Because of critical operational damage done by KB4056892, we Disabled the wuauserve aka Windows Update service. This KB corresponds to Windows 10 1709 Build 16299.192.
In the last few days, KB4088776 corresponding to Build 16299.309 was installed anyway.
The systems are left with wuauserve aka Windows Update service in the default Manual setting.
Fortunately, the only damage this time was that the Cortana icon no longer launches anything and the Cortana search box can't be typed into. Perhaps there are other things but they haven't been found yet.
How is one to maintain system configuration management under these circumstances?
I've not found anything but "delay" methods re: Windows updates. That seems risky in the extreme.