Sometimes Windows installs an upgrade that insists I must connect my user account to a Microsoft account. It will not let me boot the OS if I don't. Hell if I know what my Microsoft account is. I never use it. I need to use my web browser to find out. But I can't, because I need to set up my Microsoft account first. So I have to use another computer, which will let me use it even without a Microsoft account, and then try to figure out my Microsoft account password. Then boot into Windows, let it connect the accounts, go into account options and try to find the hidden dialog to separate them again, because hell fucking no, I don't want Microsoft to associate my user account with my email address.
Being shafted like this every now and then has eroded my trust in Windows updates.
Remember that security vulnerabilities in Windows are discovered all the time, so it's dangerous to use Windows without installing the updates. If you (rightfully) don't want to install the updates, then you should switch to an OS that actually respects your freedom instead, like Linux.
Because I work in security, sometimes I want to test malware on outdated AV; blocking full internet access causes command and control failures, creating a weird spot to analyse traffic. Disabling Defender is not persistent (it seems to switch itself back on, etc.).
Would you like to describe your standard practice? I am interested in implementing this after windows updates have killed our workstations multiple times.
Is there a nice description / workflow / tutorial / script / community where I can learn how to do that?
I did not find any recommended workflow for this from Microsoft itself, but maybe I was searching for the wrong things; Windows updates are generally a bad topic to research anything related to. I expected to find some standard workflow description plus tools on some MS website, but had no success. Does that exist?
You are looking for WSUS (Windows Server Update Services). If you have Windows Server somewhere, you can add the WSUS role to it and use group policies to point your clients to it for updates.
Then, in the WSUS console, you set up approvals for updates, and the updates will be offered to clients only once you approve them. You can divide the clients into groups and manage the approvals for these groups individually, so you can have a separate testing group.
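The setup described in the reply above, as an added PowerShell example (not posted by anyone in this thread): install the WSUS role, create a pilot ring and a production ring, approve pending updates for the pilot ring only, and write the client-side registry values that the "Specify intranet Microsoft update service location" and "Enable client-side targeting" group policies set. The server name `wsus01.corp.example`, port 8530, content path `D:\WSUS` and the group names are placeholders, not values from the thread.

```powershell
# Added example, not from the thread. Hostnames, port, paths and group
# names are placeholders; adjust them to your environment.

# --- 1. On the Windows Server that will host WSUS ---
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Finish the install by pointing WSUS at a content store (wsusutil ships with the role)
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS

# Connect to the WSUS server (default HTTP port is 8530)
$wsus = Get-WsusServer -Name 'wsus01.corp.example' -PortNumber 8530

# --- 2. Create a pilot ring and a production ring (idempotent) ---
foreach ($groupName in 'Pilot', 'Production') {
    $exists = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
    if (-not $exists) {
        $wsus.CreateComputerTargetGroup($groupName) | Out-Null
    }
}

# --- 3. Approve everything still unapproved and needed, but only for Pilot ---
# Production gets nothing until you approve it there explicitly, so an update
# that breaks a pilot workstation never reaches the rest of the fleet.
Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'

# --- 4. On a client: the registry values the WSUS group policies write ---
# In production you set these via GPO (Computer Configuration > Administrative
# Templates > Windows Components > Windows Update); writing them directly is
# handy for a lab box or for checking what a GPO actually applied.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
New-Item -Path "$wu\AU" -Force | Out-Null
Set-ItemProperty -Path $wu -Name WUServer       -Value 'http://wsus01.corp.example:8530'
Set-ItemProperty -Path $wu -Name WUStatusServer -Value 'http://wsus01.corp.example:8530'
# Client-side targeting: the machine asks to be placed in the 'Pilot' group
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value 'Pilot'
# Tell Automatic Updates to use the intranet server instead of Microsoft Update
Set-ItemProperty -Path "$wu\AU" -Name UseWUServer -Value 1 -Type DWord

# Trigger a detection cycle so the client reports in and picks up approvals
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
```

Two caveats a practitioner will hit: client-side targeting via `TargetGroup` only works after you switch the server to "Use Group Policy or registry settings on computers" under Options > Computers in the WSUS console (otherwise clients land in Unassigned Computers and you move them by hand), and the client values above live under the Policies hive, so a domain GPO will overwrite them at the next refresh.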