mle_ii Hello, Mike. Thanks for the tip about 0x800f0922. It was driving me crazy for a while, and now, I know why it is not happening: The COVID-19 quarantine has brought that chance down. I'll make sure it'll never happen ever again.
As for the admin approval mode:
- The default WSUS settings make it check for updates (the term is "synchronize" in WSUS) round the clock and immediately install them, so that you won't end up installing WSUS and accidentally keep your network out of date. (Better to run up a huge Internet bill than have your latest military drone drawings stolen.) But immediately after the initial setup, you can delete all auto-approval rules, so that no update gets installed without your consent. Personally, I'd add an auto-approval rule for Windows Defender (and maybe MSE) only.
- The bad news is that there are a huge lot of updates that you don't need and want to deny, e.g. 32-bit, prerelease, farm, failover cluster, security-only, and ARM64 updates. The good news is, after a year, my PowerShell script did all the denying with impeccable accuracy.
- You can keep the rest of the updates in the pending state until your departments are ready to receive them, e.g. until midnight or whatever. I had schedules for them.
- The most annoying part is remembering to disable Dual Scan.
You can see all of this as either flexibility or complexity; I think it is both. But with WU+DO, none of them is possible; updates come whenever Windows Update (a piece of code that is dumber than soup) decides.
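One way to script the declining step described above, as an added example that is not part of the original post and not the poster's own script. It uses the `UpdateServices` module's `Get-WsusUpdate` and `Deny-WsusUpdate`; the function names, title patterns and sample titles are assumptions made up for illustration.

```powershell
# Added example. Run on the WSUS server, where the UpdateServices module is installed.
# The title patterns are assumptions based on the categories the post lists;
# check them against your own catalogue before declining anything.
$UnwantedPatterns = @(
    '\bARM64\b',
    '\bx86\b|32-bit',
    'Preview|Insider|\bBeta\b',
    'Security Only',
    '\bFarm\b',
    'Failover Cluster'
)
$UnwantedRegex = $UnwantedPatterns -join '|'

function Test-UnwantedTitle {
    param([Parameter(Mandatory)][string]$Title)
    # -match is case-insensitive by default
    return $Title -match $UnwantedRegex
}

function Deny-UnwantedWsusUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Import-Module UpdateServices -ErrorAction Stop
    # Only look at updates still waiting for a decision; approved ones are left alone.
    Get-WsusUpdate -Classification All -Approval Unapproved -Status Any |
        Where-Object { Test-UnwantedTitle -Title $_.Update.Title } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Update.Title, 'Decline')) {
                Deny-WsusUpdate -Update $_
            }
        }
}

# Constructed titles (placeholder KB numbers) to check the filter without a WSUS server.
$SampleTitles = @(
    'Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB0000000)',
    'Cumulative Update for Windows 10 Version 1909 for x86-based Systems (KB0000000)',
    'Cumulative Update for Windows 10 Version 1909 for ARM64-based Systems (KB0000000)',
    'Security Only Quality Update for Windows Server 2012 R2 for x64-based Systems (KB0000000)',
    'Preview of Monthly Quality Rollup for Windows Server 2012 R2 (KB0000000)'
)
foreach ($t in $SampleTitles) {
    $verdict = if (Test-UnwantedTitle -Title $t) { 'DECLINE' } else { 'keep' }
    '{0,-8} {1}' -f $verdict, $t
}

# On the server, preview first, then decline:
#   Deny-UnwantedWsusUpdate -WhatIf
#   Deny-UnwantedWsusUpdate
```

A title filter will also catch 32-bit Office updates, so narrow the patterns if any of those categories are in use on your network.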