diff --git a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
index c9aaff5e36..720ce1f324 100644
--- a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
+++ b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
@@ -20,11 +20,9 @@
   # Ensure daemon-reload has happened before starting/enabling
 - meta: flush_handlers
 
-- name: Ensure apt-daily and apt-daily-upgrade services are unmasked, started and enabled.
+- name: Ensure apt-daily and apt-daily-upgrade services are unmasked
   systemd:
     name: "{{ item }}"
-    state: started
-    enabled: yes
     masked: no
   with_items:
     - 'apt-daily'
diff --git a/molecule/testinfra/common/test_automatic_updates.py b/molecule/testinfra/common/test_automatic_updates.py
index 74bd99ab54..1c6d2b10bc 100644
--- a/molecule/testinfra/common/test_automatic_updates.py
+++ b/molecule/testinfra/common/test_automatic_updates.py
@@ -132,25 +132,37 @@ def test_unattended_upgrades_functional(host):
 
 
 @pytest.mark.parametrize(
-    "service",
+    "timer",
     [
-        "apt-daily",
         "apt-daily.timer",
-        "apt-daily-upgrade",
         "apt-daily-upgrade.timer",
     ],
 )
-def test_apt_daily_services_and_timers_enabled(host, service):
+def test_apt_daily_timers_enabled(host, timer):
     """
-    Ensure the services and timers used for unattended upgrades are enabled
-    in Ubuntu 20.04 Focal.
+    Ensure the timers used for unattended upgrades are enabled
     """
     with host.sudo():
-        # The services are started only when the upgrades are being performed.
-        s = host.service(service)
+        s = host.service(timer)
         assert s.is_enabled
 
 
+@pytest.mark.parametrize(
+    "service",
+    [
+        "apt-daily.service",
+        "apt-daily-upgrade.service",
+    ],
+)
+def test_apt_daily_services_disabled(host, service):
+    """
+    Ensure the services used for unattended upgrades are disabled
+    """
+    with host.sudo():
+        s = host.service(service)
+        assert not s.is_enabled
+
+
 def test_apt_daily_timer_schedule(host):
     """
     Timer for running apt-daily, i.e. 'apt-get update', should be OFFSET_UPDATE hrs
diff --git a/securedrop/debian/securedrop-config.postinst b/securedrop/debian/securedrop-config.postinst
index 4e3086d5f8..d75e8ed3b8 100755
--- a/securedrop/debian/securedrop-config.postinst
+++ b/securedrop/debian/securedrop-config.postinst
@@ -24,6 +24,9 @@ case "$1" in
     systemctl is-enabled fwupd-refresh.timer && systemctl disable fwupd-refresh.timer
     # And disable Ubuntu Pro's ua-timer and esm-cache (#6773)
     systemctl is-enabled ua-timer.timer && systemctl disable ua-timer.timer
+    # Disable the apt-daily services but not the timers (#7298)
+    systemctl is-enabled apt-daily.service && systemctl disable apt-daily.service
+    systemctl is-enabled apt-daily-upgrade.service && systemctl disable apt-daily-upgrade.service
     systemctl mask esm-cache
 
     ;;