I've actually figured out what happened.

The setting we use is under: Computer Config - Policies - Administrative 
Templates - System - Internet Communication Management - Internet Communication 
Settings.

We enable the setting:  Turn off access to all Windows Update features.

That setting makes it so they can't get to the website in any way, and when 
they look at Windows Update, the link to Check online for updates 
(paraphrasing) is not there.
What we found here, was that the machines that were affected were getting their 
settings from a policy that did NOT have the above configured (important 
info...)


What happened here:

I'm in the middle of setting up a test domain.  Completely separate from our 
production environment, no touching.  Yesterday, I was configuring roles in the 
test domain's SCCM.  I was setting up the SUP, and having some issues getting 
it to work.  So, I opened up the production SCCM and was comparing settings.  I 
decided to remove the role in test, then remove WSUS, and start from scratch.  
Well, you can guess which SCCM console I was actually in when I removed the SUP 
role. (Production, in case anyone didn't catch it).  I realized it within 
seconds, and reinstalled the role, but the damage was done.  SCCM had already 
sent out the message to everyone that it was no longer in charge of Windows 
Updates.  So, all the PCs in my environment (desktops and laptops) went out to 
Microsoft for updates.  The laptops' GPO had the above setting correct.  The 
workstation GPO did not.  So, a bunch of my workstations had the opportunity to 
download and install about 12-15 updates, including IE10 and IE11.

I found a command line, using wusa.exe, that we have thrown into a batch file, 
that will quietly uninstall both IE11 and IE10, so that the user is back to 
IE9.  Only downside is that it does require a reboot, which will need to be 
done manually, so that the user doesn't lose anything they're working on.

So, that's my one major screw up allowed for the year.  I still have a couple 
minor ones left to use though, lol.  Thanks to everyone for the tips and 
advice.  It's good to know that I was looking where I should have been for 
solutions.

Thanks,

Joe
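
An added example, not part of the original message: a PowerShell check for the condition described above, where a client has neither the "Turn off access to all Windows Update features" policy nor an intranet update server in its policy. It assumes the policy is stored as `DisableWindowsUpdateAccess` under the standard Windows Update policy key; the function names and the two sample machines are constructed for illustration.

```powershell
# Added example (not from the original thread).
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicyState {
    param([string]$Path = $WuKey)
    # Missing keys or values come back as $null rather than throwing.
    $wu = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$Path\AU" -ErrorAction SilentlyContinue
    @{
        DisableWindowsUpdateAccess = $wu.DisableWindowsUpdateAccess
        WUServer                   = $wu.WUServer
        UseWUServer                = $au.UseWUServer
    }
}

function Test-WuPolicyState {
    param(
        [Parameter(Mandatory)][hashtable]$State,
        [string]$Computer = $env:COMPUTERNAME
    )
    # Blocked: the GPO setting from the message is applied on this machine.
    $blocked = ($State.DisableWindowsUpdateAccess -eq 1)
    # Managed: policy points the update agent at an intranet server (WSUS/SUP).
    $managed = ($State.UseWUServer -eq 1) -and [bool]$State.WUServer
    [pscustomobject]@{
        Computer       = $Computer
        PolicyBlocksWU = $blocked
        IntranetServer = $managed
        # With neither control, nothing stops the client going to Microsoft.
        AtRisk         = (-not $blocked) -and (-not $managed)
    }
}

# Constructed sample states modelled on the incident: the intranet server
# policy is gone on both, only the laptop GPO carries the blocking setting.
$samples = [ordered]@{
    'LAPTOP-EXAMPLE'      = @{ DisableWindowsUpdateAccess = 1;     WUServer = $null; UseWUServer = $null }
    'WORKSTATION-EXAMPLE' = @{ DisableWindowsUpdateAccess = $null; WUServer = $null; UseWUServer = $null }
}
$report = foreach ($name in $samples.Keys) {
    Test-WuPolicyState -State $samples[$name] -Computer $name
}
# Also check the machine the script runs on.
$report += Test-WuPolicyState -State (Get-WuPolicyState)
$report | Format-Table -AutoSize
```

In the constructed data only WORKSTATION-EXAMPLE is reported with `AtRisk` true, matching the workstation GPO gap in the message.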


From: [email protected] On Behalf Of James Rankin
Sent: Thursday, January 30, 2014 10:29 AM
To: [email protected]
Subject: Re: [NTSysADM] Windows Updates went crazy last night

I had a small business client recently that suddenly jumped to IE11 even though 
updates are supposed to be notification only. And then one of their LOB apps 
wouldn't work. We had to leverage in a guy from Microsoft who I got in contact 
with via Twitter to get them back up and running - it wasn't a trivial thing.

I'm still trying to work out how the IE11 install was triggered - they said 
they didn't do it, but I was starting to doubt them, until your email came in.


On 30 January 2014 18:19, Heaton, Joseph@Wildlife <[email protected]> wrote:
They do now, that IE 10 or IE11 has been installed.

Working on creating a package in SCCM to uninstall to get them back to IE9, 
which is our standard.

From: [email protected] On Behalf Of James Rankin
Sent: Thursday, January 30, 2014 9:42 AM
To: [email protected]
Subject: Re: [NTSysADM] Windows Updates went crazy last night

They haven't got the "Install Updates automatically" box ticked in IE have they?

On 30 January 2014 17:38, Heaton, Joseph@Wildlife <[email protected]> wrote:
We're running SCCM 2012, which manages all updates for our workstations.  It's 
been working great for well over a year.  Users have not been able to manually 
install updates, etc.

This morning, I come into the office, and within the space of 15 minutes, 3 
different people contact me saying they were updated to IE 10 or 11 overnight.  
Looking at their update history, they actually received quite a few updates 
overnight.

I'm the only one here that packages and pushes updates through SCCM.  I did 
nothing of the sort within the last couple of weeks.  I'm trying to figure out 
why a large portion of my workstations suddenly decided last night to go out, 
download and install Windows Updates.

SCCM - 2012 SP1 CU3 on the server, but most clients are still at base SP1.

Anyone have any ideas?  Did anyone else see this type of behavior last night?

Thanks,

Joe Heaton




--
James Rankin
---------------------
RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization 
Practice Analyst - Desktop Virtualization
http://appsensebigot.blogspot.co.uk