Microsoft is blocking Windows 7 and Server 2008 R2 updates from being installed if they are code signed using a SHA-2 certificate and the machine has Symantec or Norton antivirus installed. This is because the antivirus software is deleting the updates during installation and causing Windows to not start. The SHA-1 algorithm previously used to sign updates has been found to be insecure over time due to weakness discovered in the algorithm and increased availability of high CPU computing. Microsoft will end its migration by requiring Windows Server 2012, Windows 8.1, Windows 2012 R2.
Source: https://www.bleepingcomputer.com/news/microsoft/windows-7-sha-2-updates-blocked-if-symantec-norton-avs-installed/