I have a fresh 2008 Server running PM 1.85. Registered all the downstream servers, set up the approvals on the latest round of updates. Everything's working pretty great (minus a ticket open for some reporting issues from custom generated reports), until I start gettign calls that a 3rd party update is installing and it shouldn't be based on our approvals.
We have multiple groups based on spcific needs (Adobe group, Apple group, Java Approved group, Java Not Approved group, etc). The Java Not Approved has, you guessed it, Java 7u25 Not Approved (Inherited) and Java Approved set to Approved for Install. This is shown on the Patch manager server as well as the downstream server that reports to it. However, pc's are getting the Java update. In the windowsupdate.log it show's it's coming in from WSUS.
Any ideas or need more info? This is boggling my mind.