Adobe Flash 11 Deployment via GPO

At last Adobe have come to the party and released Adobe Flash 11 that comes as 32-Bit and the long awaited 64-Bit versions. This is great news to me because I can now try to use IE 64-Bit browser as my main browser.
Now we have to understand how to deploy Flash 11 using Group Policy for both 32 and 64 bit versions to your clients in a manageable way. This guide will be about deploying Adobe Flash ActiveX version, however the plug-in version would work just the same.

There is a new article which covers the auto-updating aspect of Adobe Flash for enterprise. Read it here:
https://ivan.dretvic.com/2012/05/deploying-adobe-flash-player-11-2-with-auto-updating-in-an-enterprise/

I encourage you read my old article Adobe Flash 10.3 deployment via GPO (https://ivan.dretvic.com/?p=144) to familiarise yourself with deploying where the steps to deploy were correct for every version of Adobe Flash 10.

Downloading Adobe Flash

Download the .MSI from Adobe. Note you need to register to redistribute the software (quick form to fill out). It may take up to 24 hours to get the link sent to you via email.

http://www.adobe.com/products/players/fpsh_distribution1.html

There are also places that have advertised the direct link to download the software if you ‘misplaced’ your email with the link. Check the Useful Links section at the bottom for more info.

The files that I downloaded were:

  • install_flash_player_11_active_x_32bit.msi – Internet Explorer version – Ver 11.0.1.152
  • install_flash_player_11_active_x_64bit.msi – Internet Explorer version – Ver11.0.1.152

Deploying Adobe Flash 11 via Group Policy

In the past, Adobe Flash 10 MSI package used to break when you tried to modify it, and meant that we had to use alternate methods of configuring the install. In light of this I have a stable and efficient method of managing Adobe Flash without modifying the MSI or using a Transforms file. I have not bothered to modify the current MSI but I suspect it will break it just like most of the previous versions.

The new Adobe Flash 11 comes in the two variants being 32-Bit and 64-Bit.

The 32-Bit install is obviously for 32-Bit (x86) operating versions of Windows (that’s 32-Bit versions of Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008). It is not to be installed on 64-Bit versions of Windows. Flash will be installed in the following directories:

%systemroot%\System32\Macromed\Flash – 32-Bit version of Flash

The 64-Bit install is for 64-Bit (x64) operating versions of Windows (that’s 64-Bit versions of Windows XP Professional, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008). This package includes both 32 and 64-Bit versions of Flash, and will install them in the following directories:

%systemroot%\System32\Macromed\Flash – 64 Bit version of Flash 11
%systemroot%\SysWOW64\Macromed\Flash – 32 Bit version of Flash 11

Now that we are managing both 32-Bit and 64-Bit clients we need to make some slight changes to our deployment. Refer to the following article on how to How to deploy software via Group Policy and apply the below notes to the instructions:

https://ivan.dretvic.com/2011/06/how-i-deploy-gpo-software-in-my-enviroment/

Installation Notes:

32-Bit install

  1. Package Adobe Flash 11 32-Bit version as you normally would using your existing Adobe Flash Group Policy.
  2. On the General Tab make sure you change the name to contain ’32-Bit’ so you can distinguish it.
  3. You want this version to update all prior versions.
  4. Do not deploy this version to 64-Bit machines. This is because the 64-Bit package already contains the 32-Bit files. Set the following:
    Deployment Tab -> Advanced -> Uncheck ‘Make this 32-bit x86 application available to Win64 machines’

64-Bit install

  1. Package Adobe Flash 11 64-Bit version in the existing Adobe Flash Group Policy.
  2. On the General Tab make sure you change the name to contain ’64-Bit’ so you can distinguish it.
  3. This package must NOT update any prior versions. Remove all entries under the Upgrades tab
  4. In future versions of Adobe Flash 11, you must make sure you do not upgrade the latest 32-Bit version with the new 64-Bit version.

How to disable Adobe Flash AutoUpdate Using Group Policy Preferences

Although you cant change the MSI package to globally manage and configure (including prevention of Automatic Updates) you can use another method that Adobe have provided. What you need to do is place a configuration file that tells Adobe Flash to disable automatic updates.

There are user settings and computer settings. The user settings are set either within the browser or through the Windows Control Panel. The computer settings are set through the mms.cfg file.

The mms.cfg configuration override the user configurations. In Adobe Flash 10 Control Panel settings the mms.cfg file did not ‘grey out’ the Updates section on the Advanced tab however none of the settings would apply. This is meant to be resolved within Adobe Flash 11 however there have been some reported issues where this is not the case. Either way with the file in place, it will take precedence over user settings so you can manage your environment with this file.

The details  about the mms.cfg file are below:

Item

Details

Filename

mms.cfg

Encoding

UTF-8 or UTF-16
Reference: Flash Player 10 Admin Guide – Page 61

Contents

AutoUpdateDisable=1

Reference:  More customisation options (23 different options under version 10) are available in the Flash Player 10 Admin Guide – Page 61

Flash 32-Bit

Windows XP/Vista/7/2003 32-Bit

%systemroot%\System32\Macromed\Flash

Flash 32-Bit

Windows XP/Vista/7/2003/2008 64-Bit

%systemroot%\SysWOW64\Macromed\Flash

Flash 64-Bit

Windows XP/Vista/7/2003/2008 64-Bit

%systemroot%\System32\Macromed\Flash

Configure Flash Player auto-update notification

Does not include the 64-Bit file locations. Also appears to be incorrect on the 64-Bit operating system file location for 32-Bit installs.

