> > there isn't any real control over what can and can't be applied outside of a
> > WSUS-managed update environment.
> If you use WSUS to control what gets applied then you are putting yourself at risk.
> Using it to control when things are applied is bad enough.

That depends on the risk that you're willing to shoulder. In an enterprise environment, WSUS is pretty much a necessity - the risk of business stoppage due to an update or upgrade breaking clients may (note the conditional) be worse than the risk of potential vulnerability during a test period to evaluate the suitability of updates for the environment in which they are being applied.

In any event, that's neither here nor there. My point was that if you want the granularity previously offered in past Windows OSes as relates to updates, you're going to need to implement the AD + GPO + WSUS triad. Do not expect Windows 10 to roll back to an XP or even Windows 7 level of update selectivity any time soon, if ever.