
Users Prompted to Manually Install 11.4 Despite Policy Automatic Silent Updates

Aug 22, 2012 8:32 AM

Tags: #11

Updates were working fine silently until the last couple of weeks.  Now users are being prompted to manually install the latest update.

Some users are getting prompts saying they need to log in with administrator credentials to install it even though they already are.

Other users are not noticing the options to install Chrome and set their homepage to Google were preselected and didn't unselect them and then call the company help desk for help resetting their home page.

 

How can this be stopped and have updates to 11.4 install silently and not install Chrome or change IE settings?

 
Replies
  • Chris Campbell
    9,454 posts
    May 4, 2010
    Aug 22, 2012 11:02 AM   in reply to web1c

    For regularly scheduled, major updates (like 11.4), users will be presented with a dialog allowing them to read about the new features available.  They then have the option to download and update immediately.  As you noted, the user does need admin privileges to install these updates. 

     

    You have the option to delay the update, in which case the silent auto update service will kick in automatically either 30 days after release or sooner if a security patch becomes available.  In this case, the install does not need admin privileges.

     

    Thanks,

    Chris

     
  • Chris Campbell
    9,454 posts
    May 4, 2010
    Aug 22, 2012 1:14 PM   in reply to web1c

    This is possible to do in an enterprise environment.  To deploy 11.4 via the silent auto update, you'll need to set up a server internally.  Please see our 11.4 admin guide (page 19) for details.  In addition, I'd recommend reading this blog post.

    http://blogs.adobe.com/spohl/2012/04/24/it-admin-deploying-flash-player-via-background-updater/

     

    You'll also want to make sure that you've signed our distribution agreement, if you haven't already. 

     

    http://www.adobe.com/products/players/flash-player-distribution.html

     

    Thanks,

    Chris

     
  • Aug 22, 2012 2:50 PM   in reply to web1c

    So I won't be silently updated to 11.4. I haven't been notified either. Guidance please.

     
  • Chris Campbell
    9,454 posts
    May 4, 2010
    Aug 22, 2012 2:58 PM   in reply to VFNVFN

    Notification can take up to 7 days, and on Windows will appear after your system has been restarted.  If you'd like to immediately update, simply go to http://get.adobe.com/flashplayer and run through the installer.

     
  • Aug 24, 2012 12:12 AM   in reply to VFNVFN

    ... I haven't been notified either...

    It'd appear it's not taking the full 7-day period to be notified as it did with version 11.3. I just rebooted the machine and was prompted immediately thereafter. Do so now or go to http://get.adobe.com/flashplayer and install it manually from there.

     
  • Aug 24, 2012 1:44 AM   in reply to web1c

    web1c wrote:

     

    We already had silent updates configured and working with 11.2 and 11.3.  We simply deployed a preconfigured mms.cfg file to our workstations that was set to install updates silently.  It worked fine until the 11.4 update.

    Yes, it was working fine as configured to work with v11.3 which updated -silently- 5 times within the last 2+ months.

     

    Please note however that Adobe can/may not use the automatic-silent background update channel for those new feature-bearing releases and/or any update that changes the default settings of Flash Player, which would require confirmation (acceptance of new terms) from end-users, even if they have already agreed to allowing background updates.

     

    For these new features and/or releases that require the acceptance of new terms of use, Adobe may need to notify users before an installation can be performed.

     

    You must therefore get the new 11.4 release installed first, and then re-enable the Background Updater to receive -silently again- further updates to this new version.

     

    Remember that to enable the Background Updater to your workstations, you would need to push an mms.cfg with AutoUpdateDisable=0 and SilentAutoUpdateEnable=1.

     

    Hope this helps.

     
  • Aug 24, 2012 7:43 AM   in reply to web1c

    web1c wrote:

     

    Updates were working fine silently until the last couple of weeks.  Now users are being prompted to manually install the latest update.

    Some users are getting prompts saying they need to log in with administrator credentials to install it even though they already are.

    Other users are not noticing the options to install Chrome and set their homepage to Google were preselected and didn't unselect them and then call the company help desk for help resetting their home page.

     

    How can this be stopped and have updates to 11.4 install silently and not install Chrome or change IE settings?

     

    We also are in the same boat.  Silent updates were working fine until the last release, 11.4.xxx (11.3.300.xxx were updating just fine).

    I don't think Adobe understands what it's like to be an IT / Desktop Administrator.  In the 'real' world, a silent updating system is just that: it updates itself w/o ANY user interaction required.  If we are downloading and packaging the Flash Player updates via the distribution channel, I would think that Adobe made it part of the agreement that we can just push updates and not have to show the users the new changes/EULA changes; isn't that the idea of a corp/redistribution license and agreement?

    I am getting so SICK of Flash updates and the inability to clearly state how the *$%#$ you're supposed to configure it to do a true silent update.  I hope the web moves to HTML5 sooner than later so we can ditch the web's worst plugin that won't die.  Apple may have been onto something when they said NO to Flash in iOS and Safari.

    Can we at least get some clarifications or a form to request a change to the silent update process/methodology?  We on these forums are here for a reason; we have 400+ users asking why they keep getting prompts about updating.  The worst part of the update process is that it leads them to the consumer Flash update page and not the corp/distribution channel build that is just Flash and no Chrome browser or whatever other program Adobe is trying to push down the end users' throats.

     
  • Aug 24, 2012 11:48 AM   in reply to jimmy_selix

    Same problem here too. I have been deploying via AD GPO for well over a year and all of a sudden I get people trying to install the update and then Chrome piggybacks. This is ridiculous.

    I deleted the installers from the GPO and added and assigned the new package like always and it won't deploy. It shows that it is installing the update on a reboot, but the version never changes from 11.3 to 11.4.

     

    According to the ADMIN GUIDE on pages 10 and 11, this should work (and it has been working until 11.4).

     

    ***EDIT*** - Even after uninstalling it from the desktop, it won't install the new version via GPO, even though it shows that it is installing it during boot.

     

    ADOBE Please let us know how to fix this. I have 80 desktops and I am the only IT guy here, so that would be about a day wasted...

     
  • Aug 24, 2012 9:13 PM   in reply to web1c

    web1c wrote:

     

    The prompts have only been appearing after a reboot, so computers that were not rebooted don't see the prompt to install manually.

    That's correct! When the update is made available for the notification updater only (i.e. not for the  Background Updater which is set to a 24 hour update check interval), the check interval defaults to 7 days. The notification updater also requires you to reboot your system before it displays the notification.

     

    Another element to remember about the notification updater is that it only updates one Player at a time (a shortcoming that was addressed in the Background Updater). The Player that will be updated first is the last one to perform an update check. The other Player (if installed) will check again based on the default interval of 7 days. Once you reboot your system after this second check has occurred, both types of Flash Player will have been updated.

    So at the end, you (your users) may probably see "2 notifications" - - (depending on how many players/browsers you're using).

     

    Also note that there is a time window after which quarterly updates to Flash Player are then made available for the Background Updater (currently 30 days). This means that if you didn’t get notified for both types of Flash Player installed on your system in 30 days, the remaining Players that weren’t updated yet will be updated silently by the Background Updater (if enabled).

     

    SOURCE: Courtesy of Mr. Stephen Pohl via his BlogPost (Comments) here >

    Post - Hello, Adobe Flash Player Background Updater (Windows)! > http://blogs.adobe.com/spohl/2012/03/30/hello-adobe-flash-player-background-updater-windows/

     

    Hope this helps

     
  • Aug 24, 2012 9:52 PM   in reply to RickCP

    Please note that even if you have been enrolled into the Background Updater to receive 'silent updates', NOT all updates going forward shall be completely silent (as with current version 11.4 over previous version 11.3 - same as it happened back in June when v11.3 was released as an upgrade of previous v11.2, and same situation shall probably be repeated in the future with next upgrade 11.5), even if you have already agreed to allowing background updates.

    Because of the requirement of previous acceptance of new terms of use in respect of new feature releases, scheduled updates, new builds and/or version upgrades, Adobe shall/may need to "notify" users before an installation can be performed.

    On a case-by-case basis for this type of release Adobe may use the notification mode. However, please note that Adobe could apply a zero-day patch without requiring end-user confirmation, as long as the user has agreed to receiving background updates.

     

    You may find some more info about Flash updates mechanism in this other thread of mine >

    http://forums.adobe.com/thread/1025067?tstart=0

     

    Additionally, if you had enrolled into the Background Updater since it was first introduced with version 11.2, your logs should show similar info as:

    *Upgrade 11.2.202.228 released 03-28-2012 prompted to install 04-05-2012,

    - Update 11.2.202.233 released 04-13-2012 silently installed 04-14-2012,

    - Update 11.2.202.235 released 05-04-2012 silently installed 05-04-2012,

     

    *Upgrade 11.3.300.257 released 06-08-2012 following a reboot - prompted to install 06-17-2012 [1] for the Firefox Plugin. Following a second reboot thereafter - prompted to install 06-26-2012 [1] IE ActiveX,

    - Update 11.3.300.262 released 06-23-2012 silently installed 06-23-2012 - for the Firefox Plugin 'only',

    - Update 11.3.300.265 released 07-11-2012 silently installed 07-22-2012 [2],

    - Update 11.3.300.268 released 07-26-2012 silently installed 07-27-2012,

    - Update 11.3.300.270 released 08-02-2012 silently installed 08-03-2012,

    - Update 11.3.300.271 released 08-14-2012 silently installed 08-15-2012,

     

    *Upgrade 11.4.402.265 released 08-21-2012 following a reboot - prompted to install 08-23-2012 [3] for the Firefox Plugin. Following a second reboot thereafter - a new notification to update the IE ActiveX Control is expected some time [4] soon.

     

    [*] Notes:

    [1] Notice that after each reboot, it took exactly 9 days (not the default interval of 7 days) for each notification/player to install.

    [2] Players were not installed automatically within 24 hours due to a non-connectivity issue on my side.

    [3] Now I'm confused! First notification got in immediately after the machine was restarted, i.e. less than 48 hours of the release. The 'Prompt-window' only showed the 'Install' button, which did not open the installer dialog (therefore no new licence acceptance? and no new updates-setting options?), but redirected me instead to the download website to install it from there. Again, this online installer did not ask me to accept anything or allow me to change my options?

    [4] In view of [3] above, I'm not manually installing the second (IE ActiveX) player, to allow some more time to see what happens next...

     

    And to check if -

     

    (a) this may be a Flash updates mechanism policy change? or...

    (b) is it a case of Adobe applying a zero-day patch? in view of the 'critical' security updates included?

    I don't know, but in either case, why then not use the background updates channel (instead of prompting users) if there is no need for users to accept new terms of use?

     

    @web1c @jimmy @wrx7m

     

    Notwithstanding my own doubts above, and as it's the "true silent automatic updates" that you guys are really interested in, I may refer you to the following 'feature request' (There should be an option for silent (prompt-free) automatic update) which is still open for you to place your votes/comments > https://bugbase.adobe.com/index.cfm?event=bug&id=3211239

     

    Good Luck!

     
  • Chris Campbell
    9,454 posts
    May 4, 2010
    Aug 27, 2012 10:17 AM   in reply to web1c

    Yes, configuring an internal update server (Flash Player 11.4 Admin guide page 19, section Background updates from an internal server) will allow you to configure all of your client systems to download and silently apply all updates that are made available.

     

    We highly recommend all IT admins take a look at this feature, as we believe it will be the simplest, most straightforward way of making sure all of your client systems are running the latest Flash Player without any interaction from your users.

     
  • Chris Campbell
    9,454 posts
    May 4, 2010
    Aug 27, 2012 10:35 AM   in reply to web1c

    In the case of the system being unable to contact your internal server, Flash Player will fall back to the old style notification mechanism for all updates.  Would this be a deal breaker for you?  If so, how would you expect it to behave?

     
  • Aug 27, 2012 10:53 AM   in reply to Chris Campbell

    Chris,

    Setting up an internal server to manage the updates and writing custom scripts to automatically download the update files is fine, but why doesn't Adobe offer to host corporate versions of the update files on their own servers? That would allow companies that have systems with full web access to point to enterprise.adobe.com (or whatever) and allow business PCs to download updates SILENTLY IN THE BACKGROUND without ANY prompts or Google Chrome being bundled (some might call this adware).

    The issue with Chrome being set to download, install and become the default browser in the 11.4 Flash Player update is the last straw for our company and we are disabling the Flash "background" updater. If I had the power to ban Flash at our company I would.

    To all reading this thread I suggest you submit a bug/fix request for the issues with the Flash Background updater:

    https://bugbase.adobe.com/index.cfm?event=bug&id=3317738

    https://bugbase.adobe.com/index.cfm?event=bug&id=3211239

     
  • Chris Campbell
    9,454 posts
    May 4, 2010
    Aug 27, 2012 11:21 AM   in reply to lmoore101

    Thanks for your input.  I'll forward this along to the team.  Part of the problem with us having two different types of servers (one for the general public, the other for distribution agreement holders) is that there's no way to enforce which one is used.

     

    Chris

     
  • Aug 27, 2012 11:36 AM   in reply to Chris Campbell

    Thanks Chris, that makes sense.  I would suggest the default would be to forward all update traffic to the general public server and admins can point to/add the Adobe corporate server in the MMS file as needed.  That wouldn't be as intuitive as a separate setting (in the MMS or even better the GUI) but at least it would be an option that could be implemented quickly with no changes to the updater code.

     

    Heck Adobe already has the special corporate download site (won't post the URL per the EULA) for the redistributable versions of Flash. It seems like that site could be slightly modified to work with the Flash auto-updater.

     

    At our company of 4000 users, Flash is a fun little web feature (with the occasional significant security vulnerability) that offers minimal business value in our professional corporate environment.  It really isn't practical that Adobe expects companies to set up their own internal update infrastructure for this auxiliary feature.

     
  • Aug 28, 2012 12:42 AM   in reply to Chris Campbell

    Hi Chris,

     

    I appreciate you answering on this forum post however it is disappointing that you are not taking the extra time to clarify all the points that are being raised here, but rather relying on members of the public to provide the information.

     

    As to your question around potential improvements to your Internal Server Update architecture here are my suggestions on improving the system:

     

    MMS.CFG settings

    1. Allow the ability to include a SilentAutoUpdateProxy value so that smaller companies with unauthenticated proxy servers can still access your silent auto-updating mechanism without using an internal system
    2. Provide a fallback - SilentAutoUpdateServerDomainFallback switch to use the internal update server, and failing that for X days will try and access the Internet servers as well. This option should be enabled by exception. It would suit my situation where I have a handful of users who rarely VPN or are onsite, yet they still get my MMS.CFG config file.
    3. Change the switch SilentAutoUpdate to SometimesSilentAutoUpdate. Preferably make the auto update completely silent like it should be.

     

    Internal Update Server recommendations

    1. Provide a tool that sits on a server and configures the system to do the updates. It would be a simple tool to create and test.
      1. The install of the tool should install IIS (easy 3 lines in PowerShell)
      2. Create an internal DNS name that's friendly (to use in the MMS.CFG file)
      3. Allow the installation of a certificate, where either you can attach the PFX or your app creates a self-signed one. (link it to Digicert and take a commission if you want)
      4. Configure the download location (major version number), destination location, etc.
      5. Provide logging functionality
      6. Provide functionality where the latest version needs approval before installation (rolling basis) - this is something I would like to see, but doubt Adobe would implement.
    2. If you don't build a tool, at least document a tried and tested method for IT admins to use (the scripts)
    3. Improve your documentation on how the system is designed to work, and what all the exceptions are. Provide a visual diagram of the entire process - you might then see where it can fail depending on circumstances.
    4. Hire me for 6 months to improve these processes, and for the other products as well

     

    Finally, I personally think the current updating system is by far better than what we were given before, the installations are more robust and leave less junk behind. We just need to tidy up the teething problems, or find workarounds.

     

    Regards,
    Ivan Dretvic

     
  • Aug 28, 2012 7:52 AM   in reply to Chris Campbell

    Chris,

     

    As long as users without admin rights are *never* prompted. There is no logical reason you'd ever want users without admin rights prompted for anything. Especially if your auto-updater is going to take care of it eventually anyhow.

     

    This is how all Adobe products should work. They should just update, so Admin can get back to the mountain of other work they have. It'd be really nice if Microsoft had a more built-in means of doing this, instead of every vendor creating their own pocket service for doing so.

     

    *cough* Third-Party WSUS *cough*

     

    -- Brandon

     
  • Aug 28, 2012 8:13 AM   in reply to Chris Campbell

    Chris Campbell wrote:

     

    For regularly scheduled, major updates (like 11.4), users will be presented with a dialog allowing them to read about the new features available.  They then have the option to download and update immediately.  As you noted, the user does need admin privileges to install these updates. 

     

    You have the option to delay the update, in which case the silent auto update service will kick in automatically either 30 days after release or sooner if a security patch becomes available.  In this case, the install does not need admin privileges.

     

    Thanks,

    Chris

     

    Chris, as @RobertBMills stated, our users do not have admin rights...users should never (ever) be prompted.

     

    Don

     
  • Aug 28, 2012 9:02 AM   in reply to Don Montalvo

    Agreed, a "good" user should never click on a random update prompt, but many do and this is how malware is spread.  How can the user know that the official Adobe Flash update prompt is valid or a spoof?  Heck if I was a virus writer why not make a pop-up that looks exactly like the flash update prompt to get my malware installed....

     

    As all others have stated, users should NEVER be prompted for these types of updates  and they should install silently in the background and not require administrative credentials (when configured to be silent via the mms.cfg).

     
  • Sep 12, 2012 11:35 AM   in reply to lmoore101

    Note to Adobe Support Team:

     

    Just copy and paste the 5 following files on your ******* servers so we can get the 11.4 update instead of thousands of popups on users' screens each morning and hundreds of service calls

     

    OK here we go:

     

    1st file: install_all_win_64_ax_sgn.z

    2nd file: install_all_win_64_pl_sgn.z

    3rd file: install_all_win_ax_sgn.z

    4th file: install_all_win_pl_sgn.z

    5th file: version.xml

     

    GOD this is painful, it's clearly the most expensive freeware ever.

    Thanks Adobe.

     
  • Sep 20, 2012 1:19 PM   in reply to etienne1234

    This is not a good situation.

     

    Any updates from Adobe?

     

    When you combine this with the "NOT MARKED FOR INSTALLATION." error upgrading from 11.3 to 11.4 (http://forums.adobe.com/message/4672483), you are stuck in a situation where Flash won't update automatically because 11.4 is a major release and you can't deploy 11.4 via a GPO because of leftover registry keys.

    I deployed 11.2.202.228 via group policy and it successfully silently updated to 11.3.300.271, but it won't go any higher.

    Will this 11.3 build never silently update to 11.4?

    I am trying to be proactive and keep our environment current, but it is extremely difficult.

     

    Thanks

     
  • Mar 12, 2013 2:31 PM   in reply to Chris Campbell

    I'm having this problem too, but we use SCCM SUP to roll out flash updates. Why would it check in when the mms.cfg says: (copying and pasting here)

     

    AutoUpdateDisable=1

    AutoUpdateInterval=0
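
Added example, not part of any post in this thread and not Adobe code: a small auditor that reads an mms.cfg and reports which update behaviour it requests, covering both the pair given in the Aug 24, 2012 reply (AutoUpdateDisable=0 with SilentAutoUpdateEnable=1) and the two lines pasted in the post above. The state labels, the `#` comment handling and the case check are assumptions of this example; SilentAutoUpdateServerDomain is the admin guide's key for an internal update server and is not quoted in the thread.

```python
# Added example: audit the update-related keys of an mms.cfg file.
UPDATE_KEYS = ("AutoUpdateDisable", "SilentAutoUpdateEnable",
               "AutoUpdateInterval", "SilentAutoUpdateServerDomain")
CANONICAL = {k.lower(): k for k in UPDATE_KEYS}

# Constructed sample: the pair the Aug 24, 2012 reply says to push (with a BOM).
SAMPLE_SILENT = ("\ufeff# pushed by IT (constructed)\n"
                 "AutoUpdateDisable=0\nSilentAutoUpdateEnable=1\n")
# The two lines pasted in the Mar 12, 2013 post.
SAMPLE_POSTED = "AutoUpdateDisable=1\n\nAutoUpdateInterval=0\n"
# Constructed sample with mistakes an audit should surface.
SAMPLE_BROKEN = ("autoupdatedisable=0\nAutoUpdateDisable=1\n"
                 "SilentAutoUpdateEnable = 1\nSilentAutoUpdateEnable\n")


def parse_mms_cfg(text):
    """Return (settings, problems) for the contents of one mms.cfg file."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment (assumed syntax)
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            problems.append(f"line {lineno}: not key=value: {raw!r}")
            continue
        name = CANONICAL.get(key.lower())
        if name is None:
            continue  # setting unrelated to updates
        if key != name:
            # Whether the player accepts other casing is not stated in the
            # thread, so the line is only flagged for review.
            problems.append(f"line {lineno}: {key!r} is not spelled {name!r}")
        if name in settings:
            problems.append(f"line {lineno}: {name} set more than once")
        settings[name] = value  # the last occurrence is the one reported
    return settings, problems


def classify(settings):
    """Map parsed settings to a label for the behaviour they request."""
    disable = settings.get("AutoUpdateDisable")
    silent = settings.get("SilentAutoUpdateEnable")
    if disable == "1":
        # The pair from the thread needs AutoUpdateDisable=0.
        return "conflict" if silent == "1" else "updates-disabled"
    if disable == "0" and silent == "1":
        if settings.get("SilentAutoUpdateServerDomain"):
            return "background-updater-internal-server"
        return "background-updater-adobe-servers"
    if disable == "0":
        return "notification-updates"  # checks allowed, no background updater
    return "unmanaged"                 # the file does not pin update behaviour


def audit(text):
    """Parse and classify one mms.cfg, keeping the problems for the report."""
    settings, problems = parse_mms_cfg(text)
    return {"state": classify(settings), "settings": settings,
            "problems": problems}


if __name__ == "__main__":
    for label, sample in (("silent", SAMPLE_SILENT), ("posted", SAMPLE_POSTED),
                          ("broken", SAMPLE_BROKEN)):
        result = audit(sample)
        print(label, result["state"], result["problems"])
```

A result with a non-empty `problems` list should be reviewed by hand before trusting its `state`, since the label is computed from the last value seen for each key.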

     
  • May 15, 2013 11:35 PM   in reply to Skuld-Chan

    Hello everyone,

     

    Apparently I'm in the thread which best fits my issue. Currently, we deploy FP v11.6 on our users' computers, but recently, a bunch of users have been prompted for a Flash update, despite the fact I've configured a system which worked (until the last few weeks) to silently update FP from our internal web server.

    2 questions are haunting me:

    - Why did the internal silent auto update magically decide to stop working again (from the 11.6 version)?

    I almost believe that Adobe made a prompt to end users on purpose in order to install Chrome at the same time, because of a strong commercial contract with Google.

    - Why are the version.xml files available at http://fpdownload2.macromedia.com/pub/flashplayer/update/current/sau/11/xml/version.xml and http://fpdownload.adobe.com/pub/flashplayer/update/current/sau/11/xml/version.xml not up to date with the latest version? Because it's a beta version? Not safe?

    EDIT: OK, the files are now up to date, it's perfect, the silent autoupdate worked again. But I'm still wondering why it asked for the update on some computers, even though the mms.cfg was correctly configured on them...

     

    Thanks a lot for the care, and to fill the blanks in my mind.

    Regards,

     