Now that you have created an OU in AD, you can associate a policy that effectively denies patch acquisition to the devices contained in this OU.
To deny patch services to cloned desktops:
Follow the general procedure outlined in Assigning Policy to Directory Objects. Because this procedure specifically entitles devices to a policy that denies a service, note the actual values you must provide to achieve this goal.
This procedure has assigned a policy that denies patch services to the OU that contains the cloned desktops. Because the priority of this policy is specified as high, it is resolved above all the other policies within its hierarchy. You can verify this by viewing the Entitlement list of policies for any one of the devices in the list.
Now, when the patch connect is run on any of the cloned desktops contained in the specified OU, the patch service entitlement is not resolved, and the patch will not be installed. This does not affect the other services to which the cloned desktops are entitled; those services are still resolved.
You must ensure that only cloned desktops are contained in this OU. If any other device is added to this OU, it will also be denied patch services.
You can deny patch services through policy entitlement at any level; that is, it can be done at the container, OU, or device level.
Note: It is important to apply the policy at the correct level in the hierarchy so that it affects only the required devices and not all devices.
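The requirement above that only cloned desktops are contained in the OU can be checked periodically, because any other device placed there silently stops receiving patches. The following PowerShell audit is an added example, not part of the original procedure or the product; the OU distinguished name, the clone naming pattern, and the function name Find-UnexpectedDevice are assumptions to replace with your own values.

```powershell
# Added example: list devices in the patch-deny OU that do not look like clones.
# Assumptions: the OU DN and the naming pattern are placeholders, not product values.
function Find-UnexpectedDevice {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [Parameter(Mandatory)] [string] $ClonePattern   # regex that clone names must match
    )
    process {
        # Anything that fails the pattern is in scope of the deny policy by accident.
        if ($Computer.Name -notmatch $ClonePattern) {
            [pscustomobject]@{
                Name              = $Computer.Name
                DistinguishedName = $Computer.DistinguishedName
                WhenChanged       = $Computer.whenChanged   # helps spot recent moves
            }
        }
    }
}

$Ou      = 'OU=ClonedDesktops,DC=example,DC=com'   # placeholder DN
$Pattern = '^VDI-CLONE-\d{3}$'                     # hypothetical naming convention

# Constructed sample objects, so the check can be tried without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'VDI-CLONE-001'
                       DistinguishedName = "CN=VDI-CLONE-001,$Ou"
                       whenChanged = [datetime]'2024-01-10' }
    [pscustomobject]@{ Name = 'FINANCE-LT-17'
                       DistinguishedName = "CN=FINANCE-LT-17,OU=Pool2,$Ou"
                       whenChanged = [datetime]'2024-03-02' }
)

# Reports FINANCE-LT-17 only; note that it sits in a child OU of the target OU.
$sample | Find-UnexpectedDevice -ClonePattern $Pattern

# Against a live domain (requires the ActiveDirectory module). Subtree scope is
# used on the assumption that devices in child OUs also resolve the policy.
# Get-ADComputer -SearchBase $Ou -SearchScope Subtree -Filter * -Properties whenChanged |
#     Find-UnexpectedDevice -ClonePattern $Pattern
```

An empty result means every device under the OU matches the clone convention; any row returned is a device that should be moved out of the OU or confirmed as a clone.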