It could do, as Windows commonly doesn't digitally sign the update files, not to mention that when these updates come out the files won't have been seen before.
I have no idea how you might be able to exclude Windows updates (WU), as there wouldn't be a common file name; as such, you would have to find where WU places these temp files and do an exclusion on the folder. But that can leave a hole in your security.