Deploying Adobe Flash Player 11.2 with auto-updating in an enterprise

Adobe have come to the mercy of IT administrators by introducing an auto updating feature for Flash Player. This is excellent news but now we need to get it to work in the real world

With the below configuration the end device should be able to automatically update without granting users extra permissions. The service can automatically update the files without user intervention and even if a browser window is open, it will update as soon as the browser is closed.

How does it work?

A simple breakdown of how the new auto-updating system works is:

  1. Install Adobe Flash 11.2.x on a PC – this version contains the logic for the auto-updater.
  2. The install process creates a Scheduled Task that executes daily and checks for an update. This task is run as the SYSTEM account.
  3. If a new update is found, it downloads it, uninstalls the old version and installs the new version.
    If the PC is not online at the time of running the scheduled task, it will run every hour for 24 hours until it gets internet access.
  4. If a browser is open at the time – the old version of Flash is used, and when the browser is reopened it will load the new browser plug-in.

More detailed information:

  • The Scheduled Task has the following properties:
    • Task name is ‘Adobe Flash Player Updater’
    • Run as SYSTEM
    • Trigger = C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    • Schedule to run Daily – After triggered, will repeat every hour for 1 day until internet connectivity available
  • The installation creates a service with the following properties:
    • Service Name is ‘AdobeFlashPlayerUpdateSvc’ (Adobe Flash Player Update Service)
    • Manual startup
    • Runs as Local System Account
    • Path to execute = C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
  • A good resource to read the Overview of how the Background Updater works:
    Introducing Adobe Flash Player Background Updater for Windows

Problems in the enterprise

There are several problems at hand when it comes to the enterprise, some with a workaround but others that will hopefully be addressed with future updates.

Proxy server support

This has been asked for quite a bit on the forums. The underlying problem is that the SYSTEM account that is trying to access the internet does not know of proxy servers in your environment, in particular it does not know the proxy address or port number.
This configuration can be hard coded on a client using proxycfg.exe. The problem with this method is that if its a laptop that may connect to wifi outside the business, some internet access (where the system account is used) may not work.

My method of deploying Flash in the enterprise

There are several sections that we need to individually configure to get it all to work, and at the end they should all work together to give us the end result of auto-updating clients in the enterprise.

Deploying the client

Deploying the client in the enterprise is relatively straight forward and I have covered it in the a previous article:|

Adobe Flash 11 Deployment via GPO

A couple of points while deploying the client to help you:

  • Adobe Flash Player client needs to be version or higher to support the auto-updating feature
  • The GPO deployment can be an update to previous Flash versions

Pushing out mms.cfg configuration file to clients

Adobe provide specifications for an configuration file that configures Adobe Flash player. The user settings are set either within the browser or through the Windows Control Panel. The computer settings are set through the mms.cfg file. This configuration file overrides any user settings that are set in thefile and applies to the computer.

The details  about the mms.cfg file are below:

Item Details
Filename mms.cfg
Encoding UTF-8 or UTF-16
Reference: Flash Player 11.2 Admin Guide – Page 22
Contents AutoUpdateDisable=0
SilentAutoUpdateServerDomain=your.server.comReference:  More customisation options (28 different options under version 11.2) are available in the Flash Player 11.2 Admin Guide – Page 22
Windows 32-Bit %systemroot%\System32\Macromed\Flash
Windows 64-Bit %systemroot%\SysWOW64\Macromed\Flash

Screenshot of file on a Windows 7 32-Bit machine:

As you can see its a simple 3 liner cfg file that needs to be created\copied in the corresponding folder to force your desired configuration.

What I do is use Group Policy Preferences to copy a file from the network (I have saved to the GPO source location eg. \\Domain.local\DFS\Install\AdobeFlash\mms.cfg) to the client destination.

Note: I have attached a sample mms.cfg file which is included in the package at the bottom of this article.

Here is an article that specifically details how to deploy the files to your client computers:

How to deploy mms.cfg config file to your Adobe Flash Player clients?

Hosting Flash Update files internally (web server)

This part is required for any organisation who want to overcome the following scenarios:

  • Internal network gains internet access via Proxy Server – Computer system accounts are not aware of proxy server configurations
  • Bandwidth concerns – do not want hundreds/thousands of users from downloading the latest version of Flash on the same day (even if it is staggered)

What we will have at the end of this is an internal web server which hosts the files for your clients to access, a DNS entry with a common name to access the files, and a scheduled task which runs a script to download the latest files every day (directly from the Adobe download site).

