How to Block Adobe Flash Player Using Active Directory Group Policy
It has been a long time coming. We have known since 2017 that Adobe was planning to discontinue support for its once-popular Flash Player browser extension. Flash provided a way to add animation and interactive elements to web pages, but with the arrival of open standards like HTML5 and WebGL, developers moved away from it.
Flash Player is a browser plug-in that is installed and maintained separately, although it came bundled with some browsers. It was also responsible for some scary security vulnerabilities over the years, so developers and IT admins alike were glad to see the back of it.
Flash Player reached end of life on December 31st 2020, and Adobe now recommends uninstalling it from systems. Microsoft has an optional update (KB4577586) that removes Flash Player. It was made available in October 2020 in the Microsoft Update Catalog. Microsoft said that it would be made available for Windows Update and Windows Server Update Services (WSUS) in early 2021, and that KB4577586 would be changed to ‘recommended’ a few months later.
Regardless of the availability of this update, Microsoft disabled Adobe Flash Player by default at the beginning of 2021, and all versions older than KB4561600, released in June 2020, will be blocked. If you want to be sure, you can use the Group Policy settings below.
Block Adobe Flash Player using Group Policy
By summer 2021, KB4577586 will be included in the monthly cumulative updates and monthly rollups for Windows. This will result in Flash being automatically removed from systems. In the meantime, you can use Group Policy to block Flash completely. In Microsoft’s browsers, you should find that Flash is now blocked without any manual intervention, but the following settings might be useful for devices that haven’t been or can’t be updated for whatever reason.
If you want to apply Group Policy settings to more than one device, you will need to create a central Group Policy store. Check out How to Create a Group Policy Central Store on Petri for more information. And for more information on setting up a Group Policy Object (GPO), read How to Create and Link a Group Policy Object in Active Directory on Petri.
Google Chrome and Microsoft Edge
If you want to block Flash in either Chrome or Edge, you’ll need to download the respective Group Policy templates. Microsoft provides the policy files for Edge, and Google provides them for Chrome. Once you have the Group Policy template installed, you will find the settings for Chrome and Edge under Computer or User Configuration > Policies > Administrative Templates. Here, set the Default Adobe Flash setting to Enabled and then select Block the Adobe Flash plugin from the dropdown menu. If you still need to allow Flash to work on some sites, you can instead use the Allow the Flash plugin on these sites setting and create a whitelist of sites where Flash can run.
Legacy Microsoft Edge
To disable Flash in legacy Microsoft Edge, set Allow Adobe Flash to Disabled under Computer or User Configuration > Policies > Administrative Templates > Windows Components > Microsoft Edge.
Internet Explorer
To disable Flash in Internet Explorer, set Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects to Enabled under Computer or User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management.
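To confirm that the GPO settings described above actually reached a device, you can read back the registry values those policies write. The following PowerShell audit is an added example, not part of the original article; the registry paths and value names are assumptions taken from the vendors' policy documentation rather than from this page, and the function name is hypothetical.

```powershell
# Added example: audit the registry values behind the Flash policies above.
# Paths and value names are assumptions from vendor policy documentation,
# not from the article. Run on the endpoint being checked.
$checks = @(
    @{ Browser = 'Google Chrome';     Key = 'SOFTWARE\Policies\Google\Chrome';                  Name = 'DefaultPluginsSetting'; Blocked = 2 }
    @{ Browser = 'Microsoft Edge';    Key = 'SOFTWARE\Policies\Microsoft\Edge';                 Name = 'DefaultPluginsSetting'; Blocked = 2 }
    @{ Browser = 'Legacy Edge';       Key = 'SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'; Name = 'FlashPlayerEnabled';    Blocked = 0 }
    @{ Browser = 'Internet Explorer'; Key = 'SOFTWARE\Policies\Microsoft\Internet Explorer';    Name = 'DisableFlashInIE';      Blocked = 1 }
)

function Get-FlashPolicyState {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # HKLM holds Computer Configuration policy, HKCU holds User Configuration policy
        foreach ($hive in 'HKLM:', 'HKCU:') {
            $path  = "$hive\$($c.Key)"
            $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)

            # Sites exempted through the "allow on these sites" list (Chrome and Edge only).
            # Any entry here is a place where Flash content is still permitted.
            $allowed  = @()
            $allowKey = Get-Item -Path "$path\PluginsAllowedForUrls" -ErrorAction SilentlyContinue
            if ($allowKey) {
                $allowed = $allowKey.GetValueNames() | ForEach-Object { $allowKey.GetValue($_) }
            }

            [pscustomobject]@{
                Browser      = $c.Browser
                Scope        = if ($hive -eq 'HKLM:') { 'Computer' } else { 'User' }
                Value        = $value
                State        = if ($null -eq $value) { 'NotConfigured' }
                               elseif ($value -eq $c.Blocked) { 'Blocked' }
                               else { 'NotBlocked' }
                AllowedSites = $allowed -join ', '
            }
        }
    }
}

Get-FlashPolicyState -Checks $checks | Format-Table -AutoSize
```

A row showing NotConfigured in both scopes means the GPO has not applied to that device, and a non-empty AllowedSites column lists the exceptions that remain in force.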