Screenshot of file on a Windows 7 32-Bit machine:

As you can see its a simple 1 liner cfg file that needs to be created\copied in the corresponding folder to disable automatic updates. What I do is actually copy a file (that I have copied over to the GPO location eg. \\Domain.local\DFS\Install\AdobeFlash\mms.cfg) to the correct folder.

To do this copy process I use Group Policy Preferences. I used to only copy the file depending on the architecture type however I have since changed my ways. I now copy the files to the folder if the folder ‘Flash’ exists in any of the locations it looks at. Even if for some reason its copying files when Flash is not installed for that version I cant see the 1kb file hurting to just sit there. Here are the specific details:

STEPS – Flash 11 32Bit ONLY:

  1. Open you Adobe Flash Group Policy object. Expand Computer Configuration -> Preferences -> Windows Settings -> Files
  2. Right click -> New -> File
  3. On the General tab set:
    1. Action = Create
    2. Source file(s) = \\Domain.local\DFS\Install\AdobeFlash\mms.cfg (example)
    3. Destination = %WindowsDir%\System32\Macromed\Flash\mms.cfg
    4. Attributes = Archive
  4. On the Common tab set:
    1. Apply once and do not reapply = Ticked
      You can untick this if you need to change some configuration settings, then tick it after a period of time to improve logon performance.
    2. Item-level targeting = ticked
    3. Item-Level targeting conditions:
      Folder does exist = %WindowsDir%\System32\Macromed\Flash
    4. Description = “mms.cfg deployment to native OS”

STEPS – Flash 11 64Bit:

For Flash 11 on 64 Bit you need to deploy 2 files, because it installs 2 versions of the same flash, to support both 32 and 64-Bit.

FILE 1:

  1. Open you Adobe Flash Group Policy object. Expand Computer Configuration -> Preferences -> Windows Settings -> Files
  2. Right click -> New -> File
  3. On the General tab set:
    1. Action = Create
    2. Source file(s) = \\Domain.local\DFS\Install\AdobeFlash\mms.cfg (example)
    3. Destination = %WindowsDir%\System32\Macromed\Flash\mms.cfg
    4. Attributes = Archive
  4. On the Common tab set:
    1. Apply once and do not reapply = Ticked
      You can untick this if you need to change some configuration settings, then tick it after a period of time to improve logon performance.
    2. Item-level targeting = ticked
    3. Item-Level targeting conditions:
      Folder does exist = %WindowsDir%\System32\Macromed\Flash
    4. Description = “mms.cfg deployment to native OS”

FILE 2:

  1. Open you Adobe Flash Group Policy object. Expand Computer Configuration -> Preferences -> Windows Settings -> Files
  2. Right click -> New -> File
  3. On the General tab set:
    1. Action = Create
    2. Source file(s) = \\Domain.local\DFS\Install\AdobeFlash\mms.cfg (example)
    3. Destination = %WindowsDir%\SysWOW64\Macromed\Flash\mms.cfg
      Note the difference for 32Bit Flash to 64Bit OS version.
    4. Attributes = Archive
  4. On the Common tab set:
    1. Apply once and do not reapply = Ticked
      You can untick this if you need to change some configuration settings, then tick it after a period of time to improve logon performance.
    2. Item-level targeting = ticked
    3. Item-Level targeting conditions:
      Folder does exist – %WindowsDir%\SysWOW64\Macromed\Flash
      Description = “mms.cfg deployment to 64-Bit architecture for 32-Bit Flash”

The final view should look somehting like this:

Important Links

About Flash Player:
http://www.adobe.com/software/flash/about/
This link tells you the exact version you are currently running, along with the most recent version available for download.

Flash Uninstall Utility info:
http://kb2.adobe.com/cps/141/tn_14157.html
I have found that this still leaves old installer info in the registry on some machines. This obsolete data can cause errors with installing the new Flash.

Flash Uninstall Utility download:
32-Bit – http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player_32bit.exe
64-Bit – http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player_64bit.exe

AppDeploy Package Deployment info
http://www.appdeploy.com/packages/detail.asp?id=1382

Adobe Flash Player Administration Guide for Flash Player 10
http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html
Contains detailed information on mms.cfg configuration options.

Adobe Flash player distribution license
http://www.adobe.com/products/players/fpsh_distribution1.html

Adobe link for Enterprise deployment
http://www.adobe.com/devnet/flashplayer/enterprise_deployment.html
Did not find a lot of this information useful however its an official resource.

%WindowsDir%

IT Administration | Configure Flash Player auto-update notification
http://kb2.adobe.com/cps/167/16701594.html
There is incorrect information on this page referring to the location of  Windows 64-bit files. Through my testing it appears to be %WindowsDir%\SysWOW64\Macromed\Flash instead of %WindowsDir%\SysWOW64

Automatic updates management in Flash Player 11
http://forums.adobe.com/message/3980758

Feedback

If there is anything that needs more clarification/further explanation please leave a comment. Through your comments I can try and make this article as complete as possible.

