We have 300 pc's (two locations).
Each PC originally had Adobe Flash on the image.
Only 20% of the PC's can 'surf the net'
We use Microsoft Threat Management Gateway for as our 'isa proxy server'.
1. What's the best way to keep flash up to date without being burdensome: should we download the fresh MSI and deploy via active directory each time adobe fixes a bug? Does adobe update its MSI each time they fix a bug? Is is reasonable to deploy a flash update to maybe 10 pc's, and if nothing catastrophic happens after 1 day, release it to all users? (I've never heard of a flash update trashing a pc - in contrast to windows updates which of course can).
2. Alternatively, should we let the clients just poll adobe on reboot (or whenever it checks), and them them download updates that way? Our concern is if requires user interaction, it won't happen. Is there a registry key or something which can make the updates 'just happen'?
3. I'm concerned that the non-surfing pc's have old, security bug plagued versions of flash; we don't keep flash up to date. Should I be concerned about malicious flash content arriving via email to these non-surfing pc's and getting them infected? Is this a threat vector which we should address?
Thanks for any suggestions for making flash deployments less terrible,