Firstly, what version of LDMS are you running? Are you using autofix to repair patches?
In the agent you do get to set when a security scan will take place on the client. Most people are happy for scans to take place, as this won't trigger any patches unless you have enabled autofix on the patches themselves.
The easiest way to make sure these 20 PCs don't get patches is to create an agent setting that has "Enable autofix" unchecked. The pic attached is from v9.6.