Security Incident Response

If you think you have or know you have a Security Incident please fill in the form and our experienced Onevinn CSIRT team will reach out shortly.
The team has long experience in supporting customers in Incident Response and Compromised Recovery.
Keep calm and we will be with you shortly!

Deploy Adobe Flash Removal update KB4577586 using MEMCM

Support for Adobe Flash is going away on the 31st of December 2020 as announced by Adobe back in 2017, In October 27th Microsoft released an update that will remove Adobe Flash Player, which is a good thing,
We need to make sure it is removed as it is no longer supported = big security risk (bigger than Flash itself) as no security updates are released for it anymore.

The update released is not available in WSUS yet. It will be made available in early 2021 according to the KB article mentioned above which in my opinion is a bit late. It is available in Microsoft Update catalog though which is a good start then we can import it in WSUS, synchronize it to MEMCM and deploy it.
Note: Once the update is installed it cannot be uninstalled if you need to re-enable Flash.

I have imported it in a couple environments and run into some different issues so I wrote this post to save you some time googling the errors.

Import and deploy the update

To import the update we need to start the WSUS admin console using Run as administrator. From there we can then select import updates, Internet Explorer 11 is launched and we are directed to Microsoft update catalog.

Import updates in WSUS admin console

We search for our KB4577586 to find our update.

Search in Microsoft Catalog

We select the update for the versions and architecture we need, then select add to basket.

Select updates for Windows Version and architecture

From the “basket” view we can select to import the update directly into WSUS as shown below.

Import directly into Windows Server Update Services

When clicking Import the updates are imported into the WSUS Database. The process is really fast as the update is really small.

Import successful

When the import is completed we start a manual synchronization of updates in MEMCM as we lack patience to wait for the next sync to occur.

Run Synchronization in the admin Console

Then we take a Configuration Manager cup of coffee and wait until the synchronization is complete, once it is complete. We can deploy the update and start testing it out.

Updates ready to deploy in the Admin console

Troubleshooting WSUS import errors

Make sure you start Internet Explorer once with ” Run as administrator” and navigate to the Microsoft Update catalog website. Install the ActiveX when supported. If you get the below message I found it easiest to add “” to the trusted sites zone. Note “HTTP” it is old stuff and the link from the WSUS admin console uses HTTP…..

Another issue I always run into the first time is to actually download the updates as shown below.

Enable .Net 4 strong chiper, as described here:

  1. reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
  2. Reboot the server and try again.

That should solve the issue!

Happy testing!