Windows Server 2012 R2
HIPS V 220.127.116.111-2482
For reasons I won't go into, not all systems in our enterprise have HIPS installed. They all have VSE and all the laptops have EEPC. So of course, we do distribute the HIPS content from the current branch to all systems. The ones with HIPS use it, and the ones without it don't.
We don’t have any HIPS deployment tasks at all, although we do, or we did, have a version of HIPS in the current branch (.2482), as we do have a task to remove HIPS on occasion. In addition, our Global update task is configured to only deliver HIPS content, with Patches and service packs turned off for HIPS.
So you can imagine my surprise when I am alerted yesterday morning that HIPS is being installed on all systems. I check all the tasks (perhaps one is mislabeled). Nope, there are no HIPS deployment tasks. Maybe it’s being delivered as a patch or service pack from one of our update tasks? Nope, both update tasks have HIPS unchecked in Patches and service packs. Could there be something with an agent policy? Pointing to the eval branch or something? Nope, only a small test group at a bottom level folder is getting anything from Eval.
What could it be? In a panic, I remove anything to do with HIPS from the current branch AND disable HIPS DAT distribution. It stops. OK, time to find out why, when this happened.
I create a report, “HIPS product deployment History”. It looks like the image below.
Funny thing is, when I run the report, I don't show any installs prior to actions I've taken recently after the issue was discovered yesterday morning. No installs except like 2 I did months ago. If I remove the event ID part of this query, I see plenty of DAT updates (2401). The only uninstalls I can see are ones I did to remediate the issue.
So, am I to deduce that somehow, a recent DAT update caused an installation action on systems without HIPS? Could it be that the DAT itself triggered a dependency installation from the version of HIPS located in the current branch? Has anyone else seen this? Any ideas? At this time, I have suspended all HIPS DAT distributions till I can flush this out on our dev server. Perhaps I will have to configure EPO to only expose systems with HIPS to HIP DATs?
Message was edited by: awbattelle on 3/5/14 10:47:33 AM CST
HIPS Report.jpg 104.9 K