Windows 10 has built-in support for Flash in both Internet Explorer 11 and Microsoft Edge, but that doesn’t mean that you should use it! Even though that makes updating the Flash plugin much easier, as it is done using Microsoft Update/WSUS/Configuration Manager, there are still very many 0-day vulnerabilities and security issues in Flash. In most organisations there are no LOB applications or other productivity tools that use Flash. So why are you using Flash in your organisation? To be able to consume commercial ads on the Internet? Play games?
I know there are users/systems that require it, but disabling it on those systems that don’t need it is a good idea! Found this picture on Twitter somewhere and it visualizes it well, I think! 😉
So the next thing would be disabling Flash. For Internet Explorer it is easy: there is a Group Policy setting that we can do it with, as displayed below.
In Microsoft Edge, on the other hand, that is more of a challenge: there is no Group Policy setting to disable Flash with. We can solve this by using Group Policy Preferences.
1. Create a new Group Policy Preference setting in the User part of the GPO as it is a user setting in Edge.
2. The following key is the one that should be created:
[HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons]
"FlashPlayerEnabled"=dword:00000000
3. Add a registry entry in the GPP. I did it using the “Update” action, so if a handy user enables it again it will be disabled when the GPP is applied the next time.
4. The result will look something like this.
So when you start designing/testing/piloting Windows 10 in your organisation, why not do it without Flash enabled?!
There is no better time to make a change like this than when you roll out a new operating system, so your next big opportunity to do this will be with the release of… Wait, there are no new operating system versions coming, only Windows 10!
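To check on a client that the preference from steps 1 to 4 has actually applied, the PowerShell audit below reads the FlashPlayerEnabled value for every user hive currently loaded on the machine. It is an added example, not part of the original article; the function name Get-EdgeFlashState and the state labels are hypothetical, and it assumes HKCU\SOFTWARE\Classes is backed by HKEY_USERS\<SID>_Classes.

```powershell
# Added example (not from the article): report the Edge Flash value from step 2
# for every user hive currently loaded on this machine.
# Assumption: HKCU\SOFTWARE\Classes is backed by HKEY_USERS\<SID>_Classes.
# Run elevated to read hives other than your own.
$SubKey = 'Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\' +
          'Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons'
$ValueName = 'FlashPlayerEnabled'

function Get-EdgeFlashState {   # hypothetical helper name
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+_Classes$' } |
        ForEach-Object {
            $sid  = $_.PSChildName -replace '_Classes$', ''
            $path = "Registry::HKEY_USERS\$($_.PSChildName)\$SubKey"

            # Resolve the SID to an account name; orphaned SIDs stay as-is.
            try {
                $user = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value
            } catch {
                $user = $sid
            }

            # A missing key or value means the preference never applied.
            $item  = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
            $state = 'NotSet'
            if ($null -ne $item) {
                $state = if ($item.$ValueName -eq 0) { 'Disabled' } else { 'Enabled' }
            }

            [pscustomobject]@{ User = $user; Sid = $sid; Flash = $state }
        }
}

$report = @(Get-EdgeFlashState)
$report | Format-Table -AutoSize

# Anything other than 'Disabled' means the GPP has not taken effect for that user.
$drift = @($report | Where-Object { $_.Flash -ne 'Disabled' })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) loaded profile(s) without FlashPlayerEnabled=0"
}
```

Only hives of logged-on users are loaded, so run it while the users you care about have a session, or after a policy refresh.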
Just wanted to follow up this article with an update in the comments because it's the #1 result for “Disable Edge GPO” on Google. I work at a school and this is what I’ve put together for blocking Flash outright on machines. Microsoft has made the GPP workaround above obsolete by releasing real GPO management options for Edge:
Disable Flash on client computers:
CHROME:
(Requires Chrome ADMX template: https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip)
GPO: Administrative Templates > Google > Google Chrome > Content Settings > Default plugins policy > Enabled – dropdown set to “Block all plugins”
FIREFOX:
Uninstall Adobe Flash from system (NPAPI and PPAPI – just for safe measure)
IE:
GPO: Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management > “Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects” set to “Enabled”
EDGE:
(Requires ADMX template for Windows 10 build 1703: https://www.microsoft.com/en-us/download/details.aspx?id=55080)
GPO: Administrative Templates > Windows Components > Microsoft Edge > “Allow Adobe Flash” set to “Disabled”
Stand alone player (included with Adobe Animate CC / Adobe Flash Professional):
(Block using AppLocker or SRP)
Publisher: O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US
Product Name: SHOCKWAVE FLASH
File Name: SAFLASHPLAYER.EXE
File version: *
Thanks for that article. My question is: Is there a way to allow Flash for specific sites and turn it off for all others (say a kind of exception list)?