Forum Discussion
EricTorbenson
May 13, 2022 · Copper Contributor
Why do Windows 10 hybrid AD clients with GP disabling Windows Update still get updates?
I have a large fleet of Windows 10 Enterprise clients which are Hybrid-joined to our on-premises AD and also connected to Intune for cloud-based management. These devices are purpose-built -- not quite suitable for LTSC but enough to require manual control of update deployment. They're also customer-facing, so reboots and other servicing tasks need to be carefully scheduled. For a variety of reasons, we're not using WSUS or MECM to approve updates; we're pushing patch packages to the devices because of the need for control of bandwidth, customer experience, etc.
Previously, I was able to set up a Group Policy setting that blocks Windows Update, and that would be enough to prevent the machine from reaching out to the Internet to download updates from Microsoft. Recently, my machines (Windows 10 21H2) have been reaching out to WU and installing updates out of our normal cycle. This has led to issues with custom software and VPN clients failing to work properly.
1. What is causing the machine to reach out to WU even though the GPO blocks it? I've already checked the following -- the "Configure Automatic Updates --> Disabled" GPO does apply to the machine, the "MDM wins over GPO" setting is not set, and the machine is not in any Intune update rings, nor do any CSPs pertaining to updates apply.
2. Where's a good place to start troubleshooting this? The Windows Update log on the client is quite verbose so it would help to have a guide on what I'd be looking for.
1 Reply
AriaUpdated (Microsoft)
Hello, I would recommend that for these clients you configure the Scan source policy (https://docs.microsoft.com/en-us/windows/deployment/update/wufb-wsus) or since you are still on Windows 10 you can leverage disable dual scan ("Do not allow deferrals to cause scans against Windows Update").
Either of these will prevent updates from being offered from Windows Update. That said, I would recommend against just disabling automatic updates as all that does is prevent devices from automatically scanning, downloading, installing, etc. without end user interaction.
Please let me know if you have any further questions! 🙂
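A read-only audit of the policy values the reply refers to, added here as an example (not code from the thread or from Microsoft). It reads the documented Group Policy registry locations for "Configure Automatic Updates", "Do not allow deferrals to cause scans against Windows Update" (DisableDualScan) and the Scan source policies, and summarises whether anything actually stops a scan against Windows Update; the assessment wording is my own.

```powershell
# Added example: audit which Windows Update policies are set on this client and
# whether they merely stop *automatic* updating or actually stop WU scans.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the policy key/value is absent, i.e. "Not configured"
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WuScanPosture {
    $noAutoUpdate = Get-PolicyValue $auPolicy 'NoAutoUpdate'      # 1 = Configure Automatic Updates: Disabled
    $useWuServer  = Get-PolicyValue $auPolicy 'UseWUServer'       # 1 = intranet (WSUS) server in use
    $dualScan     = Get-PolicyValue $wuPolicy 'DisableDualScan'   # 1 = deferrals may not scan against WU
    $noInternet   = Get-PolicyValue $wuPolicy 'DoNotConnectToWindowsUpdateInternetLocations'

    # Scan source policy, one value per update class: 0 = Windows Update, 1 = WSUS
    $scanSource = [ordered]@{}
    foreach ($cls in 'FeatureUpdates', 'QualityUpdates', 'DriverUpdates', 'OtherUpdates') {
        $scanSource[$cls] = Get-PolicyValue $wuPolicy "SetPolicyDrivenUpdateSourceFor$cls"
    }
    $allPinnedToWsus = ($scanSource.Values | Where-Object { $_ -ne 1 }).Count -eq 0

    $assessment =
        if ($allPinnedToWsus) {
            'Scan source pins every update class away from Windows Update.'
        } elseif ($dualScan -eq 1 -and $useWuServer -eq 1) {
            'Dual scan disabled: deferral policies cannot trigger a scan against WU.'
        } elseif ($noAutoUpdate -eq 1) {
            'Only automatic scan/download/install is off; other scans can still reach WU.'
        } else {
            'No policy here prevents scanning Windows Update.'
        }

    [pscustomobject]@{
        NoAutoUpdate        = $noAutoUpdate
        UseWUServer         = $useWuServer
        DisableDualScan     = $dualScan
        NoWUInternetLocs    = $noInternet
        ScanSourceByClass   = ($scanSource.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
        Assessment          = $assessment
    }
}

Get-WuScanPosture | Format-List
```

Run it elevated on an affected client; to confirm which service a given scan actually used, `Get-WindowsUpdateLog` merges the ETL traces into a readable WindowsUpdate.log you can search around the time of the unexpected install.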