58 thoughts on “Adobe Flash 11 Deployment via GPO”

  1. Hi Ivan,
    I installed Flash Player 11.7 with GPO , and is working fine but the only problem is at W7 after each reboot is showing that the Adobe Flash Player 11.7 is installing. How can avoid this ?
    Thanks,
    F

    • Hi Fatoni,
      Is this still happening? you may get a prompt from Adobe when its the first minor release, i.e. first version of 11.7.x.x but the prompt should only occur once. If you are still getting the prompt on startup every time, on all machines let me know, but thats very strange.
      Ivan

  2. Hi Ivan

    Great write up and kudos to you replying to every ones posts.
    I wonder whether you might be able to assist with an issue I have had.

    I have managed to deploy Flash to a group of machines via GPO as a test roll out. I’ve copied the mms.cfg file to their machines via GPO also.

    However the users are still being prompted to update their Flash.
    Shouldn’t the mms.cfg file stop the prompt ?

    Workstations are mainly Win 7 64Bit
    Users aren’t local admins and UAC is enabled at level 1 or 2.

    Thanks

    • Hi F17th,
      If you configure the mms.cfg file correctly it will definitely work. Couple of things to configure:

      • make sure that the mms.cfg is in the correct location. Keep in mind that X64 machines location may be confusing. Double check it.
      • If having problems, try saving the file as UTF-8 format. It documented that it may be a problem, Notepad++ lets you do this easily.
      • When deploying a new major version of Flash, (11.5, 11.6 etc) Adobe decided to not deploy it silently, and instead present the user with a window for 30 days from the release date. The only documented page I could find is a post by Adobe staff member Chris Campbell (http://forums.adobe.com/message/4379612 – second last post). This may be what was occuring and confused you – got me the first time too.

      If you are still having issues please let me know.
      Cheers,
      Ivan

  3. Great instructions. Sadly I ran into a little snag. I registered with Adobe to distribute Flash player but when I click the link in the email and then on the .msi flash player download in the windows section it only downloads the 32bit version. Even downloading the .exe and trying to extract from the .exe failed.The version I’m downloading is the latest 11.6.602.171. I’m just wondering how you got to down load both the 32 bit and 64 bit versions.

    Best regards
    Silke

    • Hi Silke,
      Since Flash 11.3 Adobe have combined both 32bit and 64bit versions in the same installer. Sorry but I am not able to find the Adobe article that documents this. If you do find it please send it through.
      Regards,
      Ivan

    • Hi James,
      Sorry for editing your post but posting of that URL is against the Terms and Conditions from Adobe. I know the link and I access it directly now that I have agreed to the Terms and Conditions.
      The URL is easily found online with a search, but filling out a form one is not difficult and helps adobe better understand how many companies/systems deploy Adobe Flash using the MSI. Hopefully the more of us that do it the more priority they will give to resolving other issues with their product (from a deployment perspective)
      Kind Regards,
      Ivan

  4. Hi everyone,
    I’ve got a problem to deploy Flash Player with GPO from WinServer 2k8, and so a config file which have to automatically update flash from a local server every months.
    Here is my issue :
    I uninstall properly Flash Player 11.3 (*), to start from scratch and test my whole computer GPO, but the software is not deployed again, I have to install it manually.
    I don’t get it, because a gpresult /r says that it is applied, i tried both install the .msi with “Software Parameter > New > Package ” or with a startup script using msiexec /i file.msi /qn.
    And in every cases, rsop.msc show me an error to the deploy of the .msi, but there is a void log, except the date.
    i tried both computer and user strategy, and the file is allowed to be accessed.

    (*) : 1- Using the uninstaller of adobe for flash player
    2- Deleting registry keys bounded with Flash with a trusted software
    3- Deleting content of the directories %Systemroot%\SysWOW64\… etc etc.
    4 – i’m getting mad !

    And while I am there, I will add the content of my mms.cfg :
    AutoUpdateDisable=0
    SilentAutoUpdateEnable=1
    SilentAutoUpdateVerboseLogging=1
    SilentAutoUpdateServerDomain=10.0.0.5
    AutoUpdateInstallerUrl=flash_update/install_flash_player_plugin_latest_version.msi
    AutoUpdateInterval=30
    AutoUpdateVersionUrl=10.0.0.5/flash_update/latest_version_flash.xml

    (I will do a script later that find the latest version on Adobe servers.)

    Thanks a lot on advance, and even thanks for reading this !
    Best regards,
    Alex

    • Hi Alex,

      The thing that comes to mind is that the registry thinks that the software has been deployed already and wont. You need to clear out the registry key associated to that software for it to work. (i have an article on GPO deployments that covers this)
      Secondly it also seems as though you might have the good old Adobe Flash player problem where you get a random error code – The best thing i have found to fix individual clients is Microsoft Fix It. It detected and cleaned out the problem keys so it could install the software completely. I did go through and write up a list of registry entries that need to be cleared out but cant seem to find it.
      Thirdly, if you want to prevent problems don’t deploy software per user – it leads to more problems than what its worth. Use computer deployments, even for testing.
      Try and install the software manually, using the below command:
      msiexec /i file.msi /qn /l*v “%temp%\Install_AdobeFlash.log”
      You will see if there are any problems during the install.
      Lastly for the mms.cfg, use group policy preferences to deploy the file. I have an article dedicated on that one too.

