JJV,
It is not that SEP is doing anything to prevent patch installation. It is the metadata within the patch bundle from Microsoft that tells the Windows Update client that the patch is not applicable if SEP is installed (or perhaps only if it is running at the time, not sure).
Using Altiris bypasses the logic associated with the metadata and effectively force installs the patch. This is basically equivalent to downloading the patch binary from the MS catalog and performing a (force) install.
Microsoft has explicitly stated that they advise against doing this. Systems may not start up after a reboot, or more likely a power off-on, which is different than a warm reboot. Loss of data or complete inability to use systems may result.
See the MS KB articles for patches KB4512506 OS Monthly Rollup, KB4512486 OS Security Only and KB4511872 IE Cumulative.
E.g., look at the last row in the "Known Issues" table at:
https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486
Symptom:
Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.
Workaround:
Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.
Here "Symptom and Workaround" are really more like "Notice and Advice / Warning".
If you have seen no problems, consider yourself lucky. If you want to forge ahead, be aware.
-Regards