Windows 10 allowed the Meltdown patch to install after I removed FortiClient 5.6.3 from the machine.
EDIT: Note that the registry key Microsoft requires was properly set on the system but it still wouldn't update until I removed FortiClient.
Actually a bit messier than that. Just unregister of the FortiClient, stop services, and uninstall (with reboot) wasn't sufficient. Running FCRemove.exe also not sufficient. Removing the directories the uninstall had left behind also didn't do it. Finally had to hunt through registry entries and do some of the cleanup by hand before Windows considered FortiClient gone enough to allow the patch. Ugh. I really hope those of you managing lots of FortiClients through EMS have an easier way to deal with this, or that my case was a fluke.