My Outer Monologue

Currently browsing tag adobe

Blocking Adobe Flash Player Automatic Updates With Group Policy.

In a previous post, I discussed deploying Adobe Flash Player in an enterprise environment. I also mentioned that in order to disable the automatic update feature of Flash, you should create an MST transform file to install a custom mms.cfg.

This is all well and good, unless you are intending on installing the EXE version of Flash, and not the MSI.

Usually, I’d go MSI over EXE any day of the week, but Flash Player is a fickle b*tch of an install. For some reason, I was seeing plenty of MSI installations fail while using SCCM 2007. Most of the failures related to certain files not being marked for installation. The following event log entry could be observed on the machines.

Product: Adobe Flash Player 10 ActiveX — Error 1722.There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action NewCustomAction1, location: C:\DOCUME~1\<username>\LOCALS~1\Temp\InstallAX.exe, command: -install activex -msi

For this reason, I bailed out and went with the EXE installation, which so far, when used with the new silent install switch (-install) works flawlessly.

Now, obviously we can’t transform an EXE, so I’ve had to come up with the following CMD script which can be applied to computer startup through the use of a Group Policy Object.

ECHO AutoUpdateDisable=1 > %WinDir%\System32\Macromed\Flash\mms.cfg
ECHO DisableProductDownload=1 >> %WinDir%\System32\Macromed\Flash\mms.cfg

The nice thing about this script is that it will only run if the Macromed folder exists.

Tags: , , , Posted in Deployment
1 response » | July 26th, 2010 by Tom |

Deploying Adobe Reader Updates in Enterprise Environments.

Anyone who works with software deployments will know where I’m coming from on this. Adobe Reader has to be the single most time consuming piece of software when it comes to software packaging and distribution. With such a large user base and ever increasing targeted threats, it’s no wonder we find ourselves with critical updates to deploy. Often more than one a month.

The trouble with Adobe Reader updates is that they aren’t particularly easy to distribute. Sure, you can download the MSI installer from Adobe’s website and use the Adobe Customisation Wizard to create a neat little MST file to transform the install with all your company’s standard settings, but have you ever tried installing the new MSI over a previous version? Not so easy now huh.

For some unknown reason, Adobe engineer their Reader installations in such a way that simply deploying the new MSI isn’t enough. For instance, you can’t simply push out Adobe Reader 9.3.3 and hope that it updates all the previous 9.3.2 installations. You first have to uninstall all previous versions.

Adobe updates usually come in the form of MSP files. These files are designed to patch your existing installation points. It’s important to note that this is only the case for quarterly updates. Security updates cannot be used to patch your administrative installation point.

For this example, I’m going to patch my Adobe Reader 9.3.0 administrative installation point with the MSP for 9.3.3.

Oh but wait, another fly in the ointment. You can’t patch a 9.0 administrative point with 9.3.3 directly. You must follow this order of patching:

9.3.0 > 9.3.2 > 9.3.3

Start by downloading all of your files. You’ll need:

  • Your 9.3.0 administrative point
  • AdbeRdrUpd932_all_incr.msp
  • AdbeRdrUpd933_all_incr.msp

Slipstreaming Updates into the Administrative Installation Point.

Fire up a command line window, and run the following. This command will integrate your MSP with your installation point.

msiexec.exe /a "path to acroread.msi in admin point" /p "path to AdbeRdrUpd932_all_incr.msp" /qb

You’ll notice the installer wizard configuring your computer. Note that this is actually configuring your installation point, not your computer.

Repeat the above with the AdbeRdrUpd933_all_incr.msp file. You will now have an installation point with Adobe Reader 9.3.3 ready to roll.

Deploying the Updated Version.

If like me you have Microsoft System Center Configuration 2007 at your disposal, you can make use of my batch file script that I have created to remove all previous versions of Adobe Reader prior to installing the new 9.3.3 version. Simply set the script to run before the installation for Adobe Reader 9.3.3 and you should find the install takes place with no errors.