      Cheers,
      Ivan

  5. Once you deploy Adobe Flash in Group Policy,you will want to manage it using group policy but you can’t because Adobe Flash has no native Group Policy support with ADM or ADMX files to control these key settings as its settings aren’t stored in the Windows registry – they’re stored in a file.

    There is a solution that integrates Adobe Flash and Group Policy called PolicyPak. It is a group policy based desktop management system that delivers and locks down application settings using Group Policy Administrator or SCCM for that matter. You can even use it in two free modes, trial mode or community mode to try it out and see if it works for you. Go here for more information on it

    http://www.policypak.com/products/manage-flash-player-using-group-policy.html

    • Hi Brad,
      Appreciate your comment regarding PolicyPak however in my opinion PolicyPak is overkill for a product like Adobe Flash. An mms.cfg file is more than adequate to force those settings, and applying them via Group Policy (https://ivan.dretvic.com/2012/05/how-to-deploy-mms-cfg-config-file-to-your-adobe-flash-player-clients/) is all that is needed. If your users have local admin rights to change the settings – well Flash is the least of your worries.

      Your product is a nice successor to Desktop Standards (if anyone remembers them) and really provides extended capabilities for third party products however it requires client side extensions (not favourable) and is not a free product (understandable) which can be tough at times to justify the purchase of. Lastly for the task at hand with Adobe Flash, its not necessary.

      Kind Regards,
      Ivan

  6. Don’t know if i’m wrong… but while preparing everything to deploy flash 11.4.4, i noticed the adobe let me download only a single msi – not two as previously, for 32 and 64 bit versions.
    Is it normal?

  7. Tried changing the permissions of the Flash 10 package and removing Authenticated users. Problem is, when my computer rebooted, it displayed the message “Installing Flash 10” for at least 20 minutes. I thought it would eventually timeout, but I had to give up and get on the server and change the permissions back, then reboot my box so I could at least log in.

    And now, it won’t install Flash 10 because of the “not marked” error. I’ll email you the .reg file I’m using, and I’ll also check the AppMgmt key in the registry (though I’ve never reployed this GPO).

  8. Hey Ivan,
    AWESOME site. Anyways, I’m having a problem with deploying Flash 11 on a 64-bit 7 machine. I had the “InstallAX.exe is not marked…..” error and so I’ve deployed a shutdown script to remove all offending registry entries. It removes them, but upon reboot, for some reason, the Flash 10 installer is running, entering those registry entries, and therefore causing the Flash 11 install to fail. I’ve run the “Group Policy Results” wizard on my domain and it shows both (Flash 10 and Flash 11 64) being assigned. My question is, why is GP trying to push Flash 10 when I’ve already told it that the Flash 11 32 MSI upgrades it? Many thanks.

    • Hi Phil,
      Glad you like it here.
      1. I had the “InstallAX.exe is not marked…..” error and so I’ve deployed a shutdown script to remove all offending registry entries….
      Please email me (ivan-A-T-dretvic.com) the reg keys and script/steps you have done. I am writing a ‘Troubleshoot Adobe Install’ blog and would love as much detail as possible. Note i have been collecting all the problem REG keys for some time now so will be interesting to see what you have. (all credit will be passed where due 🙂 )
      2. upon reboot, for some reason, the Flash 10 installer is running, entering those registry entries, and therefore causing the Flash 11 install to fail…
      Do you have multiple entries in your registry under:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
      I have seen this when:
      a. packages are redeployed via GPMC
      b. packages are deleted from the GPO but clients still have them in the registry
      c. inconsistency with GPO order – there is an app (and i will write an article on its use soon) which will allow you to move the installation order of packages with a single GPO. 🙂

      Couple of things you could try is deleting the culprit GUID key on your shut-down script, changing the order of the GPO installs, or probably the easiest would be to change the permissions of the Flash 10 package – remove authenticated users from the list and the client wont even try to install it.

      Please reply with what works. 🙂

  9. Hi Ivan

    As for your first response; The Adobe Flash Player Updater service (installed with Version 11.2.202.233 already) was still providing a window asking the user to update flash, was uninstalling if accepted by the user but then asking for admin credentials in order to install. But anyway, I don’t like the fact very much that flash player would update my whole enterprise automatically. Very uncomforting that! We know from experience that a foul flash player update can mess up entire systems.
    To response#2: It uninstalled perfectly on all systems! 😉 It just did not re-install within the same installer session, so we would have needed to re-deploy the application package again. However, re-deploying is not an option because we now always have some systems with, some without flash.
    What we have done now is that we have written a startup script, which first checks the version present on the client, and, if older, de-installs the old flash player and then install the new one. This works fine for us, it is just that we will have to modify the startup script every time we want to update. However, this is OK for me since I very much like to have exact control about when to update what on all our clients.

    What has occurred to me now is since we have disabled the auto update function with a customized mms.cfg file, the “Adobe Flash Player Updater” task is still present and enabled in our systems and seems to be running regularly. I would have expected it disabled once the value “AutoUpdateDisable=1” is set in the mms.cfg! So is it now auto-updating or not???
    And to anticipate your question: Yes, I have checked within the control panel settings for flash that the “Never Check for Updates” option is really checked and it is even greyed out.

