You do not need to reboot to disable an IPS policy.
Three options:
1) Use the policy override tool (requires hands on keyboard and rights given to the user/group). Select the duration of the override. Perform system updates. Reboot. The policy will auto-revert to enforce mode after the chosen duration. Note that any violations of the policy will be logged, but allowed.
2) Add the orchestration tool process or user to the Trusted Updaters/Full Privilege sandbox. That process/user will always be able to update the system. Reboot. I suggest allow-but-log everything in this sandbox for forensic purposes.
3) Allow the user that is doing the updates to run the DCS tools via the policy. Have the user run the "sisipsconfig -r" command in Windows, "sisipsconfig.sh -r" in -nix. Then perform updates. Then reapply the policy with "sisipsconfig -s" or "sisipsconfig.sh -s" and reboot. Note that this method will NOT log anything, so while it can be handy to use from a script or tool, it is the least secure (no forensic data as to what actually happened).
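Added example, not part of the original post and not vendor code: a wrapper for option 3 on -nix that re-applies the policy whether the update succeeds or fails, and writes its own audit lines because the agent logs nothing in this mode. The `SISIPSCONFIG` and `AUDIT_LOG` variables, the function names and the exit codes are assumptions of this sketch; only the `-r` and `-s` flags come from the post.

```shell
#!/bin/sh
# Assumptions (not from the post): SISIPSCONFIG resolves to the agent's
# sisipsconfig.sh, and AUDIT_LOG is a file the update job cannot rewrite.
SISIPSCONFIG="${SISIPSCONFIG:-sisipsconfig.sh}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/ips-maintenance.log}"

audit() {
    # One timestamped line per event, tagged with the invoking user.
    printf '%s user=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$*" >> "$AUDIT_LOG"
}

# Usage: ips_maintenance_window <update command> [args...]
# Returns the update command's exit status, 69 if the policy could not be
# disabled, or 70 if it could not be re-applied afterwards.
ips_maintenance_window() {
    [ "$#" -gt 0 ] || { echo "usage: ips_maintenance_window cmd [args]" >&2; return 64; }

    audit "policy-disable requested for: $*"
    if ! "$SISIPSCONFIG" -r; then
        audit "policy-disable FAILED; update not attempted"
        return 69
    fi

    # Run the update in a subshell so a failure or 'exit' inside it cannot
    # skip the re-apply step below.
    rc=0
    ( "$@" ) || rc=$?
    audit "update finished rc=$rc"

    if "$SISIPSCONFIG" -s; then
        audit "policy re-applied"
    else
        audit "policy re-apply FAILED; host is running without prevention"
        return 70
    fi
    return "$rc"
}
```

Forward `AUDIT_LOG` to a central collector so the record of each unprotected window survives on a system the updating user does not control.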