Symantec Endpoint Protection Block SCCM Office Updates

Recently I've got an issue with SCCM agent couldn't install any office update.
While investigating the issue, I saw other updates installed without any problem.
Looking at the event viewer reveal error 11406 - installation couldn't wright to Browser Helper Objects registry key:

After hours of searching, I saw the following policy in Symantec Endpoint Protection:

It looks like someone activate Prevent registration of new Browser Helper Objects under application and device control policy.
In order to resolve the issue, I created the following Registry Access Attempts condition to allow the installation to complete:

SCCM Client Installation Failures

The following list is some failures in SCCM client installations and the resolution:

Problem:
One or more certificate is missing on local machine (should be 2 certificates).

CertificateMaintenance.log shows the following entries:
Crypt acquire context failed with 0x8009000f

Cause:
Wrong permissions for machine key starts with 19c5.. located under the following path:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Use SCCM Compliance Settings To Find Service Running As Administrator Account

Sometimes you have to change password for important user (like administrator account).
Changing password for this kind of user is a project in its own and should be done with extra careful.
With Compliance Settings feature in SCCM, its easy to find where this user runs a service.

In this example I'm going to use PowerShell script to detect the present of administrator account under the services, so first, I'm going to change the execution policy to Bypass in client settings for the computers this script is going to run: