I have encountered the same issue with Java and a few other patches. You could do this using WSUS groups but for my environment I found it easier to manage using an AD group. Computers that are members of the group get a registry key created (ex. DWORD "PreventJavaUpdate" 1). I then built a rule into the update package that makes them not applicable if that registry key is set to the appropriate value. Machines not in that group have the same registry key but it is set to 0. This allows me to remove a computer from the group in the event updates can be applied. There may be a better way to manage these scenarios but this process has worked well for me.
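One way to set the registry flag described in the post above, written as a computer startup script. This is an added example, not the poster's own code: the group DN and registry key path are hypothetical placeholders, only the value name `PreventJavaUpdate` comes from the post, and the group DN is assumed to contain no characters that need LDAP filter escaping.

```powershell
# Added example. Hypothetical names: $GroupDn and $KeyPath are placeholders.
$GroupDn   = 'CN=Patch-Exclude-Java,OU=Groups,DC=example,DC=com'  # hypothetical AD group
$KeyPath   = 'HKLM:\SOFTWARE\ExampleOrg\PatchControl'             # hypothetical key path
$ValueName = 'PreventJavaUpdate'                                   # value name from the post

function Test-ComputerInGroup {
    param([string]$ComputerName, [string]$GroupDn)
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, so nested
    # group membership is honoured as well as direct membership.
    $filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn))"
    $searcher = [adsisearcher]$filter
    # FindOne() returns $null when nothing matches and throws if no DC answers.
    return [bool]$searcher.FindOne()
}

function Set-PatchExclusionFlag {
    param([bool]$Excluded)
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $desired = [int]$Excluded   # 1 = skip the update, 0 = update applies
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
    # Write only on change so the script is idempotent across reboots.
    if ($current -ne $desired) {
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value $desired -Force | Out-Null
    }
}

try {
    $excluded = Test-ComputerInGroup -ComputerName $env:COMPUTERNAME -GroupDn $GroupDn
    Set-PatchExclusionFlag -Excluded $excluded
}
catch {
    # If the directory is unreachable, keep the last known value rather than
    # silently flipping an excluded machine back to "applicable".
    Write-Warning "AD lookup failed; leaving $ValueName unchanged: $_"
}
```

The update package's applicability rule then tests the same key and value, so removing a computer from the group resets the value to 0 at the next start and the update becomes applicable again.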
Is there a good way to be able to approve these patches but selectively miss this random group of machines?
Yes, and I just posted a blog article in PatchZone yesterday that describes exactly how to do this.