In view of KB40568902 damaging our computers, we first took to hiding it. Then, to be more conservative and not knowing what's coming next, we turned off Windows Update service.
Today I'm looking at a computer that had the Windows Update service Disabled and Not Running.
It got updates last night and, I'm rather sure those must have included KB4056892 as the computer appears to be among those most damaged. We are going to have to reinstall Windows 10 Pro on this one - to follow the many we've already had to do.
This is a big deal. It appears that the Windows Update service state didn't protect us on this one. So the others must be unprotected as well. That's a surprise. Should it be a surprise? What else can we do?
I don't *like* turning off Windows update because I fear it will interfere with installing printers at times, getting .NET Framework 3.5 turned on (meaning installed really) when necessary, etc.