diff --git a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
index c9aaff5e36..b5d55aa37e 100644
--- a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
+++ b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
@@ -20,11 +20,11 @@
 # Ensure daemon-reload has happened before starting/enabling
 - meta: flush_handlers
-- name: Ensure apt-daily and apt-daily-upgrade services are unmasked, started and enabled.
+- name: Ensure apt-daily and apt-daily-upgrade services are unmasked
 systemd:
 name: "{{ item }}"
- state: started
- enabled: yes
+ # We disable the service unit and enable the timer
+ enabled: no
 masked: no
 with_items:
 - 'apt-daily'
@@ -33,10 +33,9 @@
 - apt
 - unattended-upgrades
-- name: Ensure apt-daily and apt-daily-upgrade timers are started, and enabled.
+- name: Ensure apt-daily and apt-daily-upgrade timers are enabled.
 systemd:
 name: "{{ item }}"
- state: started
 enabled: yes
 with_items:
 - 'apt-daily.timer'
diff --git a/molecule/testinfra/common/test_automatic_updates.py b/molecule/testinfra/common/test_automatic_updates.py
index e9d76ac869..5d71fe5451 100644
--- a/molecule/testinfra/common/test_automatic_updates.py
+++ b/molecule/testinfra/common/test_automatic_updates.py
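Review bot: The renamed task `Ensure apt-daily and apt-daily-upgrade services are unmasked` also sets `enabled: no`, so the name shown in playbook output hides the fact that the service units are being disabled. Suggest `- name: Ensure apt-daily and apt-daily-upgrade services are unmasked and disabled` and moving the comment `# We disable the service unit and enable the timer` above `systemd:` so it reads as the task's rationale rather than as a note on one argument. The `with_items` list continues past the end of the hunk.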
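Review bot: Dropping `state: started` from the timer task means the role only guarantees that the timers are enabled for the next boot, not that they are active when the play finishes. If `apt-daily.timer` or `apt-daily-upgrade.timer` is inactive at that point (for example after having been stopped or masked earlier), no update or upgrade run is scheduled until a reboot and the host misses security updates in the meantime. Unless something outside this hunk starts them, keep `state: started` on the timer units, or add a comment stating why enabling alone is sufficient. The timer test changed in test_automatic_updates.py asserts only `is_enabled`, so it would not catch an inactive timer.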
@@ -163,25 +163,39 @@ def test_unattended_upgrades_functional(host):
 @pytest.mark.parametrize(
- "service",
+ "timer",
 [
- "apt-daily",
 "apt-daily.timer",
- "apt-daily-upgrade",
 "apt-daily-upgrade.timer",
 ],
 )
-def test_apt_daily_services_and_timers_enabled(host, service):
+def test_apt_daily_timers_enabled(host, timer):
 """
- Ensure the services and timers used for unattended upgrades are enabled
- in Ubuntu 20.04 Focal.
+ Ensure the timers used for unattended upgrades are enabled
 """
 with host.sudo():
- # The services are started only when the upgrades are being performed.
- s = host.service(service)
+ s = host.service(timer)
 assert s.is_enabled
+@pytest.mark.parametrize(
+ "service",
+ [
+ "apt-daily.service",
+ "apt-daily-upgrade.service",
+ ],
+)
+def test_apt_daily_services_disabled(host, service):
+ """
+ Ensure the corresponding services are disabled
+ """
+ with host.sudo():
+ print(host.run("systemctl list-units").stdout)
+ print(host.run("systemctl list-timers").stdout)
+ s = host.service(service)
+ assert not s.is_enabled
+
+
 def test_apt_daily_timer_schedule(host):
 """
 Timer for running apt-daily, i.e. 'apt-get update', should be OFFSET_UPDATE hrs
diff --git a/securedrop/debian/securedrop-config.postinst b/securedrop/debian/securedrop-config.postinst
index d70a66ac2f..017c003f1d 100755
--- a/securedrop/debian/securedrop-config.postinst
+++ b/securedrop/debian/securedrop-config.postinst
@@ -28,6 +28,9 @@ case "$1" in
 # And disable Ubuntu Pro's ua-timer and esm-cache (#6773)
 systemctl is-enabled ua-timer.timer && systemctl disable ua-timer.timer
 systemctl mask esm-cache
+ # Disable the apt-daily services but not the timers (#7298)
+ systemctl is-enabled apt-daily.service && systemctl disable apt-daily.service
+ systemctl is-enabled apt-daily-upgrade.service && systemctl disable apt-daily-upgrade.service
 # Migrate the ssh group to sdssh
 securedrop-migrate-ssh-group.py
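Review bot: `assert not s.is_enabled` in `test_apt_daily_services_disabled` also passes when the service unit is masked, which is the state the Ansible task guards against with `masked: no`. A masked apt-daily-upgrade.service cannot be triggered by its timer, so the test would stay green on a host that no longer installs updates. Add `assert not s.is_masked` beside it (testinfra's service module exposes `is_masked`; confirm for the pinned version). The two `print(host.run("systemctl list-…").stdout)` calls look like leftover debugging and should be dropped or turned into assertions on the timer state.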
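Review bot: The comment on the added lines says what is disabled but not why plain `disable` is used rather than `disable --now` or a `stop`. If this postinst can run during an unattended upgrade (likely given the units involved, but not visible here), stopping apt-daily-upgrade.service would interrupt the run that is installing the package. A comment such as `# disable only, never stop: this script may be running under apt-daily-upgrade.service` would keep a later edit from adding that. `systemctl is-enabled` also prints the unit state into the package-configuration output; `systemctl --quiet is-enabled apt-daily.service && systemctl disable apt-daily.service` avoids it. The enclosing `case` branch starts and ends outside the hunk.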