Hello Svillar,
To clarify; the individual Software Update Policies merely deploy the packages to the client. Albeit a 'loaded gun' at that point; someone will still need to pull the trigger in order for the Software Updates to install.
You could work through the following:
1. Clone the Default Software Update Plug-in Policy (DSUP) found on the Console > Settings > All Settings > Agents/Plug-ins > Software > Patch Management > Windows.
a. Configure each cloned DSUP to target the individual groups needing the separate installation schedule.
b. Ensure the setting: 'Allow user to run' is disabled on each DSUP.
Caution1: Ensure the clients are only targeted by one DSUP, for as clients are included in multipled filters; it is possible for a client to be targeted by multiple DSUP Policies, and this will cause undesired behavior (install outside schedule etc.).
Caution2: If the Software Update Cycle is never to be ran on the client via automation; configure the DSUP to execute in the far future (e.g. 1/1/2030).
2. Configure the Software Update Policies to target the 'All Windows Computers with Software Update Plug-in Installed'
a. Configure the Software Update Policies by disabling any 'Run (other than agent default)' settings (i.e. 'As soon as possible' or 'On schedule') to ensure the client obides by the DSUP, for these settings on the Software Update Policy will override the DSUP schedule.
b. To control the deployment of updates to the controlled clients; you will still need to modify the targeted filter, for the DSUP merely 'pulls the trigger' and these policies get the updates in place.
This configuration should allow for each targeted client to download the vulnerable Software Update Packages. The client will hold the updates in a 'Scheduled' status until the Software Update Cycle executes as scheduled on the DSUP.
--BE SURE TO TEST THIS PROCESS; this will help you see the behavior and work out any glitches
As long as the user is not able to execute the Software Update Cycle, and the DSUP is scheduled appropriately; you should see the desired behavior. Additionally, these configurations of Patch Management, best practices etc., are outlined on KM: HOWTO56242.