> Are you telling there's no way to install third party software then block Microsoft
> update domains?
Of course not. It also doesn't prevent someone from editing the hosts file, returning invalid DNS results, or any other number of workarounds or methods of breaking delivery.
However, if you want granularity of the updates that are delivered and installed, AD + GPO + WSUS are increasingly the only options that will give you that level of management, and even then they're dependent on the edition of the OS in use.
> It's not like you have to download hundreds of patches anymore, it's
> only one per month.
I (and my clients) beg to differ, particularly if a machine has been outside of the patch cycle for some time. It's even more fun if it hasn't received the Creators update yet, then suddenly realises that it's supposed to receive it.
Oh, and that 'one' patch? Yeah, that's effectively an update rollup. Everything might be in one package, but that package might update dozens of system components, just like all of the other 'single' updates do.