Controlled Folder Access (CFA) was introduced in the Fall Creators Update for Windows 10 (version 1709) and is part of Windows Defender Exploit Guard. As such, it requires Windows Defender Antivirus and real-time protection to be enabled.
A full description of CFA can be found on Microsoft's site at this url:
The key descriptive text from this page states:
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
In the first place, our tests have found that the default Windows 10 setting for CFA is 'Off' - as in, disabled.
Secondly, even with it switched on, the Software Update Wizard service is successfully able to save/update files in controlled folders, without any CFA notifications.
Therefore, although Microsoft does not publish a list of 'safe' applications, it appears that the Software Update Wizard application is currently deemed 'safe' by CFA.
Therefore no action is currently required to handle CFA in the Software Update Wizard.
At present (February 2018) it seems that CFA sees the Software Update Wizard as 'safe' and no action is required. Everything is as before. However, should this change in the future a simple ExecBefore command in your update script will add the Software Update Wizard to the list of safe applications on the target computer.
The Powershell command to add the Software Update Wizard service to the safe applications list is:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Windows\SysWOW64\WebUpdateSvc4.exe"
Therefore the ExecBefore command in your script is:
ExecBefore=Powershell Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Windows\SysWOW64\WebUpdateSvc4.exe"
Adding the same application more than once using this technique will NOT cause duplication. The command will simply fail silently on the second and subsequent calls. It will also fail silently on prior versions of Windows.