From the ePO on premise data base, you can select the Access protection policy that has been used and then for this rule, you might have two options. You will need to Uncheck report option and check Block option. This would prevent from getting messages frequently in the console keeping the rule in place.
Correct me if I'm wrong but wouldn't your solution block the behavior on the end user system? I'm not looking to prevent the action from occurring on the end user systems.
Since the exclusions are added for the particular file "C:\WINDOWS\CCMSETUP\(exclude all files and subfolders)" in the AP rule that is in place, the end users should still be having access to these exceptions. So the block action can be set up so apart from this exclusions, other files are blocked according to the rule. At the same time when report option is checked, the reports are included and being reported in the client console. If report option is unchecked in the console, End clients does not receive this reports and there should not be any events reported for this matching rule.
Your formatting for the last three exclusions are incorrect.
You are missing a "\" after %windir% as well as you need to end with a "\" in order to exclude the directory (otherwise the exclusion is treated as a file name):
You may want to check your path of the SoftwareDistribution directory as it may not be under the ccmcache directory.. its usually %windir%\SoftwareDistribution\