As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, Microsoft has released an update to Windows 7 SP1 and Windows Server 2008 R2 SP1 on August 13th, 2019 where the Microsoft Windows Updates are now SHA-2 signed instead of SHA-1 signed.
Microsoft KB4512506/KB4512486 is not visible as an available download with currently available versions of Symantec Endpoint Protection Cloud (220.127.116.11 and earlier) installed.
Symantec has identified the potential for a negative interaction between Symantec Endpoint Protection Cloud and the contents of future Windows Updates as a result of the changes in this Microsoft KB.
Out of an abundance of caution, Symantec and Microsoft worked together to only allow the update to be visible to versions of Symantec Endpoint Protection Cloud that fully support SHA-2 signed Windows executables replaced by this and future updates to Windows 7 SP1 and Windows 2008 R2 SP1.
This issue is resolved in build 18.104.22.168, which began a phased rollout through LiveUpdate on August 27th. Only devices running on versions of Windows that are impacted by this issue will receive this update.
After receiving this update, devices will be required to perform a reboot to complete the upgrade. The reboot will not be forced and must be accepted by the user. Devices will remain protected before the reboot is completed.