Hi Muhammed,
The .bat file shouldn't be an issue as SEP also uses batch files behind the scenes for certain tasks so no concern there,
To set the AgentInstall.msi as a trusted installer if you follow the below it should guide you through the process:
https://support.symantec.com/en_US/article.TECH203266.html
Pretty sure with SCCM deploying via Distribution Points and caching the installers into the CCM folders you will need to point the exception there as technically that is the location it will run from once downloaded,
I hope this helps, do let me know and if this resolves the issue please mark as resolved,
Kind Regards