共用方式為


How to Create a Configuration Item and Baseline to Disable Adobe Flash Player Automatic Updates

Updated Post: https://blogs.technet.com/b/brandonlinton/archive/2014/01/03/compliance-baseline-for-adobe-flash-player-configuration-settings.aspx

 In this post i am going to go over how to disable Adobe Flash Player Automatic Updates with a CI item and Baseline.  In a follow up post i will walk through the steps to Deploy and maintain Flash Player Patches via System Center 2012 Configuration Manager and System Center Updates Publisher 2011.  By leveraging Compliance Settings in ConfigMgr we can easily track compliance and remediation of the Adobe Flash Player Automatic Updates mms.cfg file across the enterprise.  Every admin has his own way of getting this out to the enterprise and each has its trade offs.  Personally i feel this is the simplest way to achieve this and retain flexibility of how i deploy Flash Player.

At the end of this post you can find  "Disable Adobe Flash Player Automatic Updates.zip" file which can be used to import the CI and Baseline directly into your Compliance Settings Node of the Console.

Guidance on how to configure Adobe Flash Player Auto Updater can be found at: https://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html

 

1)      Open the ConfigMgr Console and Expand Assets and Compliance --> Compliance Settings --> Configuration Items and select “Create Configuration Item” from the ribbon.

 

 2)      In the Create Configuration item wizard fill out the Name, Description and assign an appropriate category and select next.

 

 3)      On the Supported Platforms screen select any OS level you would like this CI to be evaluated against and select Next.

 

 4)      On the settings screen select New.

 

 5)      In the Create Settings screen supply a Name, Description, Set the Setting Type = “Script” and the Data Type = “Boolean”.

 

 6)      Select Add Script under Discovery Script.

 

7)      In the Edit Discovery Script screen select VBScript and paste in the code at the end of this article and select ok.

 

8)      Select Add Script under Remediation Script.

 

9)      In the Edit Remediation Script screen select VBScript and paste in the code at the end of this article and select ok.

 

10)   Click on the Compliance Rules tab and select New.

 

11)   On the Create Rule screen enter a Name, Description, select warning for the noncompliance severity for reports and ensure to check the box marked “Run the specified remediation script when this setting is noncompliant” and select OK.

 

12)   Select OK to apply the settings.

 

13)   Select Next on the Settings screen.

 

14)   On the Compliance Rules screen select Next.

 

15)   Select Next on the Summary screen.

 

16)   Select Close on the Completion screen.

 

17)   Select Configuration Baselines from the left pane.

 

18)   Supply a Name, Description and assign an appropriate category for the Configuration Baseline.

 

19)   Select Add --> Configuration Items to add Configuration Data to the Baseline.

 

20)   Select add and then choose the CI that was just created and select OK.

 

21)   Select OK to save your Configuration Baseline.

 

22)   Right Click the newly create Baseline and select Deploy.

 

23)   Select Remediate noncompliant rules when supported and configure your schedule to fit your needs.

 

24)   Select Browse to choose your desired collection to deploy to. Select Device Collections from the drop down menu and choose your desired collections and select OK.

 

25)   Select OK to save changes.

 

26)   On your client system you can see that the Baseline has been applied but has not evaluated yet.

 

27)   You can also see that the mms.cfg file does not exist.

 

28)   Click Evaluate and you will now see that the Baseline is Compliant.

 

29)   You will also see that the folder structure has been created and the mms.cfg file with AutoUpdateDisable=1 is created inside the folder structure.

 

Discovery Script:

 

 Dim sFilePath, oWindir 
 Set oShell = CreateObject("WScript.Shell") 
 Set fso = CreateObject("Scripting.FileSystemObject") 
 Set oArch = oShell.Environment("System") 
 oWindir = oShell.ExpandEnvironmentStrings("%WINDIR%") 
 
 Select Case LCase(oArch("PROCESSOR_ARCHITECTURE")) 
 Case "x86" 
 ' x86 
 sFilePath = oWindir & "\System32\Macromed\Flash\" 
 Case "amd64" 
 ' amd64 
 sFilePath = oWindir & "\SysWOW64\Macromed\Flash\" 
 Case Else 
 ' other 
 Wscript.quit(1) 
 End Select 
 
