In this post, we’ll go over how to disable Flash on IE, Firefox, and Chrome. The video below is the complete recorded webcast in which we cover each browser. In each section, a link is provided that will go to that portion of the webcast or you can watch the webcast in its entirety below.
Is Flash all that bad?
Maybe, maybe not. Adobe Flash is a necessary evil for some organizations…a lot of schools often need Flash to run certain educational programs. The objective is to minimize your possible security risks (AKA minimizing your attack surface). If you don’t need Adobe Flash in your environment, disable it. If you need it, get it and make sure you keep it up to date. For your consideration, what would happen in a month without Adobe Flash?
In the Package Library, there is a deployment package available that will uninstall Adobe Flash (requires an Enterprise license). It will only uninstall the Flash as made available by Adobe. It will not uninstall or disable Flash built into IE (for Windows 8 and higher) or the embedded PPAPI Flash in Chrome. Watch how to uninstall Adobe Flash for Firefox.
There are two steps to disabling Flash in Chrome. First there is the embedded Pepper Flash (PPAPI). Straight up, the best and surefire way to make sure the embedded Flash is disabled in Chrome is through a GPO. In order to use this method you need to import the Google ADMX files into your Group Policy environment. You can download the latest ADMX files here. In a new or existing GPO you can configure the new policy. With the example below we have a dedicated GPO called Component Update Disabled.
In Settings > Administrative Templates > Google/Google Chrome you’ll be able to see what policies you have enabled or disabled. Right-click on your GPO (on the left pane) and select Edit. With the ADMX template loaded, you’ll have the option to go to Computer Configurations > Policies > Administrative Templates > Google > Google Chrome. From there you can find the setting called Enables component updates in Google Chrome. Which you can then set to disabled.
If you do not explicitly set this policy to Disabled then any computers that can access the internet will automatically have the latest embedded Pepper Flash installed.
If you are using Chrome make sure you don’t have the Adobe Flash Player PPAPI installed. This is important because even if you disable the Enables Component Updates in Google Chrome setting Chrome will use the installed Adobe Flash Player PPAPI if it is installed. You can deploy the Uninstall Adobe Flash Player package from PDQ Deploy’s Package Library to uninstall this application.
If you would prefer to not use a GPO to disable the embedded Flash for Chrome you can use PDQ Deploy to push out a specific registry value to your target computers. Below is a download for a package you can use in PDQ Deploy to deploy this policy’s registry changes. Also below is an accompanying Collection you can import into PDQ Inventory to help you track computers with Flash disabled.
Every KB that comes out from Microsoft for Flash has a workaround for disabling Flash. Again, GPO is probably the best way to accomplish this, check out this blog post on how to disable Flash in IE using GPO.
We also have a deployment package you can push out here. Make things easy on yourself and deploy to the right computers and use the Collections provided here to track computers that have Flash disabled.
In some cases you will want to uninstall it. Other situations, however, uninstalling really isn’t an option so you are left with disabling it. Below is a chart showing which OS/browser combinations you can uninstall vs. disable. If uninstalling is an option, you can use the deployment package available that will uninstall Adobe Flash available in PDQ Deploy.