Hello @Ataro,
Thank you for posting here.
Based on the description "by default all systems should have WSUS service disabled.", what do you mean by WSUS service?
As I understand, only the server with the WSUS role installed will have the WSUS service via services.msc.
For your request "We will identify a few systems where we intend to install patches from WSUS and reboot the systems. After deployment again we need to keep the WSUS service disabled on these systems.", if you want these systems to install patches from WSUS, you can configure the following GPO setting; then, if you do not want these systems to install patches from WSUS, you can remove the following GPO setting.
For more information, we can refer to the link below.
Step 4: Configure Group Policy Settings for Automatic Updates
https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates
Best Regards,
Daisy Zhou