At the bottom of this article is the source files for the script, and the exe tools required for it to work. You will need these tools before you begin this section:

  1. Download the source files from the bottom of this article called and extract the contents to a working directory. I extracted mine to C:\FlashUpdate but any similar location is suitable (avoid using the IIS published folder directory)

Build your web server (IIS in my case)

Don’t think this is doom and gloom – its pretty straight forward and does not require a lot of configuration. I have not concentrated on security as is hosted internally and not published to the internet.

Find a suitable server that you already have in your environment that does not use any web service (in

particular does not use port 80 or 443 for any communication). Note: Its not hard to migrate this to another server if you follow my steps again, install IIS using these steps:

  1. Click Start, point to Control Panel, and then click Add or Remove Programs.
  2. In Add or Remove Programs, click Add/Remove Windows Components.
  3. In the Windows Components Wizard, under Components, select Application Server.
  4. Click Next.
  5. After the wizard completes the installation, click Finish

Install SSL Certificate

An SSL certificate is required for this to work. I have an SSL certificate that I installed, and an internal CA would work well for this exercise. If you do not have an internal CA, or a means of attaining a valid certificate I recommend generating your own self-signed certificate. To do this use the following:

  1. Navigate to your working directory: c:\FlashUpdate from within command prompt
  2. Enter the following command to generate and register your new certificate:
    [code]selfssl.exe / /K:1024 /V:900 /S:1 /P:443 /T[/code]

    To break this down:

    • /T Adds the self-signed certificate to “Trusted Certificates” list. The local browser will trust the self-signed certificate if this flag is specified.
    • /N:cn Specifies the common name of the certificate. The computer name is used if not  specified.
    • /K:key size Specifies the key length. Default is 1024.
    • /V:validity days Specifies the validity of the certificate. Default is 7 days.
    • /S:site id       Specifies the id of the site. Default is 1 (Default Site).
    • /P:port          Specifies the SSL port. Default is 443.
  3. Navigate to and validate that a certificate is installed (even if not trusted by that machine

Configure DNS

  1. Configure DNS to point to a friendly name using a new CNAME record. I personally used which directed to my actual server

    Adding CNAME record in DNS
  2. Test the new URL internally. It should work straight away with a basic IIS config and will display a basic page like below:

    IIS Under Construction

Configuring the automatic downloads script

  1. Go to the source files you downloaded earlier.
  2. Edit the batch file (getflashupdate.bat) with appropriate details under the Configuration section only. I have provided adequate instructions within the script.
    Here is the script if you want to view it online:
    [code lang=”bat” collapse=”true”]@ECHO OFF
    REM ================== About Script ======================
    REM        Author:    Ivan Dretvic
    REM        Email:    [email protected]
    REM        URL:
    REM        Date:    09/05/2012
    REM        Ver:    1.0
    REM        REFERENCES:
    REM        -wget.exe used for fetching files from internet
    REM        -Bulk of this script was written by Tyrone Wyatt of
    REM             Thank you for saving me from writing the script.
    REM         -All Adobe information in this script was attained from the Flash Player Administrators Guide
    REM ======================================================

    REM ================= Script Config ======================
    REM         Used to identify script name within the rest of script. Useful if using multiple instances of script for different sites in organisation.
    REM        Default setting is:
    REM            set TITLE=flash-update
    set TITLE=flash-update

    REM        The LOG option is the name and location of the log file.
    REM            This field must be populated otherwise the script will fail. Removal of  ">> %LOG% 2>&1" in the rest of the script would be necessary
    REM            to not produce log file. (not recommended)
    REM        Default setting is:
    REM            set LOG=./%TITLE%.log
    set LOG=./%TITLE%.log

    REM         The SOURCE option is the mirror on which you would like to download the flash files from.
    REM        Default setting is:
    REM            set SOURCE=
    set SOURCE=

    REM        The DESTINATION option is where you would like your downloaded files to go. If you will be testing package before updating the
    REM        masses, you must change the destination to not be in the default published IIS folder. If you did not configure IIS, and would like
    REM        the update to propogate to all users please leave the default settings.
    REM        Default setting is:
    REM            set DESTINATION=C:\inetpub\wwwroot
    set DESTINATION=C:\inetpub\wwwroot

