+3
Pending Review

Can the setup.msi file distributed when the console updates a client be signed? The process gets flagged by endpoint protection.

Rick Scherer 1 year ago updated by 14erDave 5 days ago 1
Available in Version:

This is so incredibly important.  It is even more important because the installer loves to violate up to 8 TTPs.  

- UNKNOWN_APP (gotta give you a pass on this one)
- MITRE_T1003_OS_CREDENTIAL_DUMP
- MITRE_T1005_DATA_FROM_LOCAL_SYS
- MITRE_T1057_PROCESS_DISCOVERY
- RAM_SCRAPING
- ENUMERATE_PROCESSES
- READ_SECURITY_DATA
- POLICY_TERMINATE (That was probably our EDR killing the process because it attempted to read the memory of LSASS.)

Most of these are understandable and could be accepted if the installer was signed.
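A check a defender can run on the staged installer to see whether it carries a valid Authenticode signature, and therefore whether an EDR allow rule can key on the signer instead of a per-release file hash. This is an added example, not the vendor's code; the `C:\Temp\setup.msi` path is an assumption.

```powershell
# Added example (not the vendor's code): inspect the client update installer's
# Authenticode signature before deciding how to handle the endpoint alerts.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path       = $Path
        # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Sha256     = $hash
        # A signer-based allow rule is only safe when the chain validates;
        # for anything else the per-build SHA-256 is the only stable identifier.
        AllowBySigner = ($sig.Status -eq 'Valid')
    }
}

# Assumed staging path; adjust to wherever the console drops setup.msi.
$result = Test-InstallerSignature -Path 'C:\Temp\setup.msi'
$result | Format-List

if (-not $result.AllowBySigner) {
    Write-Warning ("setup.msi is not validly signed (status: {0}); any exclusion " +
                   "must be hash-based ({1}) and redone for every release." -f
                   $result.Status, $result.Sha256)
}
```

If `Status` comes back `Valid`, the `Thumbprint` is the value to pin in a publisher-based exclusion so the rule survives future updates without widening to an unsigned path.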