Installation blocked by group policy designed to prevent CryptoLocker

Similar Messages

• "This program is blocked by group policy"

  Hi all.
  I have searched Google a fair bit on this but shockingly I just can't find an actual answer.  The Group Policy forum is where I should have started rather than finally come to :)
  I am no genius with GP, I use it in the most basic ways in very small orgs.  My users appear to all have the same problem, when they insert a removable media device that has software on it that might run or autorun, I get the "This program
  is blocked by group policy, contact your admin" message.  I don't believe this ccurs with removable media just as just plain USB storage sticks.  So far the two examples I know of are for an Internet providers USB broadband mobility stick, and
  another user that is using some Kodak products (SD card, camera, and even the Kodak CD I think). 
  Environment is 2008 R2, Win7 Pro workstations, all users are local admin on their machine.  All users are in the default Users container, and all computers are in the Computer container.  To my recollection I have never set a GPO that would directly
  or indirectly cause all users problems like this.  The only thing that has had indirect consequences that I know of in the past, was because we use many of the options available under Folder Redirection, including redirecting the Desktop.  In some
  cases, when a user has tried to launch an exe or what not that was on the desktop, it failed because it's trying to launch in truth on their user folder on the server, not really on the Windows Desktop.  I'm not sure if that might impact my current problem. 
  To start, where can I go to actually check GPO's for this?  Is this the Software Restriction Policy?  If so, which one governs, the one in User Configuration or Copmputer Configuration?  In both cases I went to GPMC and under both, it would
  say I had to go to the Actions menu to create a New Software Restriction policy.  I did so (just picking the item in the Actions menu), and the resutlt was some choices under the actual GPO now, none of which I've yet configured. 
  So, I need to torublesahoot this ut also to know where such a thing causing this error message would be set under normal circumstances.  Also, could antivirus cause this?  I can't see the error saying "group policy" if it did though. 
  Thank you very much. 

  Hi,
  Thanks for posting your issue in the forum.
  Based on your description, I suspect that maybe Software Restriction Policy has been configured in the domain. At this time, I suggest we could try to collect the following information to narrow
  down the cause of the issue.
  GPMC.log
  ==================
  a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.
  b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
  user in the wizard)
  c. Right click 
  the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
  Once we get the report, please check if the Software Restriction Policy has been configured and applied to the problematic computers and users. If so, please disable the policy setting to see
  if the issue persists.
  In addition, please try to refer to the following articles for detailed information about Software Restriction Policy and how to troubleshoot Group Policy problems.
  Software Restriction Policies
  http://technet.microsoft.com/en-us/library/hh831534.aspx
  Troubleshooting Group Policy Problems
  http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx
  Hope this helps.
  Best Regards,
  Andy Qi
  TechNet Subscriber Support
  If you are
  TechNet Subscription user and have any feedback
  on our support quality, please send your feedback here.
  Andy Qi
  TechNet Community Support

• Programs Blocked by Group Policy - But Why?

  Hi, I'm hoping someone can help with this... I'm an IT technician and one of my clients has suddenly experienced an issue whereby they can no longer execute two programs without right clicking and selecting "Run As Administrator". This happened
  "out of the blue" and without any warning or trigger event. The user has been running this same configuration for months before this issue started happening. The only possible event was the user reported possibly running some sort of malware from
  an email attachment they thought was safe but later determined it came from an unknown source. HOWEVER, all current virus and malware scans come up clean.
  If they just click the icon and do a normal execute they receive the message "Program blocked by Group Policy". They are on a domain, however, there have been NO changes to any of the group policies AND no other users are experiencing the issue
  despite the fact all the users are contained in the same security group on the domain controller.
  The two programs this user can no longer execute, without elevation, are: AVG Antivirus Business edition and Symantec PC Anywhere.
  I've been all over google and made some recommended changes via gpedit.msc but nothing has helped so far. I also did a gpupdate and tried turning UAC on and off but the behaivor is the same regardless of the state of UAC.
  Anyone have any suggestions? Thanks much,
  --Rick