    Again, thanks for sharing your thoughts; this exchange is inspiring!

    Best
    Daniel

    • Hi Daniel,
      #1:The Automatic updating is really not that bad. Remember you can determine yourself when you want it to go to the masses. You have two groups – one that you test with, and deploy the updates to it for testing. Once you are happy you can run my script on the web server, it will update the files and within a few hours all your clients will automatically update.
      #2:I do not recommend updating the MSI and redeploying the package. My recomendation is to add new packages to upgrade existing ones. The way my article is written. This method assures correct deployment (in most cases), granular control for testing new applications and ability to manage multiple version in the enterprise (if needed).
      The script is good to keep it clean but from there it becomes hard to manage.

      The mms.cfg file is read every time the update scheduled task runs (which runs FlashPlayerUpdateService.exe). Every time you update Flash it will recreate the scheduled task.
      When the Flash utility is open (via control panel) it will grey out the settings if the mms.cfg is present (and you are not a local administrator). If you are a local administrator the correct setting will display buy you could modify it.
      Hope that helps,
      ivan

  10. Hi Ivan

    Thank you for constantly updating us with the newest developments of that issue. Very helpful indeed!
    We have deployed Adobe Flash Version 11.2.202.233 (install_flash_player_11_active_x_64bit.msi) via AD Computer GPO, which worked very well so far. We right now want to update our installations with the Version 11.2.202.235 by just redeploying it with our existing AD GPO (right click on the package and click “Redeploy Application).
    What happens now is that once the deployment runs on the computers, the msi uninstalls the old version of flash but does not install the new one, so that in the end, we are having our computers without flash player at all. Very annoying that!
    Do you have an idea why flash is not re-installing correctly?

    Best
    Daniel

    • Hi Daniel,
      Interesting symptoms you are having there. Ill break this response into two sections:
      1. You should have waited for my new article on deploying Adobe Flash in the enterprise. It explains how to take advantage of the Flash auto-update system which, even though it looks confusing it is really straight forward. Please look at my new article https://ivan.dretvic.com//2012/05/deploying-adobe-flash-player-11-2-with-auto-updating-in-an-enterprise/ and let me know what you think.
      2. Your problem still needs to be fixed. Without looking myself it is hard but i suspect that the uninstall may not have successfully worked. My steps would be in this order:
      2.1. Check application event logs. If GPO is trying to install and it fails, it will be in here. Investigate what it says.
      2.2. If event logs dont hold much info, try deleting the regkey from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\{GUID} where GUID is the one referring to your Flash install. This will initiate the client install on that machine. If that fixes it for 2-3 machines, then all you need to do is Redeploy the package from within GPO.
      2.3. Check the Flashinstall.log file. This may give some more clues to fixing it.
      2.4. Run the setup manually to see if it works. This will almost definitely produce event logs – investigate them.
      2.5. If its only a handful of clients, and they are now going nowhere, try going to Microsoft Support and download Mr Fix It Portable. This is surprisingly excellent and has resolved every Flash Installation issue I have had to throw at it. I’m talking about clients that have not been updating since version 8!!! (i need to thank my colleague for that one)

      Hope that helps,
      Ivan

  11. When I deploy the mms.cfg, all it does it gray out the updates section, under Advanced. The Check for Updates is still ticked. Does the section being grayed out mean Auto Updates are disabled, even though check for updates is ticked?

    • Hi Carl,

      Up to version 11.1.102.63 I can safely say that is correct. The updates should not go through with the mms.cfg file.

      Note: Settings in mms.cfg override the users settings and users cannot change it through Settings Manager. Settings Manager, as viewed by the user, doesn’t reflect configuration settings set by mms.cfg.
      http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html

      The most current version, 11.2.202.228 is a new variant of Flash that includes an auto-updating mechanism. This is very interesting to me as I am hoping it updated based on user context that does not require admin rights. If that is the case it means we can safely reduce the need to package every latest version. I cant give more information as I’m waiting for the first version to be released so I can test the update process.
      I will be creating a new post on that version of Flash.
      Regards,
      Ivan

  12. Hi Ivan,
    Great tutorial indeed!
    I’ve came across this link when documenting to setup up properly our deployment GPO:
    http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html
    and found this interesting setting: SilentAutoUpdateEnable
    If set to 0 allegedly allows player background update. I’m testing it right now, but won’t know if it works until next flash release.
    Any thoughts?

    Thank you

    Cheers

    • Hi Makeijan,
      I too have eagerly been waiting for the first updating release to test. This would mean that hopefully we need to update less frequently.
      The only way to be sure, and to test thoroughly would be with the first update release which is why i cant be certain it will work as they say it will (especially with Enterprise Group Policies).

      I will be writing a new article specifically on this once I get more information.
      Regards,
      Ivan

  13. This was a really great article. Very easy to follow. Thank you!

    I had a question about the 64-bit installs. We have a mix of 64 and 32-bit machines. I put the x64 and x32 package in my Flash GPO, and the only problem I see is that on the x64 machines, only the x64 version of flash gets installed. I thought the x64 bit msi installed both x32 and x64? What did I do wrong?

