Did you have any answer to this post? I am facing the same issue with EPO 5.3.1, which reset the Exploit Prevention dllhost.exe rule to a disabled and excluded state and put me into a situation where the rule wasn't active anymore, and my Win10 systems faced the problem described in KB89023.
No updates. I even mentioned this to my support account manager. All I know is my change control team would not want me rolling a product where change-controlled policies can update themselves, thus negating the change control process. So for the short term, Endpoint Security is under limited testing and I'm riding VSE for as long as we can. Eventually I'll need an answer, but I don't know what will happen if I don't get one.