By default GPO applies to all objects within the Organizational Unit, with the Authenticated Users group applied to the GPO.
To control or limit what groups, users or computers that a GPO gets applied to, security filtering can be changed to limit what the GPO is applied to.
In GPMC, select the GPO and in the details plane, select the Scope Tab.
Click Add in the Security Filter section and add the required user, group or computer
High light the Authenticated Users and click on remove, For the newly modified security filter to work, then Authenticated Users need to be given Read permissions on the Delegation Tab
To change the security filter by powershell the following command can be used.
Set-GPPermission -Name "WSUS" -TargetName "Domain Users" -TargetType Group -PermissionLevel GpoApply