Adobe’s Flash Player is still a requirement in many Enterprise Windows environments despite the number of critical security flaws present in the product. In this article, I’ll show you how you can augment your third-party patching strategy by enabling automatic silent updates of Adobe Flash on your Windows workstations.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Updating third-party products is a huge hassle, right? Chrome, Firefox, Java, Reader, Flash . . . the list goes on and on. System Center Configuration Manager can automate the process, but you typically have to pay for an add-on unless you want to build out the packages yourself. The good news is that Adobe Flash now supports automatic silent updates.

Which Windows OS and browser are you running?

The Windows OS version and browser on your workstations will determine what configuration is necessary. If you’re running Windows 8 or 10 and only using Edge/Internet Explorer, there’s nothing else you need to do. Flash updates are handled as part of your normal Windows updates. If you’re running Google Chrome, your Flash updates will install as part of Chrome updates.

If you’re still running Windows 7 with Internet Explorer, or you use Firefox on any Windows version (including Windows 8/10), you’ll need to either install updates manually (which isn’t ideal) or configure the updater to install them for you.

Manual configuration

When installing Adobe Flash using the exe installer, you will be prompted to select your update preference. If you use the “Allow Adobe to install updates” option, the Flash updates will install automatically.

Adobe Flash Player exe installer prompting for update preference during install

If you go to the Task Scheduler, you can see that there is a new Adobe Flash Player Updater task that is scheduled to run daily. The task runs with System privileges. That means that even users without Administrator rights can have Flash updates installed silently without receiving prompts or requiring IT assistance.

Adobe Flash Player Updater task in Task Scheduler to install updates

If you selected “Notify me to install updates” or “Never check for updates,” you can go to the Control Panel and open the Flash Player Settings Manager. Click the Change Update Settings button, approve the User Account Control (UAC) prompt, and change the setting to “Allow Adobe to install updates.”

Enable automatic silent updates in the Flash Player Settings Manager

The Enterprise gotcha

The only problem with enabling Adobe Flash silent updates at install time is if you’re a large enough organization that you’re using a tool like the Microsoft Deployment Toolkit (MDT) for OS deployments or System Center Configuration Manager. Silent installs of Adobe Flash using the exe installer and installs using the MSI installer don’t enable silent updates and, instead, use the “Notify me to install updates” option. If you’re an organization that doesn’t give end users Admin rights, you probably don’t want your customers being prompted to install something . . . especially if they won’t be able to perform the install.

Default update setting for Adobe Flash using the MSI installer

Push out the configuration with Group Policy

Adobe Flash’s update configuration can be controlled with a text file named mms.cfg. To push the configuration out to a large number of systems, we can use Group Policy Preferences to copy the file from a network share to the local system.

First, we’ll need to create a text file named mms.cfg. In the text file, copy/paste the following text:

Next, save the file to a network share. For small files like this, I typically like to keep them in a folder in SYSVOL. Because the SYSVOL folder is replicated across all Domain Controllers (DCs), it ensures the client will always have access to the file. In my example, I’ll use \\domain\sysvol\domain\files\Adobe_Flash\mms.cfg.

In the Group Policy Management Console, edit a Group Policy Object (GPO) that applies to your computers. Go to Computer Configuration > Preferences > Windows Settings > Files. Right-click in the open white area on the right and choose New > File.

Create a new Files Group Policy Preference

In the New File Properties, set the following settings:

  • Action: Update
  • Source File(s): \\domain\SYSVOL\domain\files\Adobe_Flash\mms.cfg
  • Destination File:
    • For x86/32-bit systems: C:\Windows\System32\Macromed\Flash\mms.cfg
    • For x64/64-bit systems: C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
  • Attributes: Leave the defaults

New File Properties to copy mms.cfg to x86 Windows

New File Properties to copy mms.cfg to x64 Windows

You can use Item-level targeting to ensure that only x86 systems get the x86 configuration and x64 systems get the x64 configuration. To configure the Item-level targeting, go back into one of the New File Properties and go to the Common Tab. Click the check-box next to Item-level targeting and then the Targeting button.

Configure Item-level targeting for the file copy

Click New Item > Environment Variable. Use the following settings:

  • Name: Processor Architecture
  • Value:
    • For x86/32-bit systems: X86
    • For x64/64-bit systems: AMD64

Don’t get hung up on the fact that it is asking for processor architecture; the Processor Architecture refers to whether the operating system is 32- or 64-bit. You can run 32-bit Windows on a 64-bit processor and Windows will report X86 for the Processor Architecture.

The next time Group Policy refreshes on the client systems, Adobe Flash will be configured to update automatically without user intervention.

Use Item-level targeting to target the file to an x64 system
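
One way to confirm on a workstation that the file copy took effect and that the updater task exists, as an added example that is not part of the original article. It assumes mms.cfg is meant to contain SilentAutoUpdateEnable=1 (the setting named in the comments on this page) and AutoUpdateDisable=0 (the companion key from Adobe's administration guide), and it uses the task name and destination paths given above.

```powershell
# Added example (not from the article). Expected values are assumptions:
# SilentAutoUpdateEnable=1 is named in the comments on this page;
# AutoUpdateDisable=0 is the companion key from Adobe's administration guide.
$Expected = @{ SilentAutoUpdateEnable = '1'; AutoUpdateDisable = '0' }

function ConvertFrom-MmsCfg {
    # Parse mms.cfg "Name=Value" lines; skip blanks and '#' comment lines.
    param([string[]]$Lines)
    $settings = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($line in $Lines) {
        $text = "$line".Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        $name, $value = $text -split '=', 2
        if ($null -ne $value) { $settings[$name.Trim()] = $value.Trim() }
    }
    $settings
}

function Test-FlashSilentUpdate {
    # Report whether this workstation has the config file, the settings and the task.
    param([string]$CfgPath, [string]$TaskName = 'Adobe Flash Player Updater')
    $problems = @()
    if (Test-Path -LiteralPath $CfgPath) {
        $actual = ConvertFrom-MmsCfg -Lines (Get-Content -LiteralPath $CfgPath)
        foreach ($key in $Expected.Keys) {
            if ($actual[$key] -ne $Expected[$key]) {
                $problems += "$key is '$($actual[$key])', expected '$($Expected[$key])'"
            }
        }
    } else {
        $problems += "missing file: $CfgPath"
    }
    # schtasks.exe exits non-zero when the named task does not exist.
    schtasks.exe /Query /TN $TaskName 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { $problems += "scheduled task '$TaskName' not found" }
    New-Object psobject -Property @{
        Computer = $env:COMPUTERNAME; Compliant = ($problems.Count -eq 0); Problems = $problems
    }
}

# Use the OS architecture even when running in a 32-bit PowerShell host.
$arch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }
$dir  = if ($arch -eq 'AMD64') { 'SysWOW64' } else { 'System32' }
Test-FlashSilentUpdate -CfgPath (Join-Path $env:windir "$dir\Macromed\Flash\mms.cfg")
```

A machine that reports the file as correct but the task as missing still will not update silently, so the two checks are reported separately.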

12 Comments
  1. Marc 4 years ago

    This only seemed to update the ActiveX version. Is there a different setting to update the NPAPI version too? Also, on a 64bit system, the installer will install 32bit and 64bit Flash. I checked both folders on my system and the update service exe is in the SysWOW64 location. That's where I ended up pushing the file to. Should I also put it in the System32 location?

    • Author
      Kyle Beckman 4 years ago

      The NPAPI plugin won't update while a browser is active like the ActiveX plugin will. The documentation from Adobe says it should happen on reboot, but I've experienced the same behavior you have. I'm guessing the behavior may have been changed and the documentation hasn't been updated or it is just an oversight in the documentation.

  2. Marc 4 years ago

    Very strange - I ran the update task again and now NPAPI isn't even listed as being installed however the plugin files are actually updated in the flash folders. Firefox doesn't complain either. I'm not sure if I just needed to wait a bit or if the updater needed to run twice. Looks fine now though. I do have a followup question. Is there a way to change the time the updater scheduled task runs at? Currently it's after 7pm but many of our users use laptops that they take home. I'd like to run this around noon instead.

    • Author
      Kyle Beckman 4 years ago

      In theory, you should be able to edit the task with Group Policy Preferences, but I haven't tried it. The task will still run if it missed the normally scheduled time... It just runs when the system comes back up.

  3. AFisher 4 years ago

    I think this article is a little incomplete. While the auto-updating is a nice feature, do you really want 1000s of systems calling out to Adobe to pull 200+ megs of data each? The Flash admin guide has a method to build an in-house update server. This can be set up on any HTTP server and is fairly simple. What we do is have a scheduled task that checks for new updates from Adobe; it then downloads and populates the web server. I can have 1000s of machines updated within 24 hours (or sooner) and only download one small package from Adobe!

    • Author
      Kyle Beckman 4 years ago

      Both updates as of today are slightly less than 20MB, not 200MB. But yes, that is another way of doing it. In my environment (like many others), the majority of my systems are mobile and not on the corporate LAN at all times. Most of my systems do their updates while they are off our network.

  4. Justin Gamble 3 years ago

    Can the same thing be done to address JAVA updates as well?

  5. Edwin 3 years ago

    On a Windows 2012 domain with Windows 10 PCs, I cannot get past some obstacle. The path to the cfg is good, as I can open it from a test PC. However, the file is not being transferred to the appropriate Macromed/Flash folder. I've double-checked everything over and over again. I also tried pushing the cfg file to the Public Desktop without success; no errors in Group Policy. Ensured that Windows Firewall is not the culprit and also disabled a/v; nothing.

    The cfg file is good; if I move it manually it gives me the results I want. I just can't make GPP push it.

    Thanks.

  6. A. Tourist 3 years ago

    I was giving this some thought in regards to the enterprise problem. If the user had the rights to install Flash, unless there was policy change, they’ll have the rights to update it. What comes into question is, if they don’t select the recommended setting to allow Flash to be updated automatically. At that point when they are notified for an update, they may contact the ‘help desk’ for support.

    Furthermore, say you want to force onto them – that Flash does auto update. You go ahead and set the GP pref and push the file. Okay, great. You still have to deal with creating a scheduled task (for everyone)... because I’m guessing/assuming that task event won’t exist if the user didn’t choose to let Flash update automatically.

    Anyway, enjoyed the article.
    Thanks.

    • Matt 3 years ago

      A.Tourist I think you are missing the point. By setting the "SilentAutoUpdateEnable=" value to 1 the program automatically creates a scheduled task, so if you deploy the mms.cfg with that switch in there then it will create a scheduled task on any computers/users that you specify in your GPO.

      • Nick 3 years ago

        "By setting the "SilentAutoUpdateEnable=" value to 1 the program automatically creates a scheduled task" -- This is incorrect, as I have updated the mms.cfg file to the specified values, yet there are no new Scheduled Tasks.

  7. Nick 3 years ago

    The SysWOW64 mms.cfg is not updating.

© 4sysops 2006 - 2019
