Deploy Adobe Flash Removal update KB4577586 using MEMCM

Support for Adobe Flash is going away on the 31st of December 2020, as announced by Adobe back in 2017: https://www.adobe.com/se/products/flashplayer/end-of-life.html. On October 27th Microsoft released an update that will remove Adobe Flash Player, which is a good thing: https://support.microsoft.com/en-us/help/4577586/update-for-removal-of-adobe-flash-player
We need to make sure it is removed: once it is no longer supported it becomes a big security risk (bigger than Flash itself), as no security updates are released for it anymore.

The released update is not available in WSUS yet. It will be made available in early 2021 according to the KB article mentioned above, which in my opinion is a bit late. It is available in the Microsoft Update Catalog though, which is a good start: we can import it into WSUS, synchronize it to MEMCM and deploy it.
Note: Once the update is installed it cannot be uninstalled if you need to re-enable Flash.

I have imported it in a couple of environments and run into some different issues, so I wrote this post to save you some time googling the errors.

Import and deploy the update

To import the update we need to start the WSUS admin console using Run as administrator. From there we can select Import Updates; Internet Explorer 11 is launched and we are directed to the Microsoft Update Catalog.

Import updates in WSUS admin console

We search for our KB4577586 to find our update.

Search in Microsoft Catalog

We select the update for the versions and architecture we need, then select add to basket.

Select updates for Windows Version and architecture

From the “basket” view we can select to import the update directly into WSUS as shown below.

Import directly into Windows Server Update Services

When clicking Import the updates are imported into the WSUS Database. The process is really fast as the update is really small.

Import successful

When the import is completed we start a manual synchronization of updates in MEMCM as we lack patience to wait for the next sync to occur.

Run Synchronization in the admin Console

Then we take a Configuration Manager cup of coffee and wait until the synchronization is complete. Once it is complete, we can deploy the update and start testing it out.

Updates ready to deploy in the Admin console

Troubleshooting WSUS import errors

Make sure you start Internet Explorer once with "Run as administrator" and navigate to the Microsoft Update Catalog website. Install the ActiveX control when supported. If you get the below message, I found it easiest to add "http://catalog.update.microsoft.com" to the Trusted sites zone. Note the "HTTP": it is old stuff, and the link from the WSUS admin console uses HTTP.

Another issue I always run into the first time is actually downloading the updates, as shown below.

Enable .NET 4 strong cipher, as described here: https://community.spiceworks.com/topic/2144162-import-to-wsus-fails-direct-import-from-ms-update-catalog

  1. reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
  2. Reboot the server and try again.

That should solve the issue!
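
The registry change above as an idempotent PowerShell check, added here as an example and not part of the original post: it reports the current SchUseStrongCrypto value, sets it to 1 only where needed, and reads it back. The Wow6432Node path (used by 32-bit .NET applications) and the function names are assumptions beyond the post's single reg add command.

```powershell
# Added example: audit and set SchUseStrongCrypto for .NET Framework 4.x.
# Run from an elevated PowerShell prompt on the WSUS server.
# Assumption: the Wow6432Node path is included in addition to the post's key.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Hypothetical helper: report the current state of each key.
function Get-StrongCryptoState {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $exists = Test-Path -Path $p
        $value  = $null
        if ($exists) {
            $value = (Get-ItemProperty -Path $p -Name SchUseStrongCrypto `
                      -ErrorAction SilentlyContinue).SchUseStrongCrypto
        }
        [pscustomobject]@{
            Path               = $p
            KeyExists          = $exists
            SchUseStrongCrypto = $value          # $null means the value is not set
            Compliant          = ($value -eq 1)
        }
    }
}

# Hypothetical helper: write the DWORD only under keys that already exist.
function Set-StrongCrypto {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { continue }
        New-ItemProperty -Path $p -Name SchUseStrongCrypto -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

$before = Get-StrongCryptoState -Path $paths
$before | Format-Table -AutoSize

if ($before | Where-Object { $_.KeyExists -and -not $_.Compliant }) {
    Set-StrongCrypto -Path $paths
    Get-StrongCryptoState -Path $paths | Format-Table -AutoSize
    Write-Host 'SchUseStrongCrypto set to 1. Reboot the server and retry the import.'
} else {
    Write-Host 'SchUseStrongCrypto is already 1; no change made.'
}
```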

Happy testing!