SCCM and 'rogue update'

Evening all.

Recently an un-patched environment had upwards of 3 digits worth of security and vulnerability patches rolled out via SCCM and installed, in which an Office service pack NOT DEFINED OR AUTHORISED FOR ROLLOUT got installed.

There is _no way_ that the SP came from SCCM, it's been checked and re-checked and not even in the scope of this patching project.

However, on some machines, at the same date/time as the SCCM deployed patches, an SP for Office has been installed.

I have been trawling through SCCM logs, Windows update logs, event viewer and will soon be going through WindowsInstaller logs and have not yet found anything.

Has anyone come across quirky Update behaviour with SCCM/Vista? As far as I am aware when SCCM is defined via a GP all update mechanisms and retrieval go via SCCM and SCCM only.

Right now I am working on a theory that had this SP somehow being cached on some desktops prior to the SCCM group policy definitions and has somehow only now been installed with the wave of updates deployed.

I'm open to any ideas!
 
Did you ever have WSUS installed on the same box and configured? (Before SCCM days).

It's possible the patch was approved with the old WSUS configuration and is still somehow lurking around.
 
As far as I am aware, nope. SCCM is the first push towards patch management. I will check up but if it was authorised on WSUS then I would have expected it would have actually installed it there and then.
 
No issues at all like you've reported and patching to ~ 30,000 clients between 2 sites.

If the patch definitely isn't in your update deployment list I can't see it being as part of the SCCM patch push. windowsupdate.log and updatehandler.log can verify for you. You could even look in the client cache and see if the file is in there I suppose.

Could someone have pushed it out as a standard software deployment? From reading TechNet I know a few people push service packs out using that over an actual patch deployment.
 
We've had similar happen when the SCCM client has broken on a desktop and the PC is going out to the internet instead. That was just patches though, not a service pack; I can't see that coming down via auto updates.
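Added example, not part of any post in this thread: one way to check which update client requested the unexpected install is to read the Windows Update Agent history through its COM API, which records the calling application and the update source for each entry. The title pattern, the 30-minute window and the client names in the comments are assumptions to adjust; an install done through an MSI or a software-distribution package leaves no entry here at all, which would itself point towards the software deployment route.

```powershell
# Assumption: pattern matching the title of the unexpected update.
$pattern = 'Office.*Service Pack'
# Assumption: how far either side of the install to look for neighbouring updates.
$windowMinutes = 30

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
if ($total -eq 0) { Write-Output 'No Windows Update Agent history on this machine.'; return }

# Enum values from the Windows Update Agent API.
$serverSelection = @{ 0 = 'Default'; 1 = 'ManagedServer'; 2 = 'WindowsUpdate'; 3 = 'Others' }
$operation       = @{ 1 = 'Installation'; 2 = 'Uninstallation' }
$resultCode      = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                      3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

# Date is stored in UTC. ClientApplicationID names the caller: typically 'CcmExec'
# for the SCCM client and 'AutomaticUpdates' for the built-in agent (verify locally).
$history = @($searcher.QueryHistory(0, $total) | Select-Object `
    @{ n = 'DateUtc';   e = { $_.Date } },
    @{ n = 'Client';    e = { $_.ClientApplicationID } },
    @{ n = 'Source';    e = { $serverSelection[[int]$_.ServerSelection] } },
    @{ n = 'Operation'; e = { $operation[[int]$_.Operation] } },
    @{ n = 'Result';    e = { $resultCode[[int]$_.ResultCode] } },
    @{ n = 'Title';     e = { $_.Title } })

$suspect = @($history | Where-Object { $_.Title -match $pattern })
if ($suspect.Count -eq 0) {
    Write-Output "No WUA history entry matches '$pattern'; check MSI and software distribution logs."
    return
}

foreach ($hit in $suspect) {
    Write-Output "--- $($hit.Title) at $($hit.DateUtc) UTC"
    # Show everything installed around the same time, so the caller and source of
    # the suspect entry can be compared with the updates known to come from SCCM.
    $history |
        Where-Object { [math]::Abs(($_.DateUtc - $hit.DateUtc).TotalMinutes) -le $windowMinutes } |
        Sort-Object DateUtc |
        Format-Table DateUtc, Client, Source, Operation, Result, Title -AutoSize
}
```

A suspect entry whose Client or Source differs from the neighbouring SCCM-deployed updates indicates it was requested by a different agent or pulled from a different server.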
 