymantecDLPNotifierService
SymantecDLPManagerService
SymantecDLPIncidentPersisterService
SymantecDLPDetectionServerControllerService

6) re-run 16.0.1 RU1 HF4 or 16.0.1 RU1 MP1 patch file on Enforce again to complete patching.

7) (if required) after patching revert connection string back on Enforce jdbc.properties file back to TCPS.

it is clear the "TCPS" setting is valid in some cases, but permissions on the DB might need to be confirmed. If this is true, also suggest to review the following article: 

TLS Listener fails with error "ORA-28864: SSL connection closed gracefully TNS-12560: TNS:protocol adapter error TNS-00542: SSL Handshake failed 64-bit Windows Error: 28864: Unknown error" after enabling TCPS (broadcom.com)