cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
Locked
0
Upvote

Flash Player group policy installation

ord_2
New Here ,
Aug 03, 2009 Aug 03, 2009

Copy link to clipboard

Copied

Hi All,

Consider the following scenario:

BigCorp deploys thier Flash player the Group Policy Software Installation (GPSI).

BigCorp rolls out the latest version of Flash player to thier site.  Although BigCorp has followed all thier testing plans, and not noticed errors - users begin to report issues with a line of business app which uses Flash.

Admins at BigCorp disable the policy which installed the latest version of Flash payer, and re-enable the previous version.  Affected users reboot thier machines and they hang indefinatley at the GPSI instllation stage.

This behaviour appears to be by design, but the behaviour of the installer is not sane at this point.

I believe that this issue is caused by the feature noted at http://kb2.adobe.com/cps/402/kb402435.html - since removing HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer\SafeVersions prevents this from happening.  (Specific versions are listed, and appear to work as one might expect; i.e. remove the DWORD value at HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer\SafeVersions\10 and earlier versions can be installed)

The reason for the indefinate wait during installation of a downlevel version appears to be that the installer is displaying a dialog box that has been suppressed by GPSI since it is, I imagine, waiting for a response from the user that it will never recieve. At this point the only way to allow the machine to complete a reboot is to either a)disonnect the network b) force the policy to fall out of scope.

Evidence for this can be obtained from the %windir%\system32\macromed\Flash\install.log; specifically the line:

MessageBox: 12582960,"The version of Adobe® Flash® Player ActiveX that you are trying to install is not the most current version. Please visit http://www.adobe.com/go/getflashplayer to obtain the latest, most secure version."

Whilst I can understand (to some extent) the design of this feature - preventing the installation of an older client in this manner is disruptive to Adobe's clients.

It would be advantageous if we could override this using an MSI property. For example the Safe Versions features is in effect, unless the notional IGNORESAFEVERSIONS property is set to 'YES'. (Perhaps Adobe could consider this a feature request?)

This would afford protection for the maximum number of customers, but allow users with a business need to roll back to an older version of Flash player to shoulder the responisbility of running an older version.

http://kb2.adobe.com/cps/141/tn_14157.html is NOT a sensible solution for customer who are relient on GPSI for Flash Player installation. Repeatedly running the downloadable uninstaller is not a sane thing to do, as far as I can tell.

I've only tested this with the Adobe supplied MSI (not the in-browser installer) as I have thousands of machines to deploy this to.

Does anyone else have issues with this, and how do you get around them?

Views

9.5K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 1 Reply 1
latest latest Jump to latest reply
Zinc666
New Here ,
Apr 13, 2011 Apr 13, 2011

Copy link to clipboard

Copied

LATEST

Hi,

Apologies for digging up this thread but this issue has meant that I haven't deployed any updates to the Flash Player ActiveX since 10.0.45.2 for fear that it'll break my whole GP software deployment.


Firstly, I don't think Adobe will ever do 'the right thing' and introduce a new MSI property to make the install ignore any existing SafeVersions registry keys because I don't think they can; the actual ActiveX install is a custom action that calls an external executable embedded within the MSI that doesn't use Windows Installer technology so it wouldn't be aware of any MSI properties.

However, I've recently revisited this problem and I think I may have come up with a solution.

The trick I've employed is to ensure that the HKLM\Software\Macromedia\FlashPlayer\SafeVersions registry key gets removed during the MSI uninstall routine.  To do this you need to modify the MSI to add a new row into the Registry table.

You can do this by generating a transform using Orca, like so;

Registry = [any unique value you like]
Root = 2
Key = Software\Macromedia\FlashPlayer\SafeVersions
Name = *
Value = [Blank]
Component = ISRegistryComponent

The important bit is the asterix against the Name value.  This tells the MSI to always remove that registry key upon uninstall no matter what existing values are contained within the key.  Once that key is gone you can install any other version of Flash Player you like, even older versions.

This whole method of deployment relies on a couple of things to work though;

  1. You must ensure that Flash Player auto updates are turned off for all your workstations that have Flash Player installed using Group Policy. http://kb2.adobe.com/cps/167/16701594.html describes this method.  Note that for x64 machines you must place the MMS.CFG file under %systemroot%\SysWOW64\Macromed\Flash and not %systemroot\SysWOW64 like the document says.  This ensures that your users don't manually update Flash Player out of your control and with an MSI that doesn't employ the fix as above.
  2. Ensure that all future versions of Flash Player are pushed out using Group Policy and that you use the transform file above for each one.   If you do this you can roll back to a previous version without issue.
  3. Assign the MSI to your computers rather than users
  4. I've only ever 'replaced' Flash Player in Group Policy when rolling out a new version rather than upgrade it.  This means that the existing version is completely uninstalled before the new one.  That's not to say that upgrades won't work, it's just that I've never tried it.

    EDIT: 'Upgrading' previous MSI's works fine.


One last thing to note though is if you've already assigned Flash Player using Group Policy you can directly modify the install_flash_player_10_active_x.msi that was used to include the above registry row (ie, not using a transform) and then re-deploy it.  This ensures that the SafeVersions key will be removed right from the start if it is ever uninstalled.  Of course, if any of your users have manually upgraded to a newer version since then this won't work - in that case you'll have to remove the SafeVersions key manually, perhaps using a VB script (ideally at machine shutdown).

I hope this information helps anyone who's had a headache with deploying Flash Player through Group Policies.

Cheers,

Zinc

Message was edited by: Zinc666

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Copyright © 2024 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices