I can't think of anything that would cause the agents to deploy patches without some form of configuration.
From the Agent machine:
It's possible the Agent installed on these machines is out of date. Log on to these machines and view the Patch tab in the agent UI. Do you see any tasks that you don't recognize?
Does the Agent UI indicate scan and deployments are happening at that time?
From the Protect Console:
There is a chance the scan/deployment is agentless. Do you have scan/deployments set up in Managed > Scheduled Tasks? A scan with automatic deployment would show under the Protect console name.
I think the easiest way to ensure the agents have the correct policy is to 1) verify the policy is correct and then 2) re-install the agent on the client machine.
Nice find, thanks for taking the time to post the answer.