  The mailware may have put in a registry entry under policies that is
  causing yuor behaviour.
  As a last resort you could try this:
  Logon as an Administrator
  Navigate to HKLM\Software\Policies and nose around to see if anything
  there might be the cause.
  Next, Navigate to
  HKLM\Software\Microsoft\Windows\CurrentVersion\Policies and do the
  same.
  If nothing jumps out at you, back up both of these registry keys then delete them and then
  run GPUPDATE /FORCE and see if problem is still there.
  If so, try all the above steps again, but this time use HKCU instead
  of HKLM.
  Rick G.1 wrote:
  >
  >
  >Hi, I'm hoping someone can help with this... I'm an IT technician and one of my clients has suddenly experienced an issue whereby they can no longer execute two programs without right clicking and selecting "Run As Administrator". This happened
  "out of the blue" and without any warning or trigger event. The user has been running this same configuration for months before this issue started happening. The only possible event was the user reported possibly running some sort of malware from
  an email attachment they thought was safe but later determined it came from an unknown source. HOWEVER, all current virus and malware scans come up clean.
  >
  >If they just click the icon and do a normal execute they receive the message "Program blocked by Group Policy". They are on a domain, however, there have been NO changes to any of the group policies AND no other users are experiencing the
  issue despite the fact all the users are contained in the same security group on the domain controller.
  >
  >The two programs this user can no longer execute, without elevation, are: AVG Antivirus Business edition and Symantec PC Anywhere.
  >
  >I've been all over google and made some recommended changes via gpedit.msc but nothing has helped so far. I also did a gpupdate and tried turning UAC on and off but the behaivor is the same regardless of the state of UAC.
  >
  >Anyone have any suggestions? Thanks much,
  >
  >--Rick
  >
  >
  >
  Ha®®y

• "Blocked by group policy"

  My Photoshop Elements 10 will no longer work on my home computer. When I try to use it, a pop up will state " This program is blocked by group policy''. I am not aware of any changes that I have made to computer to cause this. Any ideas?

  Look in AppLocker to see if there are rules restricting things:
  http://www.sevenforums.com/tutorials/7844-applocker-create-new-rules.html
  If you know your way around your computer to some extent, open a command prompt, and get a report of your group policy settings, and post it in a message here.  Specifically:
  Start / Run / cmd
  C:\whatever> cd \
  C:\> gpreport /z > c:\gp.txt
  C:\> notepad c:\gp.txt
  In notepad:  Ctrl-A, Ctrl-C (to select all and copy the text)
  Paste the contents of the clipboard into a reply on the web version of the forum.

• "This program is blocked by group policy. Contact admin"

  This message comes us up when I try to manage accounts in the control panel. What do I do?

  Sounds like this has been blocked by Group Policy. Run a GPRESULT /h on the computer to see if this is being pushed to you as a Domain GPO. If so... contact you administrator and ask them about the restriction.
  Alan Burchill (MVP)
  http://www.grouppolicy.biz
  @alanburchill

• Group Policy Preference Power Plan "Blocked By Group Policy"

  I noticed this error in the application event log of a Windows 7 PC:
  Log Name:      Application
  Source:        Group Policy Power Options
  Date:          3/21/2013 3:19:42 AM
  Event ID:      4098
  Task Category: (2)
  Level:         Warning
  Keywords:      Classic
  User:          SYSTEM
  Computer:      xxx
  Description:
  The computer 'Power Plan (Windows Vista and later)' preference item in the 'Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}' Group Policy object did not apply because it failed with error code '0x800704ec This program is blocked by group
  policy. For more information, contact your system administrator.' This error was suppressed.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Group Policy Power Options" />
      <EventID Qualifiers="34305">4098</EventID>
      <Level>3</Level>
      <Task>2</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2013-03-21T10:19:42.000000000Z" />
      <EventRecordID>7687</EventRecordID>
      <Channel>Application</Channel>
      <Computer>xx</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data>computer</Data>
      <Data>Power Plan (Windows Vista and later)</Data>
      <Data>Windows 7 Desktop Power Plan {A078F08F-45CC-4209-A264-FE0CB5635A99}</Data>
      <Data>0x800704ec This program is blocked by group policy. For more information, contact your system administrator.</Data>
    </EventData>
  </Event>
  How can I find out exactly why it is not working?  "Blocked by group policy" is not specific enough.

