Security best practices for Windows Server Update Services (WSUS)

Sorry if I wasn't clear, we use WSUS and it's my job to go through and approve/release/deny updates there on the server.  We also use it to tell us what is out of date for other things that we install manually as we cannot have unexpected/uncontrolled downtime.  We are able to control most of it and patching through our scripting, but for updates like MS SQL we install updates manually as we want to control exactly when it installs and reboots.  Luckily we only have a handful or two of those and it's not too difficult to handle manually.

My main concern was with how your table seems to indicate that WU+DO does not have this aspect, though perhaps I'm misunderstanding your table and what you've said.

Really do appreciate your feedback here, it'll help for sure if/when we want to see about using something besides WSUS to control how/when servers are updated and what shows up.

Also for a bit more detail on the issue we hit with error 0x800f0922 I posted here in the Reddit Patch Thursday thread for July 2020.
https://www.reddit.com/r/sysadmin/comments/hr2eav/patch_tuesday_megathread_20200714/fyd4ttu/?utm_source=reddit&utm_medium=web2x&context=3

Also interesting information on the Dual Scan issue, I'll have to see if that's something we're hitting on the Windows 10 boxes our developers use.

You seem to know a lot, have you figured out what causes the random 100% cpu/core use with the TiWorker process?  TiWorker is a process related to WU in case you're not familiar with that name.  It seems to happen randomly and I have yet to figure out why, though now that I know the WU logs better I need to take another look.  Normally it doesn't seem to happen outside of the weeks when we're doing patch Tuesday installs.  But it'll even sit there eating up a core with 100% use on a fully patched box.  😕  Mainly 2016 and 2019 but sometimes 2012 R2.