The great success of Adobe Flash and its resulting widespread use has led to its presence in all sorts of versions on diverse platforms. On Windows, it is not only part of the operating system, but also comes as an integrated component of various web browsers, including the market leader, Google Chrome.
For this reason, most Windows PCs have multiple copies of the Flash player installed that need to be neutralized. In the case of web browsers, removing Flash is often not possible, but you can prevent the player from running using group policies.
Most browser vendors started disabling the built-in Flash module by default some time ago. However, users could still change this setting. Therefore, it is important to permanently block the execution of Flash on web pages via a GPO. Currently, you have to download the ADMX templates for all browsers except Internet Explorer and save them in the central store or on the local workstation.
Blocking Flash in Chrome and Edge
The Chromium-based browsers offer a Content Settings folder under Computer or User Configuration > Policies > Administrative Templates in the Google > Google Chrome or Microsoft Edge section.
There, you'll find the option Default Flash setting (Chrome) or Default Adobe Flash setting (Microsoft Edge). By selecting Block the Adobe Flash plugin, you prevent the player from being run.
However, if old Flash applications still exist in the company, then this measure would be too radical. Hence, as an alternative, you can use a whitelist to allow Flash only for specific URLs. This option can also be found in the content settings and is called Allow the Flash plugin on these sites (Chrome) or Allow the Adobe Flash plug-in on certain sites (Edge).
GPO settings for Firefox
Mozilla also provides Flash blocking for Firefox under Computer or User Configuration > Policies > Administrative Templates > Mozilla > Firefox > Flash. You can switch off the player completely by deactivating the Activate Flash on websites setting.
If you want to enable individual websites for Flash, you can use a whitelist here as well. In this case, leave Activate Flash on websites set to Not configured and activate the Allowed Sites setting instead. There, you can enter the desired URLs for Flash.
For Internet Explorer, the Flash player is implemented as an ActiveX control. By default, ActiveX filtering is active for external websites, so Flash would not run there anyway.
If you want to block it globally, then the setting Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects will do the job. You can find it under Computer or User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management.
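To confirm on a workstation that the browser settings described above have actually arrived, the following PowerShell script (an added example, not part of the original article) reads the registry values behind these policies and lists any whitelisted URLs. The registry paths and value names come from the browser vendors' policy documentation rather than from this article, and the function name Get-FlashPolicyState is hypothetical.

```powershell
# Added example: audit the registry values written by the Flash-blocking GPOs.
# Paths and value names are taken from the vendors' policy documentation (assumption),
# 'Blocked' is the value that corresponds to "Flash is blocked" for each browser.
$FlashPolicies = @(
    @{ Browser = 'Chrome';  Key = 'SOFTWARE\Policies\Google\Chrome';               Name = 'DefaultPluginsSetting'; Blocked = 2; Allow = 'PluginsAllowedForUrls' }
    @{ Browser = 'Edge';    Key = 'SOFTWARE\Policies\Microsoft\Edge';              Name = 'DefaultPluginsSetting'; Blocked = 2; Allow = 'PluginsAllowedForUrls' }
    @{ Browser = 'Firefox'; Key = 'SOFTWARE\Policies\Mozilla\Firefox\FlashPlugin'; Name = 'Default';               Blocked = 0; Allow = 'Allow' }
    @{ Browser = 'IE';      Key = 'SOFTWARE\Policies\Microsoft\Internet Explorer'; Name = 'DisableFlashInIE';      Blocked = 1; Allow = $null }
)

function Get-FlashPolicyState {
    param(
        [hashtable[]]$Policies = $FlashPolicies,
        # Computer Configuration is written to HKLM, User Configuration to HKCU.
        [string[]]$Hives = @('HKLM:', 'HKCU:')
    )
    foreach ($p in $Policies) {
        foreach ($hive in $Hives) {
            $path  = "$hive\$($p.Key)"
            $prop  = Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
            $value = if ($null -ne $prop) { $prop.($p.Name) } else { $null }

            # Collect whitelist entries (values named 1, 2, ... under the allow subkey).
            $allowed = @()
            if ($p.Allow) {
                $allowKey = Get-Item -Path "$path\$($p.Allow)" -ErrorAction SilentlyContinue
                if ($allowKey) {
                    $allowed = @($allowKey.GetValueNames() | ForEach-Object { $allowKey.GetValue($_) })
                }
            }

            $state = if ($null -eq $value)           { 'NotConfigured' }
                     elseif ($value -eq $p.Blocked)  { 'Blocked' }
                     else                            { 'NotBlocked' }

            [pscustomobject]@{
                Browser     = $p.Browser
                Hive        = $hive
                State       = $state
                Value       = $value
                AllowedUrls = $allowed -join ', '
            }
        }
    }
}

# Show every browser/hive combination; anything other than 'Blocked' deserves a look.
Get-FlashPolicyState | Format-Table -AutoSize
```

A row that reports NotConfigured together with a non-empty AllowedUrls column matches the whitelist-only configuration described for Firefox; the same row with an empty AllowedUrls column means the GPO has not reached that machine or user.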
Removing Flash from Windows
Adobe Flash is also included in the operating system, but cannot simply be uninstalled as an optional component. Rather, Microsoft provides a separate update (KB4577586) for this, which is available for all currently supported Windows versions.
At this time, it can only be downloaded from the Update Catalog; you then have to import it into WSUS. Microsoft might deliver it directly to WSUS after the end of Flash support.
The update removes the Flash player from Windows but cannot be uninstalled itself. Thus, this process is irreversible. Another peculiarity is that it only works for the integrated Flash component.
If a user has installed the Flash player manually, then they need Adobe's uninstall program. It can be downloaded from the manufacturer's website. With the command
the program runs in the background, so that it is also suitable for logon scripts.