    • Hi Micah,
      Sorry for the late reply – been busy with work.
      When installing the 64bit version of the MSI, it will install both versions to their respective browsers, however it should only display the one entry in Add/Remove Programs.
      I recommend loading http://www.adobe.com/software/flash/about/ on both browsers. You should see the version number on the page when its loaded. If they both display a version number then it has successfully installed on both versions. If you still have me problems please give me more information as to what is happening.
      Cheers,
      Ivan

  14. I am so frustrated with installing Flash with GPO. I dont know what else to try to get it to work. I’m using Flash 11 32bit version and users still have version 10 installed, if I do rsop.msc it still shows version 10 on the precedence tab. I know for SURE that the GPO is setup correctly. I’ve pushed out GPO installs many times and they all work fine but with this Flash 11 it just wont push out.
    If the 64bit of flash contains the 32bit files why cant we just use the 64bit for everyon ein my environment since we have windows xp and windows 7?

    • Hi Tolinrome,

      Sorry for the delayed reply – I have been sick this week.

      Firstly i understand the frustration you are experiencing – i think we all have at one stage with GPO. Looking into your actual problem a bit deeper i would need more information.
      1. Can you check the security tab of the actual software deployment and make sure the computer accounts (or authenticated users) is in there with read access?
      2. Can you check the security of the entire GPO and make sure the appropriate computer accounts (or authenticated users) are set correctly?
      3. validate that the OU the GPO is in is actually correct (the computers OU).

      Feel free to save the reports of the GPO’s and the RSOP data and im happy to have a look into it for you (offline).

      The 64bit installer will only install on 64bit OS’s and this is by design. It is a limitation with MSI’s (from what i am lead to believe). That is why you generally have 2 MSI’s and setup.exe with software bundles. The setup.exe detects the OS type and executes the appropriate MSI. Asside from the annoyance of packaging both MSI’s everything else should work well.

      Last question is what is the client telling you about the MSI trying to install? Do the logs provide a sign as to why it fails?

      Regards,
      Ivan

  15. The Flash Uninstaller link is a bit dated. A more accurate link should probably point to this kb article: http://kb2.adobe.com/cps/141/tn_14157.html#main_Download_the_Adobe_Flash_Player_uninstaller

    Thank you for a clear guide on how it is supposed to work. The problem is that when things go wrong, Flash can be rather stubborn to get uninstalled (more than negating the point of using GPOs).

    I have a W7 x64 computer that keeps trying to install Flash 10.x and reporting the “‘xxx’ is not marked for installation.” error. And it also does it for Flash 11. It’s not even in the groups for these GPOs anymore, but just keeps trying. And can’t install them manually either. I’ve tried the uninstaller and removing registry keys, but it just keeps doing the same. It is too frustrating for something that should be simple and reliable. Is Adobe doing something too risky? Or is it that the whole GPO/MSI is just too fragile and easy to break. Heck, MS itself stopped using it for Office.

    • Links updated – thanks for that.

      It sounds like you are having a GP install problem with a single machine. This can happen when the GPO install does not complete and the client may get into a loop. Generally caused by the MSI wanting to do a self healing installation step. I would recommend trying the following:

      1. Run GPUPDATE /FORCE on the client and reboot (suspect you have done that already)
      2. backup and delete all related GUIDs from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
      3. look into the event logs of the client for more clues
      4. GPRESULT to see what is actually being applied on the client
      5. install Flash 11 manually, then uninstall manually. Let GPO try and install the client automatically after that.

      Adobe MSI is quite complex and I along with may others still wonder why they have make it so complex. GPO as a solution is only as good as its packages (i.e. the msi’s created).
      Microsoft Office is a beast of an application with over 15 years worth of constant development, and is also the most complex application in the world – Excel. Deploying it via GPO just doesn’t make sense any more, although I believe you can still do it.

      Hope that helps,
      Ivan

  16. Ivan,

    Love the post, I am deploying the mms.cfg now after I have been deploying flash via GPO since 10.1 . The only issue I have is that in the write up (which is awesome) the environment variable is listed as “%WindowsDir%” it should be “%WinDir” (no quotes).

    • Hi COnley,
      Thank you for your comment. Appreciated and glad it helped.

      Regarding the syntax what I originally entered is correct, and in fact the preferred syntax to use in Group Policy Preferences. Although Group Policy Preferences (GPP) does use the system variables of each client machine the GPP has its own set of variables that they prefer you use. From memory it had something to do with both performance and error handling. The list of syntax used within GPP can be found here:
      http://technet.microsoft.com/en-us/library/cc753915.aspx

      So in summary, %WindowsDir% is a GPP environment variable and %windir$ is a Windows variable. They both redirect to the active Windows directory.

      Hope that helps,
      Ivan

      • I appreciate the education RE the GPO environment variables (Why in the world would MS usual 2 different ENV VARs? (I understand about the performance and error handling – but really!! lol)).

        • You are welcome.
          Although it seems inappropriate to create yet another standard for variables I understand the reason Microsoft did what they did. The environment variables are generated using different methods (and at a different time) and thus can produce different results depending on the situation. I cant find the document that details this but it said that there were situations where one vas more beneficial to use than the other.

          I personally use GPP variables and have had no problems with them so far.
          Cheers,
          Ivan

    • Hi Gerard,

      This is an annoying task that means you have to run both an MSI package and a startup script to execute both. There is no logic in the uninstall to not remove the current version so that will have to be added yourself.

      The flow of this process would be:
      1. startup script and package deployed to machine
      2. if gpupdate processed before the reboot , it will try and install the package, otherwise only the startup script will run
      3. if the msi tries to install it will it may be successful in removing old settings
      4. the script will run – the script should do an error check in it to check if the latest version of Flash is installed. If so it should not run the uninstall. This check can be as simple as making sure the correct version number of the flash ocx file in c:\windows\system32\macromed\flash location.
      5. Flash may be installed and the user is happy. Otherwise Flash may not have installed due to group policy, but the uninstall did run – this means that the PC is without flash. This is where you remotely run GPUPDATE/FORCE on their machine and get them to reboot (while plugged into the network).
      The last scenario is that the msi tried to install but failed due to old Flash files/registry being present. In this scenario you will need to remove a particular registry key from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt so that the software can be redeployed.

      The above is quite cumbersome and messy. A software deployment solution works much better, or scripting the uninstall and install of the current version in a batch file would also give you more consistent results. I hope this has given you a better insight into how to deal with this problem.

      Regards,
      ivan

  17. I successfully deployed and upgraded flash player 11 but the mms.cfg file did not get copied to the directory. How do you get Windows XP to copy a file using GPO. I setup the GPO on a Windows 7 computer because I couldn’t find the option to create the mms.cfg when editing the GPO from an XP machine. Does that functionality even work in XP?

    • Hi Evan,
      I’m glad the group policy deployment is working well. As for the other problem (file copy of mms.cfg to client) this is done using Group Policy Preferences (GPP). It is a new feature introduced to Windows Server 2008 (after Microsoft purchased a company called DesktopStandards and embedded their product).

      To get this new functionality on the older Windows XP machines you will need to install a separate package – which of course can be deployed via Group Policy. This package can be found here:
      http://www.microsoft.com/download/en/details.aspx?id=3628
      Once all your clients get this package installed, you will be able to apply all the GPP settings on Windows XP, Vista, 7 and Windows 2008 machines.

      If you have further problems please don’t hesitate to contact me.
      Regards,
      Ivan

  18. I trying to deploy flash player through GPO, but it gives the following error on client computer:

    The install of application Adobe Flash Player 11 ActiveX from policy Flash 11.1.102.55 IE x32 failed. The error was : %%1612

    Can anyone tell me how to resolve this?

    Thanks
    Arif

    • Hi Arif,
      That is a problem i have seen several times. The resolution is to actually remove old registry keys that were left from older versions of Flash installation.

      Here are the steps:
      1. Run Regedit.exe
      2. Navigate to HKEY_CLASSES_ROOT\Installer\Products
      3. There will be Products keys with GUID values. Go through these and only delete the keys (The long HEX numbers) associated with Adobe Flash. You can verify each key by looking at the ProductName values.
      This will, of course, delete all the values under it, so be sure you are deleting the right keys.
      5. Close Regedit
      6. Re-install.

      If that resolved the problem for one of your clients, you can then run a modified script that will resolve this problem for you, on mass.
      (Source)

      Ivan

  19. Thanks for the excellent blog Ivan. This is about the clearest set of instructions for Flash and GPOs that I have come across. I had worked out most of this before finding your site and have the issue that when I unlink the GPO for flash, flash does not uninstall. I do have the GPO configured to uninstall when out of scope.

    Have you run into any issues with having flash uninstall when you unlink the GPO from an OU?

    • Hi Merlin,
      Thank you for your comments. Regarding your question about uninstalling Flash, I need you to check something
      Do the clients have event log entries where Group Policy tried to initiate an uninstall? If so the problem is with the flash uninstallation, it is common for Flash to cause these problems. The main issue i have encountered is that you have the remains of old Flash installations on the PC, and the install is failing because of this. I will see if I can dig up a good article that goes over this.
      I personally don’t ever uninstall out of scope app’s as I have never needed to do it widespread. My second question is why are you uninstalling it for some machines, as opposed to installing the latest version?
      Regards,
      Ivan

  20. Hi Ivan!

    I’m starting the deployment of flash 11, but i’m still confused.
    I assigned flash 10.3 as you explained in your old article, but now to deploy F11 what should i do?
    A new package ina new policy? The F10.3 package should be revoked?
    Thanks in advance for your kind help.

    • Hi Enrico,

      Follow the steps below to package Flash 11. NOTE: I am going to assume you do NOT have any 64-bit operating systems in your environment as yet.

