Patches got installed automatically

Closing this thread with the information that was exchanged in a separate conversation:

Patch Manager provides supplemental functionality to the native WSUS environment. It does not replace or eliminate any of the native WSUS functionality. The Windows Update Agent continues to do all of the things it did before Patch Manager was installed; now you just have additional methodologies for controlling/managing what the Windows Update Agent does and when it does it.

Approving the update definitely triggered the ability of the WUAgent to install the updates. After you approve the update, the WUA becomes aware of this approval at its next scheduled detection event. This could be as soon as almost immediately, or as long as almost 22 hours, but on average half of your systems will be aware of the approvals within 9-12 hours. Once they become aware of the approval, they queue a download for the update installation file. When that download completes determines when the update will be scheduled for installation. So, if you're using the default installation time of 3am, and  you approve updates in the afternoon, then maybe 1/3 of your systems will download and install the update that night, and the other 2/3 will download it after 3am and schedule it for the next day. If you approve the updates in the morning, then closer to half of your systems will detect, download and install that night.

If you don't want the systems to install updates at a pre-determined (scheduled) time, then you should set the Configure Automatic Updates policy setting to Option '3', which will allow the clients to download the update files when discovered, but they will wait for something (a logged-in user or a Patch Manager task) to initiate the actual installation.