Like many other applications, Adobe Flash has built-in update functionality that checks for updates and will prompt the end user to install the update. Unfortunately, these updaters are not always smart enough to know whether or not the user has Admin rights. In a very small environment, this may not be a problem since users may [*shudder*] have Admin rights; however, in a larger environment, this can generate a lot of unnecessary support requests when a user that doesn’t have Admin rights gets a UAC prompt that wants Admin credentials… especially if you’re using some kind of systems management software to push out updates to your computers.
In this post, I’ll detail how you can configure Group Policy to disable the Flash update checks so that your end users don’t see messages like this:
If you’ve read any of my previous posts about disabling software updaters, I’m hopefully preaching to the choir. If not, here is my standard warning about disabling the update utility for 3rd party software: You still need to update 3rd party software just like you would install monthly updates from Microsoft unless you have a really good reason not to. This tutorial is intended for systems administrators that are using some kind of systems management product for updating 3rd party software like SCCM, Landesk, etc. Many of the security flaws in 3rd party software can lead to malware infections and/or compromised computers. If you disable the update notifications, you still need to keep the software up to date!
This tutorial applies to Adobe Flash on a x86/32-bit version of Windows. If you need to disable Flash updates for a x64/64-bit version of Windows, I’ve covered that in another post.
First, you’ll want to open the text editor of your choice. The text editor you use doesn’t matter as long as it allows you to change the encoding of text files. In the screenshots below, you’ll see that I used Notepad++.
In your new text file, enter:
Set the encoding to UTF-8 and save the file.
Here’s the same thing in Notepad:
The next thing you’ll need to decide is where on the network to store the mms.cfg file. The share that houses this file will need the Domain Computers group to have Read access on the share and on the NTFS file system. What’s the easiest way to do this with the least amount of effort? Honestly… put it in SYSVOL. (I think I heard some shrieks when I typed that and read it back to myself out loud.) Think about it… how big is this file? A few kilobytes? If you create a new GPO and set a handful of settings, you’ll generate more replication traffic than this file will. Also, pretty much everyone puts their scripts into SYSVOL; this is just a one line text file… way smaller than the average script. You can still create a separate share if you want or if your company requires it.
So, we’re going to put it into \your.fqdn.localSYSVOLyour.fqdn.localscripts:
Next, open the Group Policy Management Console and go to your Group Policy Object that will hold this policy. Go to Computer Configuration > Preferences > Windows Settings > Files. Right-click and choose New > File.
In the New File Properties, set the following:
Source file(s): \your.fqdn.localSYSVOLyour.fqdn.localscriptsmms.cfg
Destination File: C:WindowsSystem32MacromedFlashmms.cfg
When you click OK, it should look something like this in the GPMC:
All that is left is to refresh Group Policy on your test systems. Run a quick gpupdate.exe and you should see this if you open the C:WindowsSystem32MacromedFlash folder:
Here’s the before and after in Adobe Flash Control Panel applet also: