I'm doing a rollout to a big group of users (1500) and we are being impacted by a lot of delays because of Windows updates.
Is it possible to create a staging OU where newly built computers can be moved to and delivered to users without getting updates, and then once delivered moved from this OU to another which has the normal scheduled updates applied? How do other people do this without being impacted by a lot of updates?
That's one key benefit of using a WSUS server. You either create these groups manually or by GPO. You then "accept" updates for your groups and only these computers will download / install updates.
In my organization I usually automatically approve all new updates for my testing VMs and some specific machines (my second "real" one, for example). If all goes well and all applications work as expected, I approve the updates in waves of approx. 25% of all computers in 2-4 days.
I'm using SCCM, but the key aspect remains the same.
The MS TechNet articles also shed some more light on the issue.
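
An added example (not code from either poster) of the group-based approval flow described in the answer, using the WSUS `UpdateServices` PowerShell module on the WSUS server. The group names `Staging`, `Pilot` and `Wave1` to `Wave4` are assumptions; each OU is assumed to have a GPO with "Enable client-side targeting" set to the matching group name, so moving a computer between OUs moves it between approval groups.

```powershell
# Added example; group names are assumptions, not taken from the thread.
# Run on the WSUS server. The UpdateServices module ships with the WSUS role.
Import-Module UpdateServices

$Staging = 'Staging'                                  # new builds: nothing is ever approved here
$Waves   = 'Pilot', 'Wave1', 'Wave2', 'Wave3', 'Wave4'

$wsus = Get-WsusServer                                # connects to the local WSUS server

# Client-side targeting only assigns computers to groups that already exist
# on the server, so create any that are missing.
$existing = $wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name }
foreach ($name in @($Staging) + $Waves) {
    if ($existing -notcontains $name) {
        [void]$wsus.CreateComputerTargetGroup($name)
    }
}

# Step 1: approve everything that is needed and not yet approved anywhere,
# for the test group only.
function Approve-ForPilot {
    Get-WsusUpdate -Approval Unapproved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'
}

# Step 2 (days later, once the previous group looks healthy): give the next
# wave exactly the updates that are approved for install on the previous one.
function Copy-WaveApproval {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To
    )
    if ($To -eq $Staging) { throw "Refusing to approve updates for '$Staging'." }
    $source = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $From }
    if (-not $source) { throw "Target group '$From' not found." }

    Get-WsusUpdate -Approval Approved -Status Any |
        Where-Object {
            $_.Update.GetUpdateApprovals($source) |
                Where-Object { $_.Action -eq 'Install' }
        } |
        Approve-WsusUpdate -Action Install -TargetGroupName $To
}

Approve-ForPilot
# Copy-WaveApproval -From 'Pilot' -To 'Wave1'   # run per wave, after validation
```

Computers in `Staging` still report their missing updates to WSUS, so the console shows how far behind each machine is before it is moved to a wave group.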