ConfigMgr : Bulk Client Push Mistake

Had an ‘interesting’ day at the office yesterday – one of our SCCM administrators had pushed the SCCM client to a long list of clients by mistake.

Actions we took to halt any further depoloyments this were as follows:

  1. Blocked SCCM site server to client subnet traffic using Windows Firewall.
  2. Deleted files from the ccrretry.box invbox

The following reports allowed me to identify whom had performed this and to what machines:

  • Reports | Client Push | Client Push Installation Status Details
  • Reports | Status Messages | Audit | All audit messages for a specifric user

The latter report was run against all users, looking for MessgeID 30108 – as outlined here, this releates to client push.

The ccm.log will help you understand whether further deployments have stopped – meaning you can re-open the Windows Firewall.