 If fso.FileExists(sFilePath & "mms.cfg") Then 
 Wscript.echo "TRUE" 
 'Wscript.echo "File Exists! " & sFilePath & "mms.cfg" 
 Else 
 Wscript.echo "FALSE" 
 'Wscript.echo "Cant Find File! " & sFilePath & "mms.cfg" 
 End If

 

 Remediation Script:  
  
 Dim sFilePath, oWindir 
 Set oShell = CreateObject("WScript.Shell") 
 Set fso = CreateObject("Scripting.FileSystemObject") 
 Set oArch = oShell.Environment("System") 
 oWindir = oShell.ExpandEnvironmentStrings("%WINDIR%") 
 
 Select Case LCase(oArch("PROCESSOR_ARCHITECTURE")) 
 Case "x86" 
 ' x86 
 If NOT fso.FolderExists(oWindir & "\System32\Macromed") Then 
 fso.CreateFolder(oWindir & "\System32\Macromed") 
 End If 
 
 If NOT fso.FolderExists(oWindir & "\System32\Macromed\Flash") Then 
 fso.CreateFolder(oWindir & "\System32\Macromed\Flash") 
 End If 
 sFilePath = oWindir & "\System32\Macromed\Flash\" 
 Case "amd64" 
 ' amd64 
 If NOT fso.FolderExists(oWindir & "\SysWOW64\Macromed") Then 
 fso.CreateFolder(oWindir & "\SysWOW64\Macromed") 
 End If 
 
 If NOT fso.FolderExists(oWindir & "\SysWOW64\Macromed\Flash") Then 
 fso.CreateFolder(oWindir & "\SysWOW64\Macromed\Flash") 
 End If 
 sFilePath = oWindir & "\SysWOW64\Macromed\Flash\" 
 Case Else 
 ' other 
 Wscript.quit(1) 
 End Select 
 
 If NOT fso.FileExists(sFilePath & "mms.cfg") Then 
 Set strm = CreateObject("ADODB.Stream") 
 With strm 
 .Open 
 .CharSet = "UTF-8" 
 .WriteText "AutoUpdateDisable=1" 
 .SaveToFile (sFilePath & "mms.cfg"), 1 
 .Close 
 End With 
 'Wscript.echo "Creating File! " & sFilePath & "mms.cfg" 
 Else 
 'Wscript.echo "File Exists! " & sFilePath & "mms.cfg" 
 End If
  

 Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified
in the
Terms of Use .

Disable Adobe Flash Player Automatic Updates.zip

Comments

  • Anonymous
    January 01, 2003
    I am able to find out we require to enter another value SilentAutoUpdateEnable=0 (.WriteText "AutoUpdateDisable=1" & VbCrLf & "SilentAutoUpdateEnable=0"), However one thing i am not able to find out is that in some users with XP machines some have the mms.cfg file already there , this script doesnt work on those any suggestions how we can modify the script so that if mms.cfg changes as per the new mms.cfg settings in machines where mms.cfg file already exist with wrong values.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    You could do one of two things either setup your detection rule so that it never evaluates to true causing the script to always be copied down or you could also modify the detection script to also do a ReadLine and check for compliance in the file itself then copy the file down if not compliant. http://technet.microsoft.com/en-us/library/ee198708.aspx I might revisit this and add the additional detail into an updated Powershell version of the script as i am moving everything over to POSH as the days of XP come to an end.

  • Anonymous
    January 01, 2003
    Great post and am looking to implement this over the next week or so. Thank you. Looking forward to your follow up post you mentioned, if you still plan on writing it.

  • Anonymous
    November 13, 2013
    Great post, defintely going to try it out.

  • Anonymous
    November 26, 2013
    Did not change the settings for the cfg file if it already existed. Ran and I still show it as set to 0

  • Anonymous
    January 03, 2014
    Last year i wrote a blog post here http://blogs.technet.com/b/brandonlinton/archive/2013/03/30/how-to

  • Anonymous
    February 25, 2014
    Hey I'm trying to figure out how to set the detection rule so that it never evaluates to true, any help would be great thanks.

  • Anonymous
    February 26, 2014
    I read right past it thanks for the update it's a very good article.

  • Anonymous
    April 22, 2014
    Thanks! works great.

  • Anonymous
    May 07, 2014
    Umm why paste the text of a URL on a web page with no hyperlink?? Better yet, why not just edit this post?