      1. Open you Flash Group Policy, where you have Flash 10.3 deployed.
      2. Expand Computer Configuration -> Policies -> Software Settings -> Software Installation. Right click on Software Installation -> New -> Package…
      3. Select the location of where you have your software. I personally keep my software in a DFS share, that is replicated to all my sites. This way the software does not drag data over the network for every install)
      4. Select Advanced and click ok
      5. GENERAL TAB – Change Name to Spay Adobe Flash Player 11 ActiveX – COMPANYNAME. This ensured that you know easily that its your version that was deployed to the PC by checking Add Remove Programs.
      6. DEPLOYMENT TAB – Advanced… – UnCheck “Make this 32-bit X86 application available to Win64 machines. We do this so that it only installs to your 32BIT Operating Systems. If you have 64-Bit operating systems we will deploy a different package.
      7. UPGRADES TAB – Add ALL Previous packages to upgrade because this is the latest version. If its already populated then leave it as is. Note if you manually add them it will give you an option to specify if you uninstall or upgrade the old package. I recommend uninstalling.
      8. SECURITY TAB – Click Advanced -> uncheck Include inheritable Permissions. Click Add. Click OK. Under the list of user names\Groups, select “Authenticated Users” and click remove.
      Now select Add… and add the COMPUTER NAMES that you want to test this application deployment.

      Now you are done. Do your testing on a handful of applications. When you are satisfied you need to do the following to push it out to all your clients.
      NOTE: Once you are satisfied with the testing, go back into this Package, go tho the SECURITY TAB, Remove your manually added computers. Then click on Advanced and tick Include Inheritable permissions from this objects parents. This will mean that the package will be available to all domain PC’s (in the OU’s that your GPO is assigned to).

      Hope that helps clarify it better. Please let me know if you require more info.

      Kind Regards,
      Ivan

  21. Hey, thanks for the blog. A lot of your posts are super helpful, and for the first time I actually understood how to apply and upgrade deployed software via GPO.

    I’ve started testing our GPO upgrade from previous versions of Flash to Flash 11 with 32- and 64-bit deployments like you showed. Unfortunately, with a number of computers, we’re getting an error in the Application logs:

    Product: Adobe Flash Player 10 ActiveX — Error 2753.The File ‘InstallAX.exe’ is not marked for installation.

    Google has been less than helpful, short of a regedit to remove the GUID keys (http://faultbucket.ca/2010/12/adobe-flash-gpo-deploy-error-installax-exe/). We can use the Windows Installer Cleanup Utility to remove Flash 10 ActiveX and the GPO will deploy on reboot, but I’m obviously loathe to have to install and run that on every desktop we have. I was hoping you might have a slightly more elegant solution.

    • Hi Rick,
      Thank you for your comments.
      Regarding your problem, I was contemplating writing an article about it however I didn’t have enough trouble clients to test my solution.

      The article you have found is the best one of its kind that I stumbled on so far, however I have found more registry keys to remove. I will try and dig them up later on.

      How I recommend to deploy solution:
      Option 1. Change the script to only uninstall Flash, and use GPO to install the new Flash. This is problematic because start-up Scripts run after GPO software installations, so you would have to run it as a shut-down script which comes with its own problems.
      Option 2. Package the removal of the files/folders/registry keys associated to Flash Installation into an MSI and run that before the install of the latest Flash Player. (there is a util to change the order in which Packages within a GPO are installed) The problem you have with this method is the time to get the package right and getting it to work in the correct sequence (without destroying the latest installed Flash11 – if its there)
      Option 3. Run a simple startup/shutdown script to delete the culprit registry keys for all machines, and if a user has issues with Flash, a second reboot should then allow the successful install of Flash 11 (because the culprit keys are missing).

      All in all there is not real easy way to resolve this (unless Adobe internally decided to tackle this problem and release a package that removes the keys in their pre-flight checks).

      I hope that helps,
      Ivan

  22. Great thanks. Another question, so if a 64bit pc had flash 10.3 assigned then went out and upgraded to flash 11 on their own that should be the 64bit version (which also contains the 32 bit version) and i should’t have any problems with assigning the new flash 11 to them in this guide?

    • Hi Justin,
      Thats a great question you have there. I should have covered it in my article – thanks for bringing it up.

      In my testing which was considerably limited due to the number of 64-bit machines available to me I came to the following conclusions:
      * Installing Flash 11 over Flash 10 on a 64-Bit version will automatically upgrade the 32-bit install.
      * you dont have to include the 32-Bit upgrades in the GPO because it will automatically upgrade it when it installs the 64-Bit version. That means that when you package your Flash11 (for 32-Bit OS) you need to upgrade your old flash installs (you can still use the same GPO). When you package Flash11 (for 64-Bit OS) you don’t need to upgrade older packages, but you can still use the original GPO to deploy it.

      Hope that clears it up.
      Ivan

  23. So in my existing gpo for flash deployment, create an upgrade package for 32bit clients and a new package for 64bit? I dont need to create a new gpo for 64bit? will 32 bit machines not try (and fail) to install the 64bit version?

    Thanks,

    • Hi Justin,
      Yes you create and package both 32 and 64 bit packages in the same Group Policy Object.
      Group policy is intelligent enough to determine the platform of each package when it is added to a GPO. You can easily see what platform each package is by looking at the General tab of the package properties dialog.
      Group Policy knows the following:
      * 32 Bit can be installed on 32 bit platform
      * 32 Bit can be installed on 64 bit platform (provided you check “Make this 32-bit X86 application available to Win64 machines under package properties -> Deployment -> Advanced… -> Advanced Deployment Options section)
      * 64 Bit cannot be installed on 32 bit platform

      Hope that clarifies your query. Any more questions please feel free to ask.
      Ivan

Leave a Reply to Ivan DretvicCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

QR Code Business Card
%d bloggers like this: