Question about WSUS updates not using GPO
Posted on 2014-10-06
I am seeing that computers that I have not assigned a GPO to download and install updates on weekends nevertheless.
I have a computer group called Domain Controllers and Critical Servers, that seem to have updated this weekend, based on the install timestamp, despite not having any GPO assigned to them for scheduling. Therefore, I have configured a GPO and attached it to the Domain Controllers OU and disabled "Enable client-side targeting", "Specify internet Microsoft update service location" and "Configure Automatic Updates", so that no action will be taken with servers residing in the Domain Controllers OU.
Is this the way to go when attempting to prevent these machines from getting updated?
When I want them to be updated in a staggered fashion, I simply move a single DC to a server group that I know has a configured GPO assigned to it.
As it is now, any computers assigned to a Computer Group, despite not having a GPO applied to them, update nevertheless by default.
Is this correct?