Symantec Endpoint Protection for Windows 7 and Server 2008 R2 is blocking Windows updates since August 2019.
Back in April 2019 we reported that Microsoft planned to amend the way it digitally signed Windows updates in order to protect against supply chain attacks and ensure only valid, unmodified Microsoft issued patches are installed. This change went live at the end of July with the August patch Tuesday delivering the first patches with the SHA-1 signature removed and only SHA-2 digital signature available.
It turns out that Symantec Endpoint Protection and Norton Anti-Virus were attempting to protect systems by also checking the SHA-1 signature of Windows updates before allowing them to be installed on Windows 7 and Window Server 2008 R2 systems. When the August patches were released without the SHA-1 signature, these Third Party Anti-Virus tools blocked the installation of the Windows updates.
Microsoft warns that:
Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.
Affected customers need to obtain updated versions of the Symantec and Norton AV software with support for SHA-2 signatures.
Symantec has published a support note for their customers with an update.