
Saturday, 18 February 2017

Uninstalling Adobe Flash Player using Group Policy - Part 1

"Flash is a spaghetti-ball piece of technology  
that has lousy performance and really bad security problems."

Part 1 is about disabling Flash Player in Microsoft Edge using Group Policy.

What version of Flash player are your users running?


As I am writing this blog post, administrators once again find themselves in a situation that has existed since the introduction of Windows 8.
  1. Microsoft insists on integrating Adobe Flash Player into the Windows operating system.
  2. At the same time, security patches for Flash Player that Adobe has already released are occasionally withheld from Windows users.
The current situation is that Microsoft seems to have called off the February 2017 patch day altogether, and Windows users are stuck with an unpatched Flash Player.


In Microsoft Edge 38.14393.0.0 (Windows 10 14393.693) the Windows 10 Flash version number is 24,0,0,194 when it should be 24.0.0.221.

Check your Flash Player version here: http://www.adobe.com/software/flash/about/


Disabling Flash Player in Microsoft Edge using Group Policy


Create a new GPO and attach it to the OU that contains your Windows 10 users

Navigate to User Configuration \ Preferences \ Windows Settings \ Registry \

Right click on Registry. Choose New \ Registry Items

Configure the Properties:

Action: Update
Hive: HKEY_CURRENT_USER
Key Path:
SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons

The full path is
"HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons"

The key Addons may not exist yet; it will be created when the GPO is applied.

Value Name: FlashPlayerEnabled
Value Type: REG_DWORD
Value Data: 00000000


Review the Group Policy:


Log on to the computer and check the Edge Settings:


Be aware that the user can always re-enable Flash in their Edge settings, but the GPO will disable Flash again at every logon of the user.
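The same registry change, and a check that it actually took effect, can be scripted in PowerShell. This is an added example and not part of the original post or of any Microsoft tooling: the key path and value are the ones quoted above, while the function names (Disable-EdgeFlash, Test-EdgeFlashDisabled) are my own. Because the GPO item lives under User Configuration, the value sits in the user's own HKCU hive, so both functions have to run in that user's session.

```powershell
# Added example: mirrors the GPP "Update" registry item from the post and audits its result.
# Key path is the one quoted in the post; the function names are mine (hypothetical helpers).

$EdgeAddonsKey = 'HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons'

function Disable-EdgeFlash {
    # Same semantics as the preference item: create the Addons key if it is missing,
    # then write FlashPlayerEnabled = 0 as a DWORD.
    if (-not (Test-Path -Path $EdgeAddonsKey)) {
        New-Item -Path $EdgeAddonsKey -Force | Out-Null
    }
    Set-ItemProperty -Path $EdgeAddonsKey -Name 'FlashPlayerEnabled' -Value 0 -Type DWord
}

function Test-EdgeFlashDisabled {
    # Returns $true only when the value exists and is exactly 0.
    # A missing key or value means the GPO has not applied (yet), so it is reported as not disabled.
    if (-not (Test-Path -Path $EdgeAddonsKey)) { return $false }
    $item = Get-ItemProperty -Path $EdgeAddonsKey -Name 'FlashPlayerEnabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.FlashPlayerEnabled -eq 0)
}

# Apply, then verify. Run this as the logged-on user whose Edge profile you care about.
Disable-EdgeFlash
if (Test-EdgeFlashDisabled) {
    'Flash in Edge: disabled'
} else {
    'Flash in Edge: still enabled (value missing or not 0)'
}
```

Test-EdgeFlashDisabled is the useful half for day-to-day operations: run it (for example from a logon script) after `gpupdate /force` to confirm the preference item was written, and run it again later to spot users who have flipped the switch back on in Edge before the next logon re-applies the GPO.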

This solution is therefore not yet perfect, but only part one of a bigger solution.

In the second part, I will show how to disable Flash in Internet Explorer.



Sunday, 11 January 2015

Configuring a WLAN profile for Windows computers using Group Policy

"If a trainstation is where the train stops, what's a workstation?"

As you go along with this tutorial, make sure to deviate from my settings so that you end up with a profile that suits your environment. In any case, you should have a functioning Active Directory and workstations running Windows Vista or higher.

This is a rare instance of something that benefits both usability and security, and not one at the expense of the other. The users will not have to worry about WLAN settings, as those are configured by the GPO, and I will not have to worry about users watering down security settings, because the settings are locked into the profile and users cannot change them.

In my case the wireless connection deployed on the workstations will be based on
  • WPA2-Enterprise mode
  • A Network Policy Server (NPS) that will also serve as RADIUS server
  • Client and server authenticating using (pre-autoenrolled) X.509 certificates
  • I opened gpmc.msc and navigated to the Organizational Unit (OU) that contained my wireless capable computers.
  • Next, I created a new GPO (i.e. "WLAN profiles <<insert SSID>>").
  • Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) policies.
  • "Create A New Wireless Network Policy for Windows Vista and Later Releases".
    You can only do this once. When you have created the first policy, the option will disappear until the policy is deleted.
  • The policy gets a name and description. Properties General

  • Adding a network
    The workstations connect automatically, do not connect to more preferable networks and do not connect if the SSID is not broadcast.



The RADIUS server authenticates via X.509 certificate. There is also some sort of certificate pinning at the root-CA level. Note the checkbox in the middle. All three things must match for the client to proceed:
  1. Server hostname
  2. Server certificate
  3. Root certificate
This will ensure that the workstation is connected to the right network, and it will remove unnecessary pop-ups that may ask for information that is not available to the user ("Do you trust this computer?"). The authentication method selection at the lower end of the screenshot ensures that the workstation will authenticate using its own certificate, which will be presented to the server. The alternative would be EAP-MSCHAP v2.
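Once the profile has landed on a workstation, the three server-validation settings described above can be audited from the exported profile XML rather than by clicking through the dialog. The PowerShell below is an added example, not part of the original post or of Windows itself: the function name Test-WlanServerValidation is my own, the profile fragment is a constructed sample, and the element names (ServerValidation, DisableUserPromptForServerValidation, ServerNames, TrustedRootCA) follow the Windows WLAN/PEAP profile XML schema as I know it, so treat the exact paths as an assumption to check against a real export.

```powershell
# Added example: audit an exported WLAN profile for the three server-validation checks
# (server name pinned, root CA pinned, no "do you trust this server" prompt).
# Element names are my reading of the Windows PEAP profile schema (assumption);
# the sample profile below is constructed, not a real export.

function Test-WlanServerValidation {
    param([Parameter(Mandatory)][string]$ProfileXml)

    [xml]$doc = $ProfileXml
    # The profile nests several XML namespaces, so match on local element names only.
    $sv = $doc.SelectSingleNode("//*[local-name()='ServerValidation']")
    if ($null -eq $sv) {
        return [pscustomobject]@{ Passed = $false; ServerNames = $null; TrustedRootCA = $null; Reason = 'No ServerValidation block found' }
    }

    $noPrompt = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
    $names    = $sv.SelectSingleNode("*[local-name()='ServerNames']")
    $rootCa   = $sv.SelectSingleNode("*[local-name()='TrustedRootCA']")

    $problems = @()
    if ($null -eq $noPrompt -or $noPrompt.InnerText -ne 'true') {
        $problems += 'User can still be prompted to trust an unknown server'
    }
    if ($null -eq $names -or [string]::IsNullOrWhiteSpace($names.InnerText)) {
        $problems += 'No RADIUS server name pinned'
    }
    if ($null -eq $rootCa -or [string]::IsNullOrWhiteSpace($rootCa.InnerText)) {
        $problems += 'No trusted root CA pinned'
    }

    $nameText = if ($names)  { $names.InnerText }  else { $null }
    $caText   = if ($rootCa) { $rootCa.InnerText } else { $null }

    [pscustomobject]@{
        Passed        = ($problems.Count -eq 0)
        ServerNames   = $nameText
        TrustedRootCA = $caText
        Reason        = ($problems -join '; ')
    }
}

# Constructed sample: a trimmed PEAP profile with all three checks satisfied.
# Host name and thumbprint are placeholders, not real values.
$sample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>nps01.corp.example</ServerNames>
              <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
            </ServerValidation>
          </EapType>
        </Eap>
      </Config>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>
'@

Test-WlanServerValidation -ProfileXml $sample
```

To run it against a real workstation, export the deployed profile first with `netsh wlan export profile name="<SSID>" folder="$env:TEMP"` and feed the file in with `Get-Content -Raw`. A profile that fails any of the three checks is exactly the one where a user could be talked into accepting a rogue access point's certificate, which is the pop-up the GPO setting above is meant to eliminate.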


Leaving the PEAP settings and going back to Security > Advanced, I left the following settings unchanged.


Network permissions


Once the GPO is deployed on the client side, you should see a pre-configured wireless connection with greyed-out check boxes and a message with an exclamation mark, stating that the connection settings are managed by the system administrator.