I have a Windows Server 2008 machine as my DC. Earlier this year I created a Software Installation GPO to deploy Adobe Flash Player plugin MSI. I assigned the policy to the computers, about half run Windows XP x86 and the other half Windows 7 x64. That all works like clockwork.
When I created the Software Installation Policy, I disabled the Flash Player plugin's automatic update feature by editing the MSI in Orca. I did this because I wanted all of my machines to run the exact same version of the plugin.
Now, some time has passed and a newer version of the Flash Player plugin has been released. It is time for me to push out the updated version of the plugin. I already have the new MSI, but I am lost on what to do next.
- I see the upgrades tab in the Software Installation GPO, but
everything there reads like that would be used for add-ons to a
larger master program and not for updates that are released over
time. - I have read that it is best to create a new Software Installation
policy with the new MSI, revoke the old GPO, and assign the new GPO.
I feel as though, over time, I will wind up with more revoked
policies than active ones. - I have also read that some people have had success by replacing the
old MSI with the new MSI and simply telling the GPO to redeploy.
This seems like a backdoor method that will only get me in to
trouble.
In short, what is the correct, best-practice, or preferred way to roll out the new version via Group Policy?
Best Answer
I've done this many times with Flash Player (and other software). What you want to do is:
Use ORCA to edit it with any customization that you want and save it as a transforms (or save it as a whole new MSI, whatever works for you).
Put that new MSI (and transforms) on your software deployment share.
Add this software (and transforms) to your existing policy. It will automatically detect it as an upgrade to your previous versions of Flash Player. You can add all versions in the same policy if that's how you've previously configured it (x86: plugin and ActiveX, x64: plugin and ActiveX) or you can continue with whatever GPO layout you already have. Just make sure that you're adding like-for-like in your policy and it will automatically detect these as upgrades.
If, for whatever reason, they aren't automatically detected as upgrades, you can set this yourself in the policy. This is the correct way to handle this situation.
There's really nothing special to this.
One thing that you should think about is instead of editing the MSI with ORCA every time there's a new version, you can create an mms.cfg file as outlined here with Flash Player preferences. This file will not be touched across upgrades, so you only need to push out this file once and then you can deploy a vanilla Flash Player installation. I've used Group Policy File Preferences with Item Level Targeting to put this in the correct place on x86 and x64 machines in a mixed environment.