R2 CU4 upgrade / Security patches are being applied without approval

I just finished upgrading my infrastructure to CM12 R2 CU4. With the release of the patches this week, our client machines are getting the updates through Microsoft as opposed to WSUS.

I have not changed anything in the environment except for upgrading to CU4.

Would this upgrade now change how the clients receive their upgrades?

I have confirmed the reg entries are directing clients to the proper WSUS server. Why are the clients now ignoring WSUS?

April 16th, 2015 8:52am

Would this upgrade now change how the clients receive their upgrades?


No. How did you determine this fact? 
April 16th, 2015 9:02am

No changes have been made to the environment with the exception of the CU4 upgrade.

I have not yet downloaded or deployed any patches. Normally we deploy to a handful of people to test against our suite of apps.

None of this has been done as yet.

We now have a large number of clients that were patched and rebooted last night. Looking into this - they all reached out to Microsoft and downloaded, installed and rebooted.

I am going through all the settings in the console and our WSUS server and not finding any changes.

April 16th, 2015 9:06am

Installed what?

Can you please provide specific evidence so that we can perhaps provide some diagnosis (simply saying something happened doesn't help us much to help you).

April 16th, 2015 11:04am

Installed KB3045685 - NOT approved through WSUS - not downloaded

Installed KB3042553 - NOT approved through WSUS - not downloaded

Installed KB2990214 - NOT approved through WSUS - not downloaded

Installed ...... there were 7 patches installed - none of which were downloaded or approved through SCCM / WSUS

Servers are also receiving these unapproved patches and are pending forced reboots in 2 days - we do not manage server patching through WSUS... These are all patches released April 14

The machines (workstations and servers) that are patching without approval are all R2 - all have R2 Clients installed...

April 16th, 2015 5:17pm

That still does not answer where/what/why the installation was kicked off. Search the eventlog and WindowsUpdate.log if you can find any hints. 
April 17th, 2015 2:01am

Torsten, I have checked all the logs already... the only thing I have found in the windowsupdate.log file is that automatic updates triggered this on April 15 at 3 am....

The question I have (which I am now having Premier Support look into) is why this behavior after R2 implementation... there have been no changes to our environment other than R2 CU4... No policy changes, windows update policy is set to NOT CONFIGURED which has been set that way since we implemented WSUS years ago...

I appreciate any answers, hints, ideas that can point me to why this is now happening.

I appreciate the help, and I do not wish to come across as arrogant, but, if I knew the where/what/why, I wouldn't need to ask, this would not be an issue...

My only question was - with the upgrade to R2, would any settings get set back to default in SCCM (I could see no changes from our SP1 configuration), the only other thing I can think of is - would the upgrade to R2 to the client on the client machine change the behavior of the update service?

Any ideas that I can check on would be of great help

April 17th, 2015 9:08pm

If the Windows Update log shows this as being triggered at 3AM, then the only possibility here is that the update was approved directly in WSUS. Don't confuse anything you do in ConfigMgr with approvals in WSUS. To check, you need to open the WSUS console explicitly and find the update.
April 17th, 2015 9:31pm
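
The WSUS-side check suggested in the last reply can also be scripted. The following PowerShell is an added example, not part of the original thread; it assumes it is run in an elevated session on the WSUS server itself with the UpdateServices module available (Windows Server 2012 or later), and it uses the three KB numbers quoted earlier in the thread.

```powershell
# Added example: list WSUS approvals for the KBs reported in the thread.
# Assumption: executed locally on the WSUS server, elevated.
Import-Module UpdateServices

# KB numbers the thread reports as installed without approval.
$kbs = 'KB3045685', 'KB3042553', 'KB2990214'

# With no parameters, Get-WsusServer connects to the local WSUS instance.
$wsus = Get-WsusServer

$report = foreach ($kb in $kbs) {
    # SearchUpdates matches on update text; titles carry the KB number.
    $updates = $wsus.SearchUpdates($kb)

    if ($updates.Count -eq 0) {
        [pscustomobject]@{
            KB = $kb; Title = '(not in WSUS catalog)'; Action = $null
            TargetGroup = $null; ApprovedBy = $null; Created = $null
        }
    }
    else {
        foreach ($u in $updates) {
            $approvals = $u.GetUpdateApprovals()

            if ($approvals.Count -eq 0) {
                # Synchronized but never approved for any group.
                [pscustomobject]@{
                    KB = $kb; Title = $u.Title; Action = 'NoApproval'
                    TargetGroup = $null; ApprovedBy = $null; Created = $null
                }
            }
            foreach ($a in $approvals) {
                # One row per approval: which group, which account, when.
                [pscustomobject]@{
                    KB          = $kb
                    Title       = $u.Title
                    Action      = $a.Action
                    TargetGroup = $a.GetComputerTargetGroup().Name
                    ApprovedBy  = $a.AdministratorName
                    Created     = $a.CreationDate
                }
            }
        }
    }
}

$report | Sort-Object KB, TargetGroup | Format-Table -AutoSize
```

Rows with an `Install` action show the target group, the approving account and the creation time, which can be compared against the 3 am install time found in WindowsUpdate.log.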

This topic is archived. No further replies will be accepted.
