I just configure my router (firmware firewall) to block all of Microsoft's Update IPs, lol.
I don't trust Windows itself, too much dodgy Microsoft stuff (autoupdating, autoconfiguration, telemetry, and remote vulnerabilities) already happening under the hood. So Windows sometimes complains about being unable to update (and, according to my router logs, it tries to ping the Microsoft mothership every session even after it's been explicitly configured several ways to NEVER update anything), but it "cannot establish a connection" (router blocks all traffic to/from the IPs) so nothing can be quietly checked or downloaded or installed/changed/broken and it has no option other than scheduling another (clandestine) attempt after the current session ends. Microsoft might "secretly" have full control over my WinOS but they can't touch my hardware/firmware devices (which, incidentally, I only login admin while running a linux, that's how little I trust closed-source proprietary operating systems, haha).
I download/install updates manually from the
Microsoft Update Catalog when needed. As a bonus, they download hella faster (and only need to ever be downloaded once) and they install hella faster (by completely bypassing the usual bloaty component-driven WindowsUpdate kludge). Plus it's always convenient to archive a local copy of each version of each thing in case I need to rollback or apply updates to multiple machines - or in case Microsoft ever takes specific Updates offline (which they have done before, for whatever reasons, even when these specific Updates happen to work perfectly or work better than their newer counterparts on my machines).
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams
[/Korth]