Can we boycott Flash? Need help getting it installed.

I am having major headaches getting Flash 11 installed onto our computers.  My users do not have Administrator access, so centralized installation is required.  IE is the default browser for all computers and must remain so.

I started with the Group Policy route with no success.  Troubleshooting revealed that Adobe has a major problem with the .msi file they distribute.  It kicks up an error message that bombs out the install.  Based on research, this problem only seems to show up when upgrading from a previous GP install.  I found some scripts reporting to successfully correct the problem and install the .msi, but these methods did not work with the V11 .msi.

So I abandoned that route and moved to installing with Software Update Services.  The install itself went fine......

...but Flash does not work on half of the computers!  More specifically, Flash is not detected by websites.  The only way I've found to fix so far is by going to the problem computer, logging in as Administrator, then manually installing.  This is not a viable option.

Does anybody know how to make this piece of, ahem excuse while I bite my tong...  work?

Thanks!
mds-cosAsked:

DonNetwork AdministratorCommented:
There's a way you can elevate specific applications to be updated by limited users


http://www.scriptlogic.com/products/privilegeauthority/


You can use the free version
0

ZouleousCommented:
Hmm...I've never done this, but you might be able to schedule a task via group policy preferences.  It can be an immediate task as well.  For the account specify Builtin\System of the local computer (not the domain).  Then for the command use something like this:

msiexec.exe /i "MyProgram.msi" /qn

You could also call a script that would handle the install and then maybe copy the install log back to a share for you.  That way you at least know what's been done and how successful it was.

I'm not sure how many computers you're talking about, but this is really where good deployment software comes in handy.  The problem with doing it with Group Policy or even this way would be you don't get any feedback as to what happened (success or failure of installations).  Also no idea how much of it has been completed..etc...etc.

I'm in a fairly small organization so something like Microsoft's "System Center Configuration Manager" is a little overkill and overly complicated.  They also have a lite version of all their System Center products all rolled in to one for small-medium businesses called "System Center Essentials".  I tried Essentials since it sounded exactly like what I wanted, but I found that it sucked.  It does app deployment through WSUS and I really hated the implementation.  I'm currently looking at a product called Specops Deploy/App.  So far I like what I see.  It uses existing Group Policy infrastructure and seems fairly easy to use.  It allows you to deploy any kind of app or update (not just .msi packages) and gives reporting as to the status of the deployments.

http://www.specopssoft.com/products/specops-deploy
0
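
The wrapper script suggested in the post above, sketched in PowerShell as an added example (not code from the thread or from Adobe). The share paths are hypothetical, and the signature check is an addition that is sensible for anything launched as SYSTEM from a network share.

```powershell
# Added example, not from the thread. Meant to be run by a scheduled task as SYSTEM.
# $Msi and $LogShare are hypothetical locations; adjust them to your environment.
param(
    [string]$Msi      = '\\fileserver\deploy\install_flash_player_11_active_x_32bit.msi',
    [string]$LogShare = '\\fileserver\deploylogs'
)

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$localLog = Join-Path $env:TEMP "flash_install_$($env:COMPUTERNAME)_$stamp.log"
$exitCode = $null

# The package will run with SYSTEM rights, so refuse it unless its signature verifies.
$sig = Get-AuthenticodeSignature -FilePath $Msi -ErrorAction SilentlyContinue
if (-not $sig -or $sig.Status -ne 'Valid') {
    $result = "Blocked: package missing or signature status '$($sig.Status)'"
}
else {
    # Same switches as quoted in the thread: silent, verbose log, no forced reboot.
    $msiArgs  = '/i "{0}" /qn /l*vx "{1}" REBOOT=ReallySuppress' -f $Msi, $localLog
    $proc     = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    $exitCode = $proc.ExitCode

    # Standard Windows Installer exit codes.
    $result = switch ($exitCode) {
        0       { 'Success' }
        1641    { 'Success, reboot initiated' }
        3010    { 'Success, reboot required' }
        1603    { 'Fatal error during installation' }
        1618    { 'Another installation is already in progress' }
        default { "Failed with exit code $exitCode" }
    }
}

# One status file per computer avoids lock contention on a shared file.
$status = '{0},{1},{2},"{3}"' -f $env:COMPUTERNAME, $stamp, $exitCode, $result
try {
    Set-Content -Path (Join-Path $LogShare "$($env:COMPUTERNAME).status.txt") -Value $status -ErrorAction Stop
    if (Test-Path -LiteralPath $localLog) {
        Copy-Item -LiteralPath $localLog -Destination $LogShare -ErrorAction Stop
    }
}
catch {
    # Share unreachable: keep the status next to the local log instead.
    Add-Content -Path (Join-Path $env:TEMP 'flash_install_status.txt') -Value $status
}

# Treat 0, 1641 and 3010 as success for the task's own result code.
if ($exitCode -eq 0 -or $exitCode -eq 1641 -or $exitCode -eq 3010) { exit 0 } else { exit 1 }
```

A task running as SYSTEM reaches the network as the computer account, so the package share needs read access for the computer accounts and the log share needs write access for them. Keep the package share read-only for ordinary users, since whatever sits there is executed with SYSTEM rights.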
mds-cosAuthor Commented:
dstewartir -- unfortunately that does not help with centralized deployment.  If I elevate the privileges, my users still have to do the install themselves.

Zouleous -- to do that I would have to use the Adobe .msi installation package, which is horribly broken.  This is what I tried to use for Group Policy installation.  Fortunately, I know a whole lot about this so was able to very quickly realize that the problem was not my policy but something else.  Tried to manually run the .msi and presto, error message.


The bottom line problem is that Flash did in fact deploy.  I can go into the logs of my deployment software (which like SCE / SCCM ties into the WSUS api to do the actual deployment) and see that it successfully installed to every computer except 1.  I know what caused the failure at that 1 computer, which is not related to the larger problem of flash not working.

At problem computers I can go to add / remove programs and see it right there, installed.  But Adobe's installation package obviously did not install correctly -- I'm guessing somewhere the hooks into IIS failed.

With the hoops Adobe makes people jump through to do a centralized deployment, it seems like they could provide an install package that works just as well as their web-centric deployment.

0
ZouleousCommented:
Where it hooks in to IIS?  Not sure what you mean by that...unless you mean IE
0
ZouleousCommented:
This is the line I use when I build it in to my OS image, but that's using the msi as well.

msiexec.exe /qb- /l*vx "%LogPath%\install_flash_player_11_active_x_32bit.log" REBOOT=ReallySuppress /i "install_flash_player_11_active_x_32bit.msi"


So when you redo it manually are you just visiting their site and installing online?
0
mds-cosAuthor Commented:
Works fine for a clean install.  Error only shows if you have a previous version of Flash installed.  Based on research I've done, it shows up for people who deployed an older version of Flash using GP and are now trying to update to V10 or V11 using GP.


Yes, when I redo manually I'm just hitting the site and letting it go through the normal "I'm a home user" method.  All A-OK then.
0
ZouleousCommented:
If it works fine for a clean install then I would try something like what I mentioned above.  Write a script that does something like this

(uninstalls existing Flash)
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_1_102_ActiveX.exe -maintain activex

(installs new Flash)
msiexec.exe /qb- /l*vx "%LogPath%\install_flash_player_11_active_x_32bit.log" REBOOT=ReallySuppress /i "install_flash_player_11_active_x_32bit.msi"

then maybe use group policy to push it out.
0
mds-cosAuthor Commented:
Sadly, that does not work.  Went that route already.  I figured since the error occurs with an upgrade I could simply run an automated uninstall on all systems then push out the install GPO.  Get the same error!  Apparently something gets left behind on the uninstall.
0
ZouleousCommented:
Did you reboot between uninstall/reinstall?

What command did you use to  uninstall?
0
uboundCommented:
I do all my updates using WSUS + LUP (see this thread: http://www.experts-exchange.com/ITPro/IT_Administration/Q_27481854.html).  This has worked well to-date, but I have to confess, I haven't tried the v11 Flash yet.

The thing I like about WSUS + LUP (aside from the fact that they are free) is that they provide reporting if updates fail.  Something GPO distribution is a bit short on.

WSUS + LUP also lets you run cmd files for your update.  I mention since apparently that may be required to solve your problem.

Also, are you using the MSI from http://www.adobe.com/products/players/fpsh_distribution1.html



0
mds-cosAuthor Commented:
WSUS is what I'm doing ("Software Update Services" from my original question).  And, as it happens, I am also using LUP to manipulate the WSUS API.

You are not permitted to provide that download link per Adobe licensing agreements -- so we will probably need to have a moderator delete it.  But yes, I did download the .msi from Adobe via the link they provided after I agreed to their license for local distribution.  Of course, the .msi I used when I was working with the Group Policy route.

For Software Update Services I am importing the updates using the link provided by Adobe.
0
uboundCommented:
Actually, I believe that is the link you *can* distribute.  From the Adobe email I received:

"You may direct others to http://www.adobe.com/products/players/fpsh_distribution1.html to request distribution rights."

The link you *can't* distribute is different (obviously I'm not going to specify...).
0
mds-cosAuthor Commented:
Oh - sorry!  You are absolutely correct!
0
uboundCommented:
Don't scare me like that.  I was panicking.  Anyway, moving on...

I hadn't tried installing Flash 11 until today.  I just tried using LUP to install v11.001.102.055.

Since I didn't want to wait for the nightly install (still several hours from now), I logged in as a non-administrative user, and ran WUAPP.  It showed the flash update, which I told it to install.  It did.

From there I went to the Flash troubleshooting page (http://kb2.adobe.com/cps/155/tn_15507.html) (and don't give me any grief about this link!), which showed the correct version.

As near as I know, running WUAPP as a non-admin works the same as letting it run automatically (http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/b79d65aa-2868-4cc8-a964-3f2e81be4694).

In sum, this appeared to work for me.  Unless there's something else I should look at?  I'm trying to think what you may be doing different.

- Are you using exactly the same version I am?  Maybe adobe fixed this?
- Could users have IE open when your updates run?
- Are you using any transforms like the one described at LUP (https://sourceforge.net/apps/mediawiki/localupdatepubl/index.php?title=Creating_Configuration_files_during_installation.)?
- Maybe I need to wait for the nightly install (rather than running WUAPP) to see the problem you are having?
- I did *not* use the SMS package Adobe provides.  I created my own package.  You?
0
mds-cosAuthor Commented:
I think my issue stems from having used Group Policy to push out Flash for the past 3 years.  In researching, I found that people started having problems around Flash 10 (which is where I started seeing some install failures).

- No, did not create my own SMS package.  This could also be the key.  Did you create your package based on the .msi file provided by Adobe, or extract from the standard install from http://www.adobe.com/flashplatform/?

- For version, I'm using whatever the latest version is from when I originally posted this.  I'll check to see if they put something else out there as a last ditch.
- I suppose some of the users could have IE open.  But not as many as are affected by this problem.
- No, no transforms.  Just the plain vanilla from Adobe.
- Hopefully you will not have this problem with any of your installs ;-)  It is frustrating!

Adobe support has not been able to give me any help.  I'm still sending them various logs and such.  But at this point, I have too many other priority items so decided I'm going to enlist the help of my users.  I've set up my GP to give everybody local administrator rights to their computer.  Today I'm sending a message to anybody who has problems (which it turns out is the majority of my folks) to go to http://www.flash.com and install flash from there if necessary.  Hopefully this will clean up whatever is killing my central installs, and I can successfully use GP or WSUS for the next update.

Here is the real kicker.  Several weeks ago I told everybody to visit http://www.adobe.com/software/flash/about/ and report back their Flash version.  Of course not everybody did, but I got a lot of responses.  Many of the people who responded can not view Flash (any Flash enabled site reports that they must install Flash Player).  But the about page reports that they have Flash 11 installed!  So weird.


When I get some stuff off my plate, I think I will try creating my own SMS package.  You just know that some of my users will fail to follow instructions I send today, so I will undoubtedly get a call next month with an "emergency" of somebody who has to view a Flash site but can't do it.  If that works, I'll abandon Adobe's "official" packages.
0
uboundCommented:
That (unmentionable) link has an MSI file.  I used that, and created my own package around it.  I did NOT use the one described as "Import SCCM/ConfigMgr SCUP Catalog," even though I believe LUP will read it to automatically create an update.

I do use a transform to create the MMS file that turns off auto-updating of flash.  Since my users don't have rights to install it anyway, there's no point in burning the cycles or bandwidth.

I don't know what other help I can offer.  Flash 11 is working for me (so far).  I suppose I could look at those log files if you wanted to post them.
0
mds-cosAuthor Commented:
LUP does automatically import from Adobe.

Hmmm...the .MSI file from the (unmentionable) link is the one I used for Group Policies.  So it is the one that screwed me up somewhere along the line.  Like I said, I used to extract the .MSI by downloading from the public-side Adobe page then deploying that.  Never had any issues there.  I did that because (ahem) I was a bit slow on the licensing paperwork so didn't have the back-side link.

Starting with V10.0 I used the Adobe provided .MSI.

Log files are totally useless as far as I can tell.  They indicate a successful install.  I think that is why Adobe is not able to help me here.  Everything shows that Flash 11 was installed successfully.  Just when the affected users try to actually use it web sites say that Flash needs to be installed.

Thanks for your thoughts on the issue.  Updating the rights and telling users to go to www.flash.com is working for us.  I am seriously rethinking my old-school stance of not providing users with administrative rights to the local computer.  Seems like the stuff I *don't* want on our systems manages to install just fine without admin rights.  While the stuff my users need to do their jobs is a constant administrative task to install and keep updated.
0
DonNetwork AdministratorCommented:
By "Updating the rights and telling users to go to www.flash.com is working for us."

do you mean you used privilege authority ?  http:#a37276688
0
uboundCommented:
That's not the direction I'd go, but it's obviously not my call.  LUP updates have been working well for me for a long time now.

I do create local admin accounts for certain staff members who request it.  But doing this at the domain level means they would have admin rights to *all* computers (not exactly ideal).  So, when they need to do admin-y things, they log in as a local admin on their machine, install their software, then log back in with their domain credentials.

As for the stuff that shouldn't run at all, I've been turning on Software Restrictions.  In brief, I only allow programs in Program Files and Windows directories permissions to run, and only Administrators have rights to write to those folders.  So, when someone downloads who-knows-what from who-knows-where, they can't execute it.  Or when they bring in flash drives or CDs from home with whatever-the-heck, that won't run either.  Allowing an exception for local admins means that if they *really* want to run things, they can.  But the extra hassle helps minimize the frog-in-a-blender stuff.

It is also an imperfect system, but it does seem to cut down on the junk.
0
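
The path rule described in the post above rests on the premise that only Administrators can write under Program Files and Windows. The following PowerShell audit checks that premise on a given machine. It is an added example, not code from the thread; the list of trusted SIDs is an assumption to adjust for your environment.

```powershell
# Added example, not from the thread: list folders under the allowed execution
# paths where an unexpected principal holds write access.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ } | Select-Object -Unique

# Well-known SIDs that are expected to hold write access (assumed baseline).
$trusted = @(
    'S-1-5-18',       # Local System
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$writeBits = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Get-UnexpectedWriter {
    param([string]$Path)

    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries do not apply to this folder itself; its children
        # are checked on their own when the walk reaches them.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (-not ([int]$ace.FileSystemRights -band $writeBits)) { continue }

        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }

        # Resolve the SID to a readable name where possible.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        New-Object PSObject -Property @{
            Path    = $Path
            Account = $name
            Sid     = $sid
            Rights  = $ace.FileSystemRights
        }
    }
}

$findings = foreach ($root in $roots) {
    Get-UnexpectedWriter -Path $root
    Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-UnexpectedWriter -Path $_.FullName }
}

$findings | Sort-Object Path | Format-Table Path, Account, Rights -AutoSize
```

Run it elevated so the ACLs are readable. Each row is a folder the path rule trusts but a non-administrator can write to, so either tighten that ACL or add a disallow rule for the folder.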
DonNetwork AdministratorCommented:
"That's not the direction I'd go" ???


I wouldn't give any users local admin rights either, there's no need if you use "Privilege Authority"....don't knock something till you've tried it.
0
uboundCommented:
Sorry dstewartir, my response was intended as a reply to mds-cos who was saying that he was considering giving full admin rights, full time to his users.  Not the way I'd go.

I know nothing about Privilege Authority (other than it is not free), so I have no comments either for or against it.
0
mds-cosAuthor Commented:
Oh, I love this!  I think I am going to open up a new discussion for this point.  I'll close this question shortly since we don't seem to be finding a resolution.  I have found in my research that other people are experiencing this problem, all seeming to go back to the Adobe .msi and Group Policies.  The primary fix I found was a registry hack, but didn't work for V11.  I thought switching to WSUS would resolve, but it did not.

I am an old fart myself, so have staunchly held to "When Hell freezes over" on the question of giving users local admin rights to their system.  Say, is it getting cold in here? ;-)  I do not plan on leaving users at local admin level for more than a couple weeks (give everybody time to update their Flash), but honestly have started thinking very seriously about doing so.

For some environments, I understand that Hell has not frozen over so there is no way I would go this direction.  And honestly, I "grew up" in the type of Enterprise environments where I would never consider giving users local admin....

...but stepping out of my IT shell, I am seriously questioning old wisdom of never giving users more than "Power Users" in most environments.  Especially in the small business sector where the administrative burden of getting around lack of user admin privs seems to outweigh the potential downsides of just letting them have it.

This experience has basically been the straw that is tipping me.  IT spends hours figuring out how to get around no admin privs for the laundry list of things Users legitimately need.  When I stop to really think about it, I am not sure this is time well spent when measured against the possible downside of just giving a user local admin.  Totally resolves program updates and home printers (to name just a couple of things our users need).

I have always held to “data does not belong on the PC – if a desktop issue cannot be resolved in 15-30 minutes the system gets re-imaged to standard build”.  So if a user does install something that makes the system go haywire no big deal.  Our company policy is clear about users loading software, so if IT shows up to a problem system and even sees unauthorized software we spend 0 time troubleshooting.  Just throw in the boot disk and let the system re-image.
0
uboundCommented:
"IT spends hours figuring out how to get around no admin privs for the laundry list of things Users legitimately need."

There could legitimately be a discussion here.  I'd be interested to read your laundry list.

However, I don't believe that depending on users to remember/choose to install security fixes for the software on their computer falls in this category.  Flash, Java, iTunes et al periodically find actual security holes in their products which require upgrades to fix.  This means (IMO) that regardless of what you do with admin rights, you are still going to need to find dependable ways to centrally distribute and maintain updates.

While it is (apparently) too late for your needs, probably the next thing I would have investigated would be "does uninstalling the old version before installing the new version resolve the problem?"  Since (with a little effort) you can run batch files from LUP, this might have been a solution.

Where are you reading about people trying to solve this "GPO installed Flash" problem?
0
mds-cosAuthor Commented:
The answer to the question is no, this does not fix.  Actually, I believe the uninstall is at the root of the overall issue.  Going to add/remove programs on a problem system to remove V10 brings up an error message stating that InstallAX.exe is not marked for installation.

Attempting to install V11 from the .msi produces the exact same error message.

BUT --  Going to www.flash.com and doing a standard (vs. centralized) install of V11 DOES NOT produce the error message!  Everything installs just fine and at the end V10 is properly uninstalled!

I found a fix for the uninstall problem out on another discussion thread that involved running a script to delete V10 files and delete the registry keys (I tried the Adobe uninstall utility, but there was an issue with that...don't rightly recall exactly what the problem was).  Pushed this script out and V10 was uninstalled from all of our computers, but the V11 .msi file provided by Adobe would still not install (trying to push via Group Policy or running manually at the user's computer).  That is when I decided to move to WSUS.

WSUS successfully installed V11 according to every log I look at -- can even see V11 installed in Add/remove programs.  But as I have stated, Flash does not work when visiting a website that requires Flash.


In retrospect, I should have thought to extract a .MSI from the website version of the install.  Maybe that would have pushed out successfully from GP.  It is too late now though.  This "fix" of temporarily giving users local admin rights then having them go get Flash themselves is working well.  Absolutely no complaints from any users, and spot checking shows that they are actually doing it.



I've gone through a lot of discussion threads, but here are a few:

http://faultbucket.ca/2010/12/adobe-flash-gpo-deploy-error-installax-exe/

http://www.gregorystrike.com/2011/08/16/adobe-flash-player-%E2%80%98fp_ax_msi_installer%E2%80%99-installer-error-script/

http://forums.adobe.com/thread/707685
0
mds-cosAuthor Commented:
So we didn't get a solution to my specific problem, but awarding points for good discussion and ideas.

Certainly a couple ways presented here that would work for deployment of Flash.
0