If you work in a large enterprise you will have had to deploy Flash Player to your workstations, and if you have, you will know that it has more security holes than Swiss cheese and needs updating very often. Trying to keep control of this is the road to madness, so let’s automate the sh#! out of it.

In the past I used to disable the auto update, as it just annoys the end user, and would try to keep it up to date, but this causes more problems than it solves.

Controlled automation is the solution.

Broadly what I did

  • Create an application and deployment for Adobe Flash Player (IE and Firefox versions).
  • Create a Configuration Item to make sure it’s set to auto update.
  • Create and deploy a Configuration Baseline.
  • Update the Adobe Flash Player scheduled task.
  • Never have to worry about Flash again until Adobe retire the product.

Update existing versions

In my environment we use SNOW Licence Manager, which can give detailed reports of all software and, more importantly, what versions of said software. What I found was not encouraging: the versions ranged from 9 to 22.

It was important to update all installations to the latest version and that can act as my baseline to work off for the future.

This was before, pretty bad.

Application Name          Installations
Adobe Flash Player 9      42
Adobe Flash Player 10     89
Adobe Flash Player 11     368
Adobe Flash Player 14     97
Adobe Flash Player 17     1203
Adobe Flash Player 18     437
Adobe Flash Player 19     868
Adobe Flash Player 20     1489
Adobe Flash Player 22     107


Download Flash Player MSI

Go to the Flash distribution page, found here – https://www.adobe.com/uk/products/flashplayer/distribution5.html


Downloads: Flash Player (Win & Mac)

  • Windows, Internet Explorer (ActiveX), all supported languages: Download EXE Installer, Download MSI Installer, Import SCCM/ConfigMgr SCUP Catalog*
  • Windows, Firefox and Netscape Plug-in compatible applications (NPAPI), all supported languages: Download EXE Installer, Download MSI Installer
  • Windows, Opera and Chromium based applications (PPAPI), all supported languages: Download EXE Installer, Download MSI Installer


  • You will need to apply to Adobe for a distribution license to access this site
  • As of Windows 8, Flash has been embedded into IE and Edge
  • Chrome has Flash built in and it’s better to let Chrome update itself rather than deploy the PPAPI version

Create and deploy Adobe Flash Player

Using the voodoo power of PowerShell, create the Adobe applications and deploy them to all workstations; obviously change as needed.



Once you have deployed the latest version of Flash everywhere you should end up with a baseline to work off. Some clients won’t want to update from, let’s say, version 11 to 23. My buddy MVP Nickolaj Andersen has a good post about this – http://www.scconfigmgr.com/2013/05/23/upgrade-adobe-flash-player-11-7-x-fails-with-error-1603-in-configmgr-2012/

Creating a Configuration Item

Create a Configuration Item to ensure Adobe Flash Player updates itself:




Discovery Script

This script looks for the existence of the “mms.cfg” file. In this file you can enable or disable updates and, even more importantly, make them silent. More details here: http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html


If the script runs and doesn’t find the files it will return false (this is important later).


Remediation Script

This script creates the files and writes the entries;





Compliance Rules

This means if the discovery is false it will run the script to create the files.
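
As an added example (not the author's original scripts), this is one way the discovery check, the remediation and the compliance rule can fit together. The mms.cfg locations, the AutoUpdateDisable and SilentAutoUpdateEnable settings (both taken from the Adobe admin guide linked above) and the function names Get-MmsCfgPath, Test-MmsCfg and Set-MmsCfg are assumptions.

```powershell
# Added example: discovery and remediation logic for mms.cfg, kept in one file for reading.
# Assumed (not from the original post): file locations and setting names per Adobe's admin guide.
$Required = [ordered]@{
    AutoUpdateDisable      = '0'   # 0 = automatic updates allowed
    SilentAutoUpdateEnable = '1'   # 1 = update in the background without prompting
}

function Get-MmsCfgPath {
    # Native Flash reads System32; 32-bit Flash on 64-bit Windows reads SysWOW64.
    $dirs = @("$env:windir\System32\Macromed\Flash")
    if (Test-Path "$env:windir\SysWOW64") { $dirs += "$env:windir\SysWOW64\Macromed\Flash" }
    $dirs | ForEach-Object { Join-Path $_ 'mms.cfg' }
}

function Test-MmsCfg {
    param([string[]]$Path, [System.Collections.IDictionary]$Settings)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { return $false }   # missing file = non-compliant
        $found = @{}
        foreach ($line in (Get-Content -LiteralPath $file)) {
            if ($line -match '^\s*([^#=\s]+)\s*=\s*(.*?)\s*$') { $found[$Matches[1]] = $Matches[2] }
        }
        foreach ($key in $Settings.Keys) {
            if ($found[$key] -ne $Settings[$key]) { return $false }  # absent or changed value
        }
    }
    return $true
}

function Set-MmsCfg {
    param([string[]]$Path, [System.Collections.IDictionary]$Settings)
    foreach ($file in $Path) {
        $dir = Split-Path -Parent $file
        if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
        # Keep unrelated settings already in the file; drop any old copies of ours.
        $keep = @()
        if (Test-Path -LiteralPath $file) {
            $keep = @(Get-Content -LiteralPath $file | Where-Object {
                -not $Settings.Contains(($_ -split '=', 2)[0].Trim())
            })
        }
        $new = @($Settings.Keys | ForEach-Object { "$_=$($Settings[$_])" })
        Set-Content -LiteralPath $file -Value ($keep + $new) -Encoding UTF8
    }
}

# Discovery script: the Boolean written to the pipeline is what the compliance rule compares.
# The remediation script would instead end with: Set-MmsCfg -Path (Get-MmsCfgPath) -Settings $Required
Test-MmsCfg -Path (Get-MmsCfgPath) -Settings $Required
```

Run the scripts with the 64-bit script host on 64-bit clients; in a 32-bit host, file system redirection maps System32 to SysWOW64 and the native copy of mms.cfg is never checked.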



Creating a Configuration Baseline

Now create a configuration baseline




Deploy Configuration Baseline

Now deploy the baseline


Baseline deployment in action

If you delete the mms.cfg file or if you change any settings, discovery will report that something is wrong and the remediation script will repair it.



Click evaluate in the configuration manager client:


Within seconds the file is back:



Scheduling the automatic updates

When you install Flash and allow it to update itself, it creates a scheduled task which runs once an hour every day, which is nuts.
You can change this using either a GPO or PowerShell; for ease I used a GPO to change the scheduled task.


This is set to run way too often; Adobe Reader suffers from the same issue.




Group Policy

I run the updater twice a day, three days a week; the reason we need to run it twice is that the updating service can only update one component at a time. Use item-level targeting, as the updating files are located in different areas depending on your OS.



Pat Yourself On The Back!

When you take the steps above you can ensure that Flash Player is up to date on all workstations until the day Adobe retire the product.


Any questions, you can catch me on Twitter – @terencebeggs

