In our previous post How to Uninstall Adobe Flash Player from Windows 10 with ConfigMgr (byteben.com) we reviewed the End of Life for Adobe Flash Player and what that meant for Windows 10 devices. We also stepped through a tutorial showing you how to deploy the update with ConfigMgr. Please review this post first as it contains a lot more detail about the update intention than this post does.
In this post, we will look at how to deploy the same update (KB4577586) using Intune and a Win32App.
The chances are that by the time you are reading this post Microsoft will have published the optional update to your WUfB. Ignore the rest of this post and go and drink tea…or take a peek anyway.
As in our previous post, where we deployed the update with ConfigMgr, there is a unique KB4577586 update for each Windows 10 version. I have decided to roll all the updates into a single Win32App and use PowerShell to handle the installation, so that a single script/app can handle all Windows 10 versions. The updates are only about 150kb each. You will need access to a WSUS console to download the updates in the correct folder format for the script to work. I have uploaded the updates to my GitHub repository, which you could use in your test environment: Windows-10/Flash Uninstall_Intune at master · byteben/Windows-10 (github.com)
The scripts are pretty simple. Please test them before using them in production. This update cannot be removed once installed which limits how much testing I could do in my lab.
One script installs the update that matches the OS architecture and ReleaseID, and the other is used as the application detection method.
Install_Flash_Removal_KB4577586.ps1
```powershell
<#
===========================================================================
Created on:    0/01/2021 13:06
Created by:    Ben Whitmore
Organization:  -
Filename:      Install_Flash_Removal_KB4577586.ps1
Target System: Windows 10 Only
===========================================================================

Version:
1.2
Fixed 20H2 coding error - Credit @AndyUpperton

1.1
Basic Transcript Logging added

1.0
Release
#>

#Set Current Directory
$ScriptPath = $MyInvocation.MyCommand.Path
$CurrentDir = Split-Path $ScriptPath

$Log = Join-Path $ENV:WINDIR "Temp\Flash_Uninstall.log"
Start-Transcript $Log

#Set WUSA.EXE Variable
$WUSA = "$env:systemroot\System32\wusa.exe"

#Get OS Release ID
$OS_ReleaseID = Get-ItemProperty "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion" | Select-Object -ExpandProperty ReleaseID

#Rename variable for Windows 10 20H2 ReleaseID because the same update is used for 2004/2009
If ($OS_ReleaseID -eq "2009"){
    $OS_ReleaseID = "2004"
}
$OS_ProductName = Get-ItemProperty "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion" | Select-Object -ExpandProperty ProductName

#Get OS Architecture
$OS_Architecture = Switch (Get-CIMInstance -Namespace "ROOT\CIMV2" -Class "Win32_Processor" | Select-Object -Unique -ExpandProperty Architecture) {
    9 { 'x64-based' }
    0 { 'x86-based' }
    5 { 'ARM64-based' }
    #Win32_Processor reports ARM64 processors as 12
    12 { 'ARM64-based' }
}

#Build OS Version String
$OS_String = ($OS_ProductName -split "\s+" | Select-Object -First 2) -Join ' '

#Build Patch Name String
$PatchRequired = "Update for Removal of Adobe Flash Player for " + $OS_String + " Version " + $OS_ReleaseID + " for " + $OS_Architecture + " systems (KB4577586)"

#Get Patch Titles
$PatchNames = Get-ChildItem $CurrentDir | Where-Object { $_.PSIsContainer } | Foreach-Object { $_.Name }

#Check if the patch has been downloaded for the current system
$PatchFound = $False

#Check Installation
$Patch = Get-Hotfix | Where-Object { $_.HotFixID -match "KB4577586" }
If ($Patch) {
    Write-Host "Patch Already Installed"
}
else {
    Foreach ($Patch in $PatchNames) {
        If ($Patch -eq $PatchRequired) {
            $PatchFound = $True

            #Get MSU from the correct Directory
            $MSU = Get-ChildItem (Join-Path $CurrentDir $Patch) -Recurse | Where-Object { $_.Extension -eq ".msu" }
            $MSUFullPath = Join-Path (Join-Path $CurrentDir $PatchRequired) $MSU.Name

            #Set WUSA Args
            $Args = @(
                """$MSUFullPath"""
                "/quiet"
                "/norestart"
            )
        }
    }

    #Patch detection determines outcome
    If ($PatchFound) {
        Write-Host "Patch found for this system"
        Write-Host "Patch Required: $($PatchRequired)"
        Write-Host "Patch Name: $($MSU.Name)"
        Write-Host "Installing Update..."

        #Install Patch
        Start-Process -FilePath $WUSA -ArgumentList $Args -Wait

        #Check Installation
        $Patch = Get-Hotfix | Where-Object { $_.HotFixID -match "KB4577586" }
        If ($Patch) {
            Write-Host "Patch Installed Successfully"
        }
        else {
            Write-Host "Patch Installation Failed"
        }
    }
    else {
        Write-Host "Patch not found for this system"
        Write-Host "Patch Required: $($PatchRequired)"
        Write-Host "Current System: $($OS_String) $($OS_ReleaseID) $($OS_Architecture) PC"
    }
}
Stop-Transcript
```
Detect_Flash_Removal_KB4577586_Intune.ps1
```powershell
Try {
    $Patch = Get-Hotfix | Where-Object { $_.HotFixID -match "KB4577586" }
    If ($Patch) {
        Write-Output "Compliant"
        Exit 0
    }
    Write-Warning "Not Compliant"
    Exit 1
}
Catch {
    Write-Warning "Not Compliant"
    Exit 1
}
```
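The install script hands whichever .msu sits in the matching folder to wusa.exe, and the Win32App runs it as System, so the staged files are worth checking before they are packaged, especially if they did not come from your own WSUS import. The following is an added example, not part of the original scripts: it confirms each update folder holds exactly one .msu with a valid Authenticode signature and records its SHA256. The function name, the `-ContentRoot` parameter and the "Microsoft Corporation" subject match are assumptions made for the example.

```powershell
# Added example (not part of the original scripts): validate the staged
# KB4577586 content before it is wrapped into the .intunewin file.
# Test-StagedUpdateContent and -ContentRoot are hypothetical names.
function Test-StagedUpdateContent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ContentRoot   # staging folder holding the update folders and scripts
    )

    # The install script selects an update by folder name, so check folder by folder
    foreach ($folder in Get-ChildItem -LiteralPath $ContentRoot -Directory) {
        $msu = @(Get-ChildItem -LiteralPath $folder.FullName -Recurse -File -Filter '*.msu')

        # The install script expects exactly one .msu below each update folder
        if ($msu.Count -ne 1) {
            [pscustomobject]@{
                Folder = $folder.Name; File = $null; Trusted = $false; SHA256 = $null
                Status = "Expected 1 .msu, found $($msu.Count)"
            }
            continue
        }

        $sig     = Get-AuthenticodeSignature -LiteralPath $msu[0].FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Folder  = $folder.Name
            File    = $msu[0].Name
            # Assumption: a valid chain plus a Microsoft Corporation subject is the acceptance rule
            Trusted = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
            SHA256  = (Get-FileHash -LiteralPath $msu[0].FullName -Algorithm SHA256).Hash
            Status  = [string]$sig.Status
        }
    }
}

# Run from the content staging folder before running IntuneWinAppUtil.exe
$report = @(Test-StagedUpdateContent -ContentRoot (Get-Location).Path)
$report | Format-Table Folder, File, Status, Trusted -Wrap

$rejected = @($report | Where-Object { -not $_.Trusted })
if ($rejected.Count -gt 0) {
    Write-Error "$($rejected.Count) update folder(s) failed validation; do not package this content."
    exit 1
}
```

Keeping the SHA256 values alongside the package gives you something to compare against if the content folder is rebuilt later.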
1. Open your WSUS Console
2. Expand your WSUS Server Node and select Updates from the Navigation pane
3. Select Action > Import Updates from the Actions menu

4. A browser window will open, search the Catalog for Update for Removal of Adobe Flash Player for Windows 10
5. Add “ALL” the updates to your basket *. There are 24 in total – the removal tool for Windows 10 20H1 can be used to remove Flash from Windows 10 20H2
* The Add button is only available when browsing the catalog from Internet Explorer.
6. Select View Basket > Download

7. Choose a folder to download the updates to

Your files will download into a similar folder structure as below

8. Download the following PowerShell Scripts to the same folder as above
Detect_Flash_Removal_KB4577586_Intune.ps1
Install_Flash_Removal_KB4577586.ps1
Your content staging folder should now look like this

9. Download the Win32 Content Prep Tool Zip file in order to create the .intunewin file for deployment https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool/archive/master.zip
10. Extract the tool to a local folder, e.g. C:\Microsoft-Win32-Content-Prep-Tool-master
You should see the following files

11. Make sure you “Unblock” IntuneWinAppUtil.exe

12. Copy IntuneWinAppUtil.exe to the same content folder as the updates and PowerShell scripts specified in step 8

13. Double click IntuneWinAppUtil.exe
Specify the following values:
Source Folder: .\
Setup File: Install_Flash_Removal_KB4577586.ps1
Output Folder: .\
Specify Catalog Folder?: N

You should now see a file called Install_Flash_Removal_KB4577586.intunewin in the content folder. We will use this file in the following steps. It contains all the KB4577586 updates for the different versions of Windows 10.
14. Navigate to Microsoft Endpoint Manager Admin Center Windows 10 Apps blade and click Add https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsWindowsMenu/windowsApps

15. Choose Other > Windows app (Win32)
16. Click Select
17. Choose Select app package file

18. Browse to the Install_Flash_Removal_KB4577586.intunewin file we created previously and Select OK

19. Fill in the required application information

20. Click Next
21. Enter the following information on the program tab
Install Command:
Powershell.exe -ExecutionPolicy Bypass -file "Install_Flash_Removal_KB4577586.ps1"
Uninstall Command:
Powershell.exe -ExecutionPolicy Bypass -file "Install_Flash_Removal_KB4577586.ps1"
Install behaviour: System
Device restart behaviour: No specific action
Remember: This update cannot be uninstalled but the Uninstall Command requires some input. I have used the same command line again with the understanding that this will never be used.

22. Click Next
23. Fill in the app requirements.

24. Click Next
25. Under Detection rules, Select Use a custom script from the Rules format drop down box
26. Select the Detect_Flash_Removal_KB4577586_Intune.ps1 script from your original content directory

27. Click Next
28. Review Dependencies and Click Next (we don’t have any specific dependencies for this app)
29. Assign the Win32App to a group of Windows 10 devices in scope for the Removal of Adobe Flash Player update

30. Click Next
31. Click Create
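The command lines entered in step 21 need plain ASCII quote and hyphen characters (code 34 for the double quote); text copied from a rendered web page often carries typographic ones instead. The following is an added example, not from the original post, that reports any non-ASCII character in a command line before it is pasted into Intune and returns a corrected string. `Test-CommandLineAscii` is a hypothetical helper name and the sample string is constructed.

```powershell
# Added example (not from the original post): flag non-ASCII characters in a
# pasted command line. Test-CommandLineAscii is a hypothetical helper name.
function Test-CommandLineAscii {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)

    $findings = @()
    $fixed    = New-Object System.Text.StringBuilder

    for ($i = 0; $i -lt $CommandLine.Length; $i++) {
        $char = $CommandLine[$i]
        $code = [int]$char

        if ($code -le 127) { [void]$fixed.Append($char); continue }

        # Typographic characters that rich-text rendering substitutes for ASCII
        $ascii = switch ($code) {
            0x201C { '"' }   # left double quote
            0x201D { '"' }   # right double quote
            0x2018 { "'" }   # left single quote
            0x2019 { "'" }   # right single quote
            0x2013 { '-' }   # en dash
            0x2014 { '-' }   # em dash
            0x00A0 { ' ' }   # non-breaking space
            default { $null }
        }

        $findings += [pscustomobject]@{
            Position  = $i
            CodePoint = 'U+{0:X4}' -f $code
            Suggested = $ascii
        }
        # Unknown characters are kept unchanged so they stay visible for manual review
        if ($null -ne $ascii) { [void]$fixed.Append($ascii) } else { [void]$fixed.Append($char) }
    }

    [pscustomobject]@{
        IsAscii  = ($findings.Count -eq 0)
        Findings = $findings
        Fixed    = $fixed.ToString()
    }
}

# Constructed sample: a step 21 command line as it might paste from a rendered page
$dash, $lq, $rq = [char]0x2013, [char]0x201C, [char]0x201D
$pasted = "Powershell.exe ${dash}ExecutionPolicy Bypass -file ${lq}Install_Flash_Removal_KB4577586.ps1${rq}"
$result = Test-CommandLineAscii -CommandLine $pasted
$result.Findings | Format-Table -AutoSize
$result.Fixed
```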
Monitoring the Deployment
Once deployed, you can monitor installation progress both on the client…
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log indicates the policy is retrieved from Intune




and from Intune…


Summary
In this post we deployed the Update for Removal of Adobe Flash Player using Intune. You don’t necessarily have to download all the updates into a single package but this is an example of how versatile Win32Apps can be – we had a single Win32App that could deploy the unique Update for the Removal of Adobe Flash Player for all Windows 10 versions and architectures. It is very plausible to create a Win32App with a single version of the update and then target a specific Windows 10 Version for that update.
You can also deploy the updates using ConfigMgr – see the other post How to Uninstall Adobe Flash Player from Windows 10 with ConfigMgr (byteben.com)
Not sure what I might have missed but this is erroring out with 0x80070000 in our Pilot group. Followed these steps to the letter. Any idea what might be wrong?
Hi Chris,
You probably copied and pasted the code from my WordPress site which has the wrong ASCII code for ”.
Find any double quote characters in your command lines and make sure they are ASCII code 34.
Thanks for the quick response Ben. I’ve actually copied the code right from Github using the RAW display. Interestingly the detection script appears to work fine. If the package is run against a computer with the KB already applied, Intune correctly marks that device as “Installed” for this app. I tried checking the log file (C:\windows\temp\flash_uninstall.log) on a failed client but no log file is generated.
I’m going to rebuild the package from scratch just in case but curious if you had any other thoughts?
Hi Chris,
Just checking to see if you were able to fix this? I’ve come across the same condition when deploying the app against any machines that need Flash removed. No transaction log file is generated, and the IntuneManagementExtension.log file shows this:
I downloaded the scripts from Github and the binaries directly from Microsoft, so I’m not sure where it’s falling over? If I run the script manually on a workstation, it runs successfully and creates the log file as expected. Intune shows a status of 0x80070000 on machines that it has been deployed to as well.
Any input would be greatly appreciated!
I found out why this was not working. The syntax of the install command needs to be changed.
FROM: Powershell.exe -ExecutionPolicy Bypass -file “Install_Flash_Removal_KB4577586.ps1”
TO: Powershell.exe -ExecutionPolicy Bypass -file .\Install_Flash_Removal_KB4577586.ps1
Once I did this, it pushed out flawlessly to all machines.
Hi John. The command in the post works fine too. You probably copied the command line from the post which pastes the incorrect ASCII character for a double quote 🙂
Hi Ben,
I guess I didn’t try that! 🙂
Thanks for your contribution to this, it was a very helpful fix!
John
Ben, if I don’t have WSUS and I was trying to just download the KB files from the Microsoft Catalog, I download the .msu file. If I put them in the root with the ps1 scripts, will that work? If not, is there a Dropbox or file share link you could share? I see there is a new 20H2 one you didn’t have listed.
At the moment the script uses the folder structure names to identify the correct update for the correct OS. So that approach wouldn’t work with this script unfortunately. I have published the folder structure on the same GitHub page for your convenience – I would recommend, for a Live environment, to source your own binaries though.
You’re losing me at step 13. I have all of the hotfix folders and both scripts in one location. When I run IntuneWinAppUtil.exe it flashes for a second and I get no output file. Probably an ID10T error, but I’ve never used the tool in this way before. Usually I just use it for pushing out msi packages.
Hi Ben, very good job!
Just to notify you that I have an “error” in my Visual Studio Code with your $args variable:
The Variable ‘Args’ is an automatic variable that is built into PowerShell, assigning to it might have undesired side effects. If assignment is not by design, please use a different name.
{
“resource”: “./Install_Flash_Removal_KB4577586.ps1”,
“owner”: “_generated_diagnostic_collection_name_#0”,
“code”: “PSAvoidAssignmentToAutomaticVariable”,
“severity”: 4,
“message”: “The Variable ‘Args’ is an automatic variable that is built into PowerShell, assigning to it might have undesired side effects. If assignment is not by design, please use a different name.”,
“source”: “PSScriptAnalyzer”,
“startLineNumber”: 76,
“startColumn”: 4,
“endLineNumber”: 76,
“endColumn”: 9
}
Thanks Nathanael, as we are not using a function in this script the $Args variable won’t be used by PowerShell – but I do see your point. I will try to avoid it in future scripts. Thanks for pointing it out 🙂