    REM        The VERSION option is the current major version of Flash Player. (Eg. for Flash Player 11.2, the major version is 11).
    REM        When it comes to the major version changing, please investigate any changes that Adobe have made to their software and update system.
    REM        Default setting is:
    REM            set VERSION=11
    set VERSION=11

    REM        The Proxy settings for wget to use. This is an optional parameter that can be ommited if you run as a configured users context.
    REM        It is recommended to configure this field if you do use a proxy server.
    REM            Note: the required string here is: http:\\<<PROXYSERVERNAME>>:<<PORTNUMBER>>
    REM        Default setting is:
    REM            set HTTP_PROXY=
    set HTTP_PROXY=

    REM ================= Script Core ========================
    REM    This is the guts of the script. Please dont modify this section of the script unless its to improve it, in which case please let me know.
    echo =O====== %date% %time% ======== >> %LOG% 2>&1
    if exist %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\xml (
    echo Folders Exist. Skipping destination folder structure creation. >> %LOG% 2>&1
    ) else (
    echo Creating destination folder structure. >> %LOG% 2>&1
    mkdir %DESTINATION%\pub >> %LOG% 2>&1
    mkdir %DESTINATION%\pub\flashplayer >> %LOG% 2>&1
    mkdir %DESTINATION%\pub\flashplayer\update >> %LOG% 2>&1
    mkdir %DESTINATION%\pub\flashplayer\update\current >> %LOG% 2>&1
    mkdir %DESTINATION%\pub\flashplayer\update\current\sau >> %LOG% 2>&1
    mkdir %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION% >> %LOG% 2>&1
    mkdir %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\xml >> %LOG% 2>&1
    mkdir %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install >> %LOG% 2>&1

    echo Downloading files… >> %LOG% 2>&1
    wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/xml/version.xml -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\xml\version.xml >> %LOG% 2>&1
    wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_ax_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_ax_sgn.z >> %LOG% 2>&1
    wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_pl_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_pl_sgn.z >> %LOG% 2>&1
    wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_64_ax_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_64_ax_sgn.z >> %LOG% 2>&1
    wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_64_pl_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_64_pl_sgn.z >> %LOG% 2>&1
    echo Script complete! See log file for more infomation %LOG%
    echo =X====== %date% %time% ======== >> %LOG% 2>&1
    echo. >> %LOG% 2>&1

    REM ================= Script End =========================

  3. Once your document is saved you are ready to schedule a task to run Daily. Ill assume the script is located at C:\FlashUpdate\GetFlashUpdate.bat and you are saving it directly to your IIS folder.
  4. Create the scheduled task to execute “C:\FlashUpdate\GetFlashUpdate.bat”, with user credentials (that has access to Proxy server), to run once a day. All other settings can be left as default.
  5. Right click on your new scheduled task and run it.
  6. Open IIS Manager, expand the server name, then expand the folder Web Sites. Right click on Default Web Sites and click Open.
  7. Here you should see 2 files (iisstar.htm and pageerror.gif) and a folder called PUB. Navigate through the folder and make sure you see all 5 files have been downloaded by the script.Further information on file names can be found under Background updates from an internal server, Page 10


You are done. If your clients are running a version of Flash greater than the auto-updating should update your clients as expected. If you want to force the updates on a client to test, you can:

  • run the scheduled task (as administrator because the task is a system task)
  • execute C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

Please let me know if i have been vague or inconsistent/inaccurate in any way so I can update it.


24 thoughts on “Deploying Adobe Flash Player 11.2 with auto-updating in an enterprise”

    I had a need for a internal Flash update server to update all my workstations as a requirement of the organization. Basically we could not allow our workstations to make the requests to the AdobeMacromedia Website to update flash. with some help from Ivan Dretvic standing up the IIS server, and configuring the workstations I was able to update all my workstations with a new version of flash within a 24 hour period, and control what/when it goes out. The code below is the simple download mechanism to build the local cache for the enterprise.

    I made the modification noted below. I would also be inclined to update the comments to advise folks that the VERSION should remain 11 as Adobe chose to continue using the current/sau/11/ folder path.

