Had an ‘interesting’ day at the office yesterday – one of our SCCM administrators had pushed the SCCM client to a long list of clients by mistake.
Actions we took to halt any further depoloyments this were as follows:
- Blocked SCCM site server to client subnet traffic using Windows Firewall.
- Deleted files from the ccrretry.box invbox
The following reports allowed me to identify whom had performed this and to what machines:
- Reports | Client Push | Client Push Installation Status Details
- Reports | Status Messages | Audit | All audit messages for a specifric user
The latter report was run against all users, looking for MessgeID 30108 – as outlined here, this releates to client push.
The ccm.log will help you understand whether further deployments have stopped – meaning you can re-open the Windows Firewall.