Something I’ve done is to just leave Windows running on a VM, getting Windows updates automatically, and having a scheduled upload task that runs every week. You’ll want to not install the VM tools for the machine, since they can seem to cause some odd behavior when the image gets deployed back to real hardware.

I’m using the same. Plus I use Chocolatey to update some critical programs (scheduled task): https://chocolatey.org/