    [bat collapse=”true”]@rem wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/xml/version.xml -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\xml\version.xml >> %LOG% 2>&1
    @rem wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_ax_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_ax_sgn.z >> %LOG% 2>&1
    @rem wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_pl_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_pl_sgn.z >> %LOG% 2>&1
    @rem wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_64_ax_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_64_ax_sgn.z >> %LOG% 2>&1
    @rem wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_64_pl_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_64_pl_sgn.z >> %LOG% 2>&1[/code]

    [code]@rem 2014-06-23 Oliver Wilcock: add -N use -P instead of -O; use -x and -nH so that wget creates the path locally but doesn’t use the hostname in the path.
    @rem 2014-06-23 Oliver Wilcock: The -P method preserves the timestamps such that the files are not retreived unnecessarily each time
    wget.exe -N -x -nH -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/xml/version.xml -P %DESTINATION% >> %LOG% 2>&1
    wget.exe -N -x -nH -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_ax_sgn.z -P %DESTINATION% >> %LOG% 2>&1
    wget.exe -N -x -nH -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_pl_sgn.z -P %DESTINATION% >> %LOG% 2>&1
    wget.exe -N -x -nH -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_64_ax_sgn.z -P %DESTINATION% >> %LOG% 2>&1
    wget.exe -N -x -nH -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_64_pl_sgn.z -P %DESTINATION% >> %LOG% 2>&1[/bat]

    Oh, and thanks for the script and documenting the method!

    Oliver Wilcock

    • Thanks you for the update – I personally don’t use this solution as we use SCCM however I hope this may help others.
      NOTE: I have not tested your suggestion but based on the changes it makes sense.


  3. Ivan,
    I followed these instructions setting up my IIS and my Clients, on the Client side I continue to get errors
    “[error] 1223 1058”
    from the client in a browser I can actively “browse” every file with-in the folder stuctures (https://servername/pub/flashplayer/update/current/sau/11/)
    and so on, the files are there under the xml and install folders, I have added my self signed certs to the trusted store on the local system, and still it will not update.

    do you have any idea what these errors are? Adobes documentation is as lackluster as ever with this product, it is as bad as there Internal CS update Server

    • Hi Alan,
      I send you an email recently. Please send through the client logs with the error for me to look at.
      Also things to check:
      how was the client software deployed?
      What is the configuration of the mms.cfg file on the client, and in what location is it?
      What are the application event logs on the client? Are there any errors there?
      When you do a clean install of Flash player initially, are you using an MST configuration file? When you install the MSI can you run the install with VERBOSE logging so we can look into that more?


  4. This is a Pretty good Write up and helped me out getting everything up on the server side, but for what ever reason, My test clients keep getting an error of
    2013-5-3a+20-59-11.0 [error] 1223 1058
    they are not updating, and in my IIS logs I see no activity of any files being hit.
    I can use a browser to traverse the folder structure and grap files, but the FlashPlayerUpdateService.exe seems like it is not hitting
    no firewalls, or AV on my test machines

    any Idea of what these errors are pointing me too… Adobes Documentation is sparse at best (as always)

    • Hi Alan,
      Sorry for the late reply, and i hope i can be of assistance.
      Just to confirm your configuration, does the client use a proxy for internal and external sites? Is the proxy mandatory? If so you may struggle as the service runs under System account that wont have proxy settings configured. Please give me an update and ill get back to you more promptly,

  5. Thanks Ivan
    I’ve got this all set up and working. However it will only download v11.5. The latest 11.6 doesn’t seem to download. Any ideas why this would be the case?

    • Hi Andyturner,
      The script should work for 11.6. (I have not tested it on mine specifically as I use a new method.) The reason I say this is because the way Adobe Flash knows what to do is by navigating to the following XML:
      In that file you will see the following details:

      1. ActiveX major=”11″ minor=”6″ buildMajor=”602″ buildMinor=”171″
      2. Plugin major=”11″ minor=”6″ buildMajor=”602″ buildMinor=”171″
      3. MacPlugin major=”11″ minor=”6″ buildMajor=”602″ buildMinor=”171″
      4. SAUConfig checkFrequency=”1″

      Please try some more testing (especially updating outside of the enterprise proxy/internet connection) and see if it still works for you.

  6. Hi Ivan,

    Thank you for the effort and very useful information provided.
    In my case I had to fill Start in folder option in Actions tab of the task properties in order Task to run successfully. Before this, everything seemed OK, task was run but files weren’t downloaded neither log file generated. On the other side, when executing script manually from cmd, everything was OK.

