Which is why business machines need to be running Win 10 Pro or Enterprise and pointed at a WSUS server for updates rather than directly to Microsoft, with the "Do not connect to any Windows Update Internet locations" group policy enabled.
This gives total control of which updates are downloaded on the WSUS server and allows you to control when and if they get pushed out.
Of course, if you don't have a WSUS server, setting the same GPOs and setting your server to 127.0.0.1 works quite nicely to block updates as well. And you can then use a tool like WSUSOfflineUpdater to download offline update installers and install them yourself on your own schedule. This method has worked very nicely for me on my HTPCs which are still running TH2 so that WMC keeps working. It also still works nicely on other machines I have that are running FCU and SCU.
So if you have one CNC machine you need a WSUS server as well as someone to maintain and administer it just to gain control over the updating process? Personally I think WSUS servers suck to administer.
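The two setups described in this thread (a real WSUS server versus an update server of 127.0.0.1) look the same in Group Policy but leave a machine in very different patch states. The PowerShell below is an added example, not code from any poster. It reads the policy values those GPOs write and reports which state a machine is in, assuming the standard policy location under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`. The function names and verdict strings are illustrative.

```powershell
# Added example: audit the Windows Update policy state set by the GPOs above.
# Assumption: policies are stored in the standard machine policy key.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WindowsUpdatePolicyState {
    $wuServer   = Get-PolicyValue $wuKey 'WUServer'
    $useWU      = Get-PolicyValue $auKey 'UseWUServer'
    $noInternet = Get-PolicyValue $wuKey 'DoNotConnectToWindowsUpdateInternetLocations'

    # Decide whether the configured update server is just the local machine.
    $isLoopback = $false
    if ($wuServer) {
        $uri = $null
        if ([Uri]::TryCreate($wuServer, [UriKind]::Absolute, [ref]$uri)) {
            $isLoopback = $uri.IsLoopback
        } else {
            # Value entered without a scheme, e.g. a bare "127.0.0.1".
            $isLoopback = $wuServer.Trim() -in '127.0.0.1', 'localhost', '::1'
        }
    }

    $verdict =
        if (-not $wuServer -or $useWU -ne 1) {
            'No WSUS policy in effect: updates come directly from Microsoft'
        } elseif ($isLoopback) {
            'Update server is loopback: nothing installs unless patched manually'
        } elseif ($noInternet -ne 1) {
            'WSUS configured, but Internet update locations are still allowed'
        } else {
            'WSUS only: updates are limited to what the WSUS server approves'
        }

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        WUServer                 = $wuServer
        UseWUServer              = $useWU
        BlockInternetLocations   = $noInternet
        Verdict                  = $verdict
    }
}

Get-WindowsUpdatePolicyState | Format-List
```

Machines reporting the loopback verdict are the ones to track in a manual patch schedule, since nothing else will update them.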