The normal download page from Adobe for the flash player offers only installers as exe-files.
It is not possible to extract an MSI-file from the installer with a tool like 7zip, because the installer isn't internally based on msi, instead the msi (see below) is a wrapper around the exe.
Adobe does offer a web page with download links for msi-files, but they don't allow to publish the address of that page, or the download links to the files, or the files. Instead they demand that you register with them before they allow you to to deploy flash player to other computers (read their EULA).
Registration is free and requires only answering a few harmless questions. The registration is valid for one year, then you must register again. They will send you an email with a reminder before the registraion expires.
To register, go to the normal download page, look in the right column under 'Resources', and click on 'Distribute Flash Player'. Shortly after finishing the registration, their server will automatically send you an email with links to special admin webpages and direct download links to the msi-files.
In the MSI-files that you get, these properties are already set:
They cause the software to be installed per machine, not per user, and they disable the button in "system control" > "add/remove programs" to modify that installation.
I recommend that you add:
This forbids local removal of the software through add/remove programs in system control.
Here I usually include a short message telling that this software has been automatically deployed from the server and hence cannot be modified locally.
Additionally I personally prefer to update the property
This property is set to 'Adobe Flash Player 11 Plugin'. I always replace the '11' inside that string with the full version number, taken from property ProductVersion. Reason for this change: the GPO Editor of Windows Server uses the value of this property as default for the name for the software package. If you have the new and one or more old versions in one GPO, they are hard to distinguish when they all have the same name.
The installer can check if it is the current version.
That check would cause problems if some computer was sitting switched off for a while (e.g. during holiday), a new version has just come out, but you haven't yet updated the GPO to deliver that new version. If now that computer is switched on, it will uninstall the previously installed version, but then fail to install the last one.
Thus you should change this property:
This property comes set to 1. Change the value to 0 (zero).
If you don't have a tool like Orca to do that modification, you may download my AdobeFlash NoUpdateCheck.vbs and simply drag and drop a msi file onto that script file. This will change the property from 1 to 0. Works for both the ActiveX variant (for Internet Explorer) and for the Plugin variant (for Firefox and others).
Version 11.2 and later contains an automatic updater, that runs as service. Thus the user does not need to have admin rights for the updater to do its work. Simultaneously Adobe introduced filenames that contain the version number.
I expect this to cause problems in an environment with automatic software deployment. Thus you should disable the automatic updater.
Adobe writes in the admin guide that the msi installer does not activate this updater. But to be on the safe side, I disable it nevertheless, especially because it does create the file FlashPlayerUpdateService.exe, and the service "Adobe Flash Player Update Service".
Place the file here:
Starting with version 11.3, the installer contains both the 32 and the 64 bit version, and when running in 64-Bit Windows it will install both versions, which will both use the mms.cfg file from the directory SysWow64.
You may want to add some more options to the file mms.cfg, for example the blog
recommends to add these options for privacy reasons:
LocalStorageLimit = 1
AssetCacheSize = 0
ThirdPartyStorage = 0
AssetCacheSize = 0
LegacyDomainMatching = 0
LocalFileLegacyAction = 0
This is from part two of a series of posts about Flash, the other parts are: 1, 3, 4, 5.
Usually one should not deploy software without first testing it on one machine. That test should include install, uninstall and reinstall. I do this by adding the new version to a test-GPO, then removing it, then adding it again. If done like this, the uninstall step causes the machine to reinstall the previous version, because I haven't removed that yet from the GPO. This procedure works with all software except with Adobe Flash for ActiveX.
Trying to downgrade flash player for ActiveX to an older version triggers Windows Installer Error 1722 and the file FlashInstall.log says that it got error "0001 [E] 00001013" when trying to execute "InstallAX.exe -install -msi".
The reason is that the uninstaller purposefully leaves a registry entry behind, that prevents later installation of an earlier version. If you want to do that, you must remove the registry values 10 and 11 in the key HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions. One way to do this is to download flash-allow-reinstall.reg and double-click it. Or just remove the whole key using flash-allow-reinstall-new.reg.
Adobe added a section to the admin guide titled "Manually Uninstalling Flash Player on Macintosh".
Adobe added some clarifications in the admin guide regarding the auto-updater.
The release notes for version 11.9 list no new features for Windows (except maybe "Safe Mode in Safari 6.1 and higher"), otherwise this received "only" normal bug fixes, no security issues. The version for MacOS got a new installer. All other new features are only for Android and iOS. In the Admin Guide for 11.9 I found only one change compared with 11.8: the section "DMG Installation for Macintosh" was replaced by two sections "PKG Installer for Macintosh" and "App installer for Macintosh".
Comparing the administration guides for versions 10.7 and 10.8, I found as the only difference two new options for the config file mms.cfg: DisableHardwareAcceleration and UseWAVPlayer.
According to the release notes of 11.7 the only new feature in the Windows variant is "Sandboxing enhancements".
There is only one difference in the contents between administration guides for versions 10.5 and 10.6:
An updated screenshot on page 40, replacing 'Macromedia' with 'Adobe'.
Read the Flash Player Administration Guide.
Adobe doesn't tell many details about this. Here is what I found out so far:
Adobe Air is installed on many machines without either their users, nor the admins knowing. If comes for example as part of Creative Suite, some versions of Acrobat, and some software from other companies as well. Almost every time Adobe fixes bugs in flash player, they fix the same bugs in Adobe Air as well. Please check if you have Air installed, and either remove or update it!.
Macromedia Flash Player got automatically installed with Windows XP, but does not get updates any more. If you have it installed, remove it! Look for a the file c:\windows\system32\Macromed\Flash\Flash6.ocx
Don't deploy Flash-ActiveX to machines running Windows 8. It's included in Internet Explorer.