Starting with Endpoint Protection clients running 14.3 Release Update 6, provisioned virtual disk image (VDI) machines are upgrading unexpectedly to a newer available client patch.
There are no installation packages assigned to the client groups.
The LiveUpdate policy has 'Download client patches' disabled.
This issue affects Endpoint Protection 14.3 RU6 or newer.
The VDI images were prepared using the 'smc -image' option as per the 'Prepare Endpoint Protection clients for cloning' document.
Starting with 14.3 RU6, the 'smc -image' command, run as part of image preparation for the Endpoint Protection client, sets an incorrect registry value for the 'Download client patches' option that the LiveUpdate policy normally sets on the client.
This setting will allow the Endpoint Protection client to request the latest available client patch and then attempt an upgrade.
Our Engineering team is investigating this issue and will update this document when a solution becomes available.
As a workaround while waiting for the fix, perform the following activities:
1. Update the gold image for provisioning to the latest Release Update client patch available. This will ensure there is no newer revision for the Release Update to request.
2. At the SEPM server, uncheck client patch content as a content type to download. This will prevent the SEPM from downloading newer client patch versions.
3. (Optional) Ensure the LiveUpdate policy in use does not make use of the public LiveUpdate servers. The client may check for a client patch update if it cannot reach the SEPM server for content.