Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKU of Windows 10 – Pro/Enterprise/Education/Pro for Workstation – basically everything except Home edition. You can select which types of updates you would like – Feature updates, Quality (security) updates, Driver updates and Microsoft Product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.
Whilst you don’t approve/deny each update as you’d have done in the past with WSUS, you can specify update deferral periods. For Quality updates this is 30 days or less, and for Feature updates it’s 365 days or less. You can create multiple policies, for example one targeting a pilot group with 0 day deferral, one with 5 day for a wider group, and a 10 day deferral for the rest of your devices. If you find an issue with an update installed by the pilot group, you can pause updates for up to 35 days on the other policies. The devices should then resume at the end of the 35 days and skip the missed update, moving on to the next cumulative update.
Device driver updates are enabled by default, but can be turned off, and Microsoft Product updates are disabled by default, but can be turned on. I tend to leave these at the default settings – as the trend with recent Microsoft products has been for them to look after the updating process themselves (e.g. Office 365 Click-to-Run, Edge etc) rather than using Windows Update.
You don’t need Intune or Config Manager for this, and you don’t need your devices to be Azure AD joined – it can even be a PC in a workgroup – although it’s a lot easier to manage if you have some central control over the client side settings.