Windows GPO: Disable Adobe Updater for CS3 and CS4

We’ve known for a while that Adobe updates are too frequent and too large and annoying when you have a couple of hundred machines on the network with the Master Collection installed. Recently, we installed Viewpoint to give us reporting from our Sonicwall firewall, and we saw the impact that Adobe updates had on our internet connection and it was staggering. Adobe updates and Apple iTunes updates were the bulk of our traffic, which is no mean feat when we have 900 Students in the Senior School on Facebook.

Viewpoint_AdobeUsage 
Web Usage Report from Viewpoint

Luckily, Adobe have a registry key that can be used to enable/disable the Adobe Updater, and pushing the entry out to clients via Group Policy seems like the sensible option
http://kb2.adobe.com/cps/408/kb408711.html

On Windows XP or Windows Vista

  1. Using Regedit.exe, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe
  2. Create a new Key in this folder named "Updater"
  3. Create a new DWORD value within this Key named "Enterprise with a value of "1"

To try it out, I created the registry entries on my local machine and imported the entries into a new GPO with the Registry Wizard (Right Click on Registry in the Computer Configuration, and select New –> Registry Wizard)

AdobeGPO1 
Registry Keys imported into GPO

 
AdobeGPO2 
Registry Entries, Action set to Update

It’s important to remember to still update the Adobe applications, especially Acrobat and Flash. The Sophos Security Threat Report 2010 highlights the need to keep these two applications up to date. Malicious code can be executed from flash files embedded in PDF documents, Sebastian Porst has a superb write up on dissecting the Adobe/Flash exploit here, if you’ve got 10 minutes grab a coffee and read up.

You can download the Acrobat Updates manually from Adobe, and push them out to clients with msiexec.exe, check AppDeploy for specifics with your version of Acrobat, but something like this would do the trick

msiexec /p "%installdir%\AcroProStdUpd910_T1T2_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

msiexec /p "%installdir%\AcrobatUpd912_all_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

Which is from the Adobe forums and push it out with a script or via GPO

Vista bug – Deletes Inactive Profile

vista Sometime ago now, but still worth sharing, we had an issue with our Vista tablets for Staff. The issue was with Vista, pre SP1 we think, and a Group Policy setting for deleting an inactive profile after 30 days. This GPO setting was a legacy setting that we had on the network to delete Student profiles on network machines that weren’t removed when they logged off.

After successfully rolling out the notebooks to staff, we think about a 30 days after the imaging, we had 4 panicked Staff call the IT Helpdesk within minutes of each other. Their machines had fouled up and restarted and when they logged in they had a fresh profile and all of their documents and email had disappeared!

After a some quick Googling we found Dave’s post on his blog and he’d had exactly the same experience. This is straight from Dave Says:

“Seems the domain controller software has a (Y/N) parameter to delete old profiles that have not been used for 30 days or more.
If set to Y, the software screws up when a terminal logging in is running either Vista or Server 2008 OS. In these instances, it sometimes concludes the current user profile has been inactive for 30 days & deletes it!

Solution is have your admin set parameter to N – apparently there was a note floating around back in the beta days last year – thanks for publicising it guys!”

Thanks to Dave, we immediately change the GPO setting and, luckily, didn’t have any more problems. It was interesting that we only had 4 notebooks with the problem, if it was all 55 we would have been in trouble, but this is what happens when you dive into a new OS I suppose…

More info from Dave Says