    Hope this can help somebody with similar problem.
    Thanks again for great explanation.


  7. Hi – could I just confirm:-
    setting the mms.cfg so that the AutoUpdateDisable=0 and SilentAutoUpdateEnable=1
    this will automaitcally auto-update the software on PCs even if the currently logged on user does NOT have any admin rights on that PC?

    • Hi Chris,
      After flash version 11.2 they implemented a scheduled task that activates an update service which runs under the SYSTEM account, thus making it possible to update.

      There are a couple of exceptions where an update popup may appear but they won’t do anything because they will run in the users context.


  8. Hey Ivan,

    I was just wondering how you would go about packaging a software for deployment when there are individual licences to be activated.

    For instance if we buy WinZip with 5 licneces, how can I package this so the correct users get the correct activation key?


    • Hi Marc,

      Non-constructive reply: Good Luck, cause you will need it!

      Somewhat-constructive reply: I dont even know where to start!
      Firstly I would suggest trying every effort for a volume license key.
      Failing that, you would need to repackage every MSI with the key built in and distribute each one individually. Not efficient and generally not worthwhile.
      Alternative would be to use a script to install it. It would go a little like this:
      1. Check if older versions are installed, and if so uninstall them.
      2. Check if the current version is installed, if so go to end.
      3. check computer name, reference CSV from network for the computer name and corresponding key.
      4. run installation with correct parameters and destined key.
      5. hope you don’t have too many of these as its very messy.

      The CSV can be locked down somewhat to prevent users getting their hands on it, and it may just work. This is of-course assuming that the software allows you to supply a key silently.

      In a business environment you tend to purchased licenses where the installation is not locked down, but rather you have a licensing agreement that states you will be honest with your installations, or provide a centralised activation method. For example Adobe Acrobat is based on the EULA model, whereas Adobe CS suites require packaging software with embedded information to activation but without user intervention.

      Hope that helps,

  9. Hi, Ivan!
    Thanks a lot for your series of articles about deploy flash player in enterprise!
    I have a question for you about this article.
    We deploy flash player with GPO, it autoupdates. Will GPO try to install an older version of flash player after reboot?

    • Hi Anton,
      The installation GUID will be the same, thus the install will not overwrite. Once the installation is successful, it will write some registry information to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt.
      If the key is missing then the update will automatically install again on next reboot.
      Lastly if you choose to redeploy the app, it will reinstall the old version on ALL machines – don’t recommend doing this.

      Hope that help.

  10. FYI:

    Special behaviour for “major” Update 11.3… just if someone wonders… AND they are providing only one MSI (1 for ActiveX and 1 for plugins) with 32bit and 64bit version inside.

    i made the update to 11.3 via GPO again, just to force the update and be sure it’s done.

    Attention: There’s an error if you try to install the update with the .msi-file manually or with GPOs… you have to replace the older version or deinstall the old version before you can update…
    if that doesn’t work you have to remove the appropriate RegKeys under HKLM\SOFTWARE\Classes\Installer\Products\ (depending on which version is actually installed on your system)…


    • Hi Stehpan, your comment is very interesting – I have not yet looked into 11.3 update yet so this will definitely come in handy.
      So to confirm you have to uninstall old version before installing the latest version (I recommend this for most applications) and 11.2 version of the software will not automatically update to version 11.2 through the silent update mechanism?

  11. So I suppose if you had previously deploy with a GPO, you just need to update your mms.cfg file to allow autoupdates, then you don’t need to deploy any longer?

    • John,
      Yes so long as the version of Flash you deployed was after 11.2.x which includes the logic of the auto-updating.
      Furthermore the MMS with the extra settings on older versions of Flash will simply be ignored so you can deploy in preparation.
      Kind Regards,

  12. If you use a self-signed certificate, it is necessary to add it into the machine certificate stores (trusts root certs). Otherwise the Adobe Flash Player Updater would not download the version.xml.
    I use certmgr.exe on Windows XP (certmgr.exe -add flash.cer -s -r localMachine root)

    • Hi Gernot,
      Thank you for providing the additional information that I had not included. Self signed certificates are not accepted if the client does not trust it – Adobe requires the certificate to be trusted for it to work.
      A good reason to have an internal CA working.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

QR Code Business Card