Can any one provide me the best practice for turning on/off the windows updates.
Do we need enable windows update by default as best practice in prod environment.
What I have done in my current new prod setup, I have installed all windows update till today in all server and done the necessary restart in the server. Now I have disabled like below. Please correct me if I am doing any wrong so that I can learn new thing.
You really don't want to block updates all together on a production server as you will leave your system exposed to security issues.
However, as Microsoft is now pushing SharePoint CU's (Cumulative Updates) through this avenue, you don't want them to install automatically either as this could break your production SharePoint instance! You can set up your server to "download only" and then you can manually choose which updates to install.
Here is a really good article I'd recommend so you are more informed about what process you should follow that is the best practice for your organisation.
https://redmondmag.com/articles/2015/02/13/pushing-sharepoint-server-updates.aspx