Deploy the Update for Removal of Adobe Flash Player (KB4577586) using Intune

In our previous post How to Uninstall Adobe Flash Player from Windows 10 with ConfigMgr (byteben.com) we reviewed the End of Life for Adobe Flash Player and what that meant for Windows 10 devices. We also stepped through a tutorial showing you how to deploy the update with ConfigMgr. Please review this post first as it contains a lot more detail about the update intention than this post does.

In this post, we will look at how to deploy the same update (KB4577586) using Intune and a Win32App

The chances are that by the time you are reading this post Microsoft will have published the optional update to your WUfB. Ignore the rest of this post and go and drink tea…or take a peek anyway.

As in our previous post when we deployed the update with ConfigMgr, there is a unique KB4577586 update for each Windows 10 version and I have decided to roll all the updates into a single Win32App and use PowerShell to handle the installation. This way we have a single script/app that can handle all Windows 10 versions. The updates are only about 150kb each. You will need access to a WSUS console to download the updates in the correct folder format for the script to work. I have uploaded the updates to my GitHub repository which you could use in your test environment Windows-10/Flash Uninstall_Intune at master · byteben/Windows-10 (github.com)

The scripts are pretty simple. Please test them before using them in production. This update cannot be removed once installed which limits how much testing I could do in my lab.

One script installs the update dependant on the OS architecture and ReleaseID and the other is used as the application detection method.

Install_Flash_Removal_KB4577586.ps1

Detect_Flash_Removal_KB4577586_Intune.ps1

1 . Open your WSUS Console
2 . Expand your WSUS Server Node and select Updates from the Navigation pane
3 . Select Action > Import Updates from the Actions menu

4 . A browser window will open, search the Catalog for Update for Removal of Adobe Flash Player for Windows 10
5 . Add “ALL” the updates to your basket *. There are 24 in total – the removal tool for Windows 10 20H1 can be used to remove Flash from Windows 10 20H2

* The Add button is only available when browsing the catalog from Internet Explorer.

6 . Select View Basket > Download

7 . Choose a folder to download the updates to

Your files will download into a similar folder structure as below

8 . Download the following PowerShell Scripts to the same folder as above

Detect_Flash_Removal_KB4577586_Intune.ps1
Install_Flash_Removal_KB4577586.ps1

Your content staging folder should now look like this

9 . Download the Win32 Content Prep Tool Zip file in order to create the .intunewin file for deployment https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool/archive/master.zip

10 . Extract the tool to a local folder, e.g. C:\Microsoft-Win32-Content-Prep-Tool-master

You should see the following files

11 . Make sure you “Unblock” IntuneWinAppUtil.exe

12 . Copy IntuneWinAppUtil.exe to the same content folder as the updates and PowerShell scripts specified in step 8

13 . Double click IntuneWinAppUtil.exe

Specify the following Values:-

Source Folder: .\
Setup File: Install_Flash_Removal_KB4577586.ps1
Output Folder: .\
Specify Catalog Folder?: N

You should now see a file called Install_Flash_Removal_KB4577586.intunewin in the content folder. We will use this file in the following steps. It contains all the KB4577586 updates for the different versions of Windows 10.

14 . Navigate to Microsoft Endpoint Manager Admin Center Windows 10 Apps blade and click Add https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsWindowsMenu/windowsApps

15 . Choose Other > Windows app (Win32)

16 . Click Select

17 . Choose Select app package file

18 . Browse to the Install_Flash_Removal_KB4577586.intunewin file we created previously and Select OK

19 . Fill in the required application information

20 . Click Next
21. Enter the following information on the program tab

Install Command:
Powershell.exe -ExecutionPolicy Bypass -file “Install_Flash_Removal_KB4577586.ps1
Uninstall Command:
Powershell.exe –ExecutionPolicy Bypass -file “Install_Flash_Removal_KB4577586.ps1
Install behaviour: System
Device restart behaviour: No specific action

Remember: This update cannot be uninstalled but the Uninstall Command requires some input. I have used the same command line again with the understanding that this will never be used.

22 . Click Next
23 . Fill in the app requirements.

24 . Click Next
25 . Under Detection rules, Select Use a custom script from the Rules format drop down box
26 . Select the Detect_Flash_Removal_KB4577586_Intune.ps1 script from your original content directory

27 . Click Next
28 . Review Dependencies and Click Next (we don’t have any specific dependencies for this app)
29 . Assign the Win32App to a group of Windows 10 devices in scope for the Removal of Adobe Flash Player update

30 . Click Next
31 . Click Create

Monitoring the Deployment

Once deployed, you can monitor installation progress both on the client…

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log indicates the policy is retrieved from Intune

and from Intune…

Summary

In this post we deployed the Update for Removal of Adobe Flash Player using Intune. You don’t necessarily have to download all the updates into a single package but this is an example of how versatile Win32Apps can be – we had a single Win32App that could deploy the unique Update for the Removal of Adobe Flash Player for all Windows 10 versions and architectures. It is very plausible to create a Win32App with a single version of the update and then target a specific Windows 10 Version for that update.

You can also do deploy the updates using ConfigMgr – see the other post How to Uninstall Adobe Flash Player from Windows 10 with ConfigMgr (byteben.com)

6 thoughts on “Deploy the Update for Removal of Adobe Flash Player (KB4577586) using Intune”

  1. Not sure what I might have missed but this is erroring out with 0x80070000 in our Pilot group. Followed these steps to the letter. Any idea what might be wrong?

    1. Hi Chris,

      You probably copy and pasted the code from my wordpress site which has the wrong ascii code for ”
      Find any double quote characters in your command lines and make sure they are ascii code 34

  2. Thanks for the quick response Ben. I’ve actually copied the code right from Github using the RAW display. Interestingly the detection script appears to work fine. I the package is run against a computer with the KB already applied Intune correctly marks that device as “Installed” for this app. I tried checking the log file (C:\windows\temp\flash_uninstall.log) on a failed client do no log file is generated.

    I’m going to rebuild the package from scratch just in case but curious if you had any other thoughts?

  3. Donovan Sobrero

    Ben, if I don’t have WSUS and I was trying to just download the KB files from the Microsoft Catalog i download the .msu file. if I put them in the root with the ps1 scripts will that work? if not is there a dropbox or file share link you could share. i see there is a new 20H2 one you didn’t have listed.

    1. At the moment the script users the folder structure names to identify the correct update for the correct OS. So that approach wouldn’t work with this script unfortunately. I have published the folder structure on the same GitHub page for your convenience – I would recommend, for a Live environment, to source your own binaries though.

  4. You’re losing me at step 13. I have all of the hotfix folders and both scripts in one location. When I run IntuneWinAppUtil.exe it flashes for a second and I get no output file. Probably an ID10T error, but I’ve never used the tool in this way before. Usually I just use it for pushing out msi packages.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.