If when you're building an image, like I did, and you don't want the current branch to automatically start downloading, you may consider checking the box that says "defer Windows upgrades" or something like that... when you do that your are enabling your computer to automatically download current branch for business which will automatically start downloading and installing on users' computers as soon as CB goes CBB even if you use WSUS or Configuration Manager. We learned the hard way and had to quickly change the Registry setting controlling this behavior. It's called dual scanning and it is not exactly communicated well that this behavior will exist regardless of whether you're using a management tool for patching like WSUS or Configuration Manager.
Hope this will help others avoid our pitfalls. We did not test 1703 in our environment when building images for our new school year because of the time window of our testing. So we built our images on 1607. Then in July when 1703 went CBB, all of our computers that had 1607 started downloading the new build... then as soon as the user rebooted, it started installing. At first people thought it was just updates... then they started reporting it was taking a really long time to update... as we investigated, we found this undesired behavior.
So if you want (or need) to be a build behind CBB, you cannot use the "defer upgrades" configuration in Windows 10. Just keep the computer in your VM off the Internet.
jcl
