Since Vista, the MS OS patches (.msu) are installed by Wusa.exe.
As you can see from this doc, Wusa needs access to the "Windows Update Agent API".
What you actually need to make sure of is that the "Windows Update" service is started. The description of this service states:
"Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API."
Windows Update itself can be configured to "Never Check for updates (not recommended)", and as long as that service is running, Wusa can still apply .msu patches to the OS. I recommend you enforce this in Group Policy, as well as enforcing that the service is started, and this will prevent you from