Support came back and just said "Because Talos determined it is malicious. You can whitelist the domain if you'd like."
While there is nothing technically wrong in that answer, it really isn't helpful. If Talos (and AMP by extension) is flagging false positives against Windows Update files, then that is a problem. Conversely, if MS is serving up malicious files, then that is also a problem.
Unfortunately, I do not have access to Talos Threat Grid to see anything further on this file.