I have never tried using TAGs for patch deployment. However, there are other ways that VSE Patch can be installed, bypassing ePO controls.
The first is the local auto update task; I believe a fresh install of VSE defaults to daily at 5pm. If that is enabled on the endpoints, then Patch 5 will get installed regardless. In ePO, you can configure the option to disable any local update tasks.
Another way that patches bypass ePO controls is if the end user right-clicks the VSE shield and selects update. These methods will pull the Patch if it is in the current branch only.
These are things worth checking. Having the patch in the Evaluation Branch stopped the two methods I describe from working.
twenden, thank you for your answer.
Right, that's what I missed: the default "Auto update" on the endpoints is configured to download "other updates" like "service packs, upgrades etc...".
I had this same issue with patch 4.
Another thing to keep in mind is that the McAfee agent policy in ePO is where you configure repository information for the endpoints. By default, the update tab in the McAfee agent general policy will update all pieces of software, including DATs, patches and VSE engines, from the current branch. So, if you put a VSE patch in the current branch and you have an update task configured, say, for example, to update the DAT file, it will apply the patch as well.
For my Patch 5 test deployments, I have the patch checked in to the evaluation branch, with an update policy to update VirusScan from the evaluation branch applied by a tag.
Simple once you get used to the way ePO works.