I have a AD environment with GPO for WSUS. I have a unique requirement, by default all systems should have WSUS service disabled. We will identify a few systems where we intend to install patches from WSUS and reboot the systems. After deployment again we need to keep the WSUS service disabled on these systems. How can I achieve this? It has to be done from GPO.