Windows Updates during shelter-at-home

I use WSUS and have 4 rings of updates starting with a test group week 1 and 3 successive groups each week after to hopefully avoid causing my most critical users any problems. However, shelter-at-home has thrown me a curve as almost none of my Test or Group 1 machines are being used right now. There is no good time to brick a pastor’s laptop but now seems especially bad.
So, with the mess that is currently (and always) Windows updates I’m curious if there are opinions or experience on what is generally safe to install? Every Cumulative Update for the past three months comes with warnings of blue screens and slowdowns and I’m reluctant to install any of them.
I know my mileage may vary based on what I’m using but I don’t have custom apps and am generally MS software and Adobe. All machines are either 1903 or 1909.

This would be a great time to research transitioning away from legacy WSUS and toward Windows Update for Business. It won’t give you quite the controls you are used to, but honestly you really don’t want them. You can likely achieve everything you need to do and you’ll know your machines are getting patched no matter where they are. Combine that with moving toward Hybrid Join and Intune management and you’ll be in a much happier place. Unfortunately, a transition/migration to that would be tough to pull off in the current disconnected state. :(

Like Chris, migrating to Windows Update for Business via Intune has been a great experience. I’ve mostly only run into issues with it when drivers were enabled, so we handle drivers/BIOS updates via the manufacturers’ tools where available. One thing to keep in mind is that it’s very valuable to settle on one manufacturer and as few models as possible so you decrease the likelihood of running into issues. That, and try not to do anything too far outside of the recommended best practices because a lot of the issues that get public attention have actually been edge cases.