For the script to work fully, you’ll need to add the MSIZap executable into the same folder as the script. This can be downloaded for free as part of the Windows Installer Cleanup Utility (found here…). You only need msizap.exe for the script to work, forget about the other files. MsiZap is a very useful tool. Check out the command line syntax I use and experiment to your hearts content.

If you only have Group Policy at your disposal, I’m sure it wouldn’t be too hard to modify the script to call the install after the uninstalls have taken place. Hope this helps!

REM *** MSI Uninstall Adobe Reader 6
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A00000000001} REBOOT=Supress /qn
REM *** MSI Uninstall Adobe Reader 7
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A70900000002} REBOOT=Supress /qn
REM *** MSI Uninstall Adobe Reader 8.0
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A80000000002} REBOOT=Supress /qn
REM *** MSI Uninstall Adobe Reader 8.1
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A81000000002} REBOOT=Supress /qn
REM *** MSI Uninstall Adobe Reader 8.1.4
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A81300000003} REBOOT=Supress /qn
REM *** MSI Uninstall Adobe Reader 9.0
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A90000000001} REBOOT=Supress /qn
REM *** MSI Uninstall Adobe Reader 9.1
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A91000000001} REBOOT=Supress /qn
REM *** MSI Uninstall Adobe Reader 9.2
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A92000000001} REBOOT=Supress /qn
REM *** MSI Uninstall Adobe Reader 9.3
msiexec.exe /x {AC76BA86-7AD7-1033-7B44-A93000000001} REBOOT=Supress /qn
REM *** Zap Uninstall Adobe Reader 6
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A00000000001}
REM *** Zap Uninstall Adobe Reader 7
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A70900000002}
REM *** Zap Uninstall Adobe Reader 8.0
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A80000000002}
REM *** Zap Uninstall Adobe Reader 8.1
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A81000000002}
REM *** Zap Uninstall Adobe Reader 8.1.4
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A81300000003}
REM *** Zap Uninstall Adobe Reader 9.0
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A90000000001}
REM *** Zap Uninstall Adobe Reader 9.1
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A91000000001}
REM *** Zap Uninstall Adobe Reader 9.2
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A92000000001}
REM *** Zap Uninstall Adobe Reader 9.3
"%~dp0msizap.exe" TW! {AC76BA86-7AD7-1033-7B44-A93000000001}
Tags: , , , , , , , Posted in ConfigMgr, Deployment, Scripting, Software
8 responses » | June 30th, 2010 by Tom |

Adobe Flash Player ActiveX Enterprise Deployment.

Update: You might want to check out this more recent article which discusses a more reliable method of installation for SCCM users, along with blocking auto updates with scripting and Group Policy, if transforms aren’t your bag.

Another day, another Adobe related software update. Today I recieved a security bulletin notifying me of a critical update to the Adobe Flash player software. When this happens, I usually have a handful of days to prepare the update for mass deployment through ConfigMgr. The new version (10.1.53.64) is available through the Adobe website, and if you have applied for a distribution license, you can grab the MSI right now!

Unfortunately, Adobe still have not taken the time to create a reliable MSI installer, so we are still left with having to workaround the little annoyances. The main issue I face is getting Adobe Flash Player to disable its automatic update feature, since we do not want our clients going out to the big bad interwebs and pulling down all sorts of untested updates.

To remedy this, I create a text file named mms.cfg, which needs to be placed into %windir%\System32\Macromed\Flash.  The cfg file only needs to contain one line, shown below.

AutoUpdateDisable=1

Now we have the config file created, all that’s left is to create a transform file (MST) based on the downloaded MSI, which drops the config file into the location above during install. For those of you who aren’t familiar with transforming a MSI file, you can execute the following command to do so.

msiexec.exe /i "install.msi" TRANSFORMS="transform.mst" /qb RebootYesNo="No" Reboot="ReallySuppress"
Tags: , , , Posted in Deployment
No responses » | June 14th, 2010 by Tom |