Forgive me if my questions have already been covered, I performed a search but was not able to bring up answers I am looking for. I am running ePO 3.6.1, have deployed CMA 3.6, AV 8.0, and 8.5 to approx 3500 machines in enterprise. Machines are in groups in directory based on Dept/Roles, and IP Address Range. I would like to check in patches for CMA and AV to ePO without having them deployed to machines automatically. I would like to control the deployment to specific groups. In a sense, using the deployment first to non critical machines as a way of testing. Setup: -Deployment task on ePO has all components set to ignore, inherited throughout directory. -Agent update task is set to update DATS, Engine at various times with retries every 50 minutes. Patches, services packs on this task are all cleared, not enabled for updating. -Global updating is off. I have spoken with McAfee support many times, they all tell me the way I have it configured is correct and patches will not be deployed but I see otherwise in test lab. Dats are updated on schedule without any patches updating. But it seems at some time during the day the patches are downloaded to machines. Am I correct in assuming this is due to ‘Auto Update’ feature on AV client? Auto update on clients options: -Get newer definitions -Get newer engines -Get other available updates (service packs, upgrades etc)* The patch deploy happens about one hour after the schedule of the auto update on client. Is there a way around this? If I disable clients auto updates from ePO, is there a way to enable them again? Or am I thinking incorrectly and there is something else causing the patch deployments? Thank you in advance for any assistance and advice offered.