Disable Adobe Flash in IE

Posted on Posted in Uncategorized

The recent discovery of two Zero-day Adobe Flash vulnerabilities has prompted sys admins to disable Flash objects in Internet Explorer. We will show you some ways you can accomplish this. Keep in mind that the steps below are intended for Windows 8.x computers. 

Using GPO to Disable Adobe Flash

If you are using Active Directory then I would recommend that you disable Flash ActiveX via Group Policy (GPO). To do this go to your Group Policy Management Editor and enable the policy “Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects”. This policy is stored in Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management.

DisableFlashGPO

 

Modifying the Registry with PDQ Deploy

If you don’t want to use Group Policy to do this then you can modify the registry of the target machines using PDQ Deploy. As usual I need to give you the whole “If you modify the registry then all hell will break loose, your loved ones will simultaneously combust and free, at no extra charge, you will destroy your installation of Windows” speech. Consider that warning as read.

Moving on.

1. Create two Registry files. In my example I have called them DisableFlashIE.reg

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

 and DisableFlashIE64.reg

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

2. Create a Package in PDQ Deploy with two install steps called Disable Adobe Flash for IE (or the like).

In my first Install Step I have added DisableFlashIE.reg as the Install File.

DisableFlashIEPackage1

If you are running PDQ Deploy in Pro or Enterprise mode select the Conditions tab. For the O/S Version deselect everything except for Windows 8 and Windows 8.1. Under Architecture choose 32-bit.

DisableFlashIEPackage2

Create a second Install Step but this time point the Install File to DisableFlashIE64.reg. Under the Conditions tab for this Step choose the 64-bit Architecture (and make sure the O/S conditions are set to Windows 8 and 8.1).

3. Deploy the package to target computers. Obviously you’ll want to test this out on a few targets before committing to deploying to your entire organization. From your main PDQ Deploy window select your new package and hit the Deploy > Deploy Once button. Choose your target computers and deploy away.

Check back soon for my next blog post on using PDQ Inventory to find which machines have Flash for IE enabled.