SCCM 1710 with KB4086143 Hotfix Rollup, running on Windows Server 2012 R2, configured with a Software Update Point and WSUS on the same server.
Neither the SUP nor WSUS were ever configured to download Express Updates. Client policy is set to not use Express Updates.
A "baseline" Software Update Group and Deployment Package are created which - correctly - do not contain Express Updates.
An Automatic Deployment Rule is created and this is the one that persistently downloads Express Updates; a full set of updates for the previous month (only!) is 65 GB. Fine-tuning it to only include Security Updates is 25 GB.
Trashing and recreating the ADR makes no difference.
I'm not prepared to trash and recreate the SUP and WSUS unless I can have reasonable assurance that it will resolve; time is money and I've already wasted enough.
I've seen rumblings on TechNet that this is a bug that should be fixed in 180x; I am willing to upgrade to 1802 but we're in the middle of a deployment right now and team members would be annoyed. I'll take that on the nose if 1802 resolves it, but can't find any indication in the release notes or KBs that it does.
A crazy idea is to build and configure another WSUS, use that as an upstream, and beat on it until it doesn't download Express Updates. I've no idea how it would work in practice, I'd prefer a cleaner fix, but I'm willing to try it as an interim measure.
Are any of these options viable, recommended, or is there another, better way of taming this beast?
Prospective answers may assume that this environment was built correctly and in accordance with documentation and recommended best-practices.