  Hi,
  You can also enable GPP tracing and logging for more information:
  Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Power Options preference logging and tracing
  http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx
  Regards,
  Cicely
  There is no such option "Configure Power Options preference logging and tracing" at Computer
  Configuration\Policies\Administrative Templates\System\Group Policy\.
  It alphabetical order Always use local ADM files ... is followed by Disallow interactive users from generating ...  Not

• Group Policy design for Terminal Server

  Hi, I am mixed about group policy design for Terminal server
  My Infrastructure is so;
  Zone
        ->Department
                     ->User
                     ->Computers
        ->Department
                     ->User
                     ->Computers
        ->Department
                     ->User
                     ->Computers
  Server
         ->OtherServer
          ->TerminalServer (TerminalComputersGPO)
  I create two group policy for user and for terminal server computers (security filtered for Terminal_Users)
  I want to use terminal server user policy but it must effect
  just in terminal computers. not TS user's computers. what i must do? where i must locate it?
  Please click "Vote As Helpful" if it is helpful for you and "Propose as Answer"

  Hi Davut EREN - TAT,
  According to your description, you would like
  terminal server user policy applying to users which log on to terminal computers. Right?
  As MuhammadUmar's suggestion, you can use Loopback in replace mode. The GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup.
  In the real work environment Loopback processing of Group Policy is usually used on Terminal Servers. For example we have users with enabled folder redirection settings, but we do not want these folder redirection to work when the users log on to the
  Terminal Server, in this case we enable Loopback processing of Group s Computer account and do not enable the folder redirection settings.
  For more information about this policy, please refer to the following articles:
  Loopback processing with merge or replace
  Loopback processing of Group Policy
  Regards,
  Lany Zhang

• Software Installation Processing Alerts - Group Policy Failures?

  Hello,
  I am getting several errors reported by SCOM Software Installation Processing alert
  In the local event log I have:
  Warning 9/15/2014 11:09:37 AM GroupPolicy 1112 None
  Warning 9/15/2014 11:09:37 AM Application Management Group Policy 108 None
  Error 9/15/2014 11:09:37 AM Application Management Group Policy 103 None
  Warning 9/15/2014 11:09:37 AM Application Management Group Policy 101 None
  with the details:
  101 - The assignment of application SMS Client Setup Bootstrap from policy MITS Servers Software failed. The error was : %%1274
  103 - The removal of the assignment of application SMS Client Setup Bootstrap from policy MITS Servers Software failed. The error was : %%2
  108 - Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : %%1274
  1112 - The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
  - Computer Configuration > Policies > Administrative Templates > System > Group Policy > Policy > Startup policy processing is enabled 
  what does exactly this means?
  Thanks,
  Dom
  System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

  Hi,
  Yes the packaged is installed.
  Troubleshooting the issue deeper with http://support.microsoft.com/kb/249621/en-us is showing
  Software installation extension has been called for background policy refresh
  09-16 06:34:09:346
  Software installation extension has been called for background policy refresh
  The following policies are to be applied, flags are 11.
  MITS Servers Software (unique identifier {E76FB561-E177-421D-AE43-109EADEAD751})
  System volume path = \\ad.medctr.ucla.edu\sysvol\ad.medctr.ucla.edu\Policies\{E76FB561-E177-421D-AE43-109EADEAD751}\Machine
  Active Directory path = LDAP://CN=Machine,cn={E76FB561-E177-421D-AE43-109EADEAD751},cn=policies,cn=system,DC=ad,DC=medctr,DC=ucla,DC=edu
  Set the Active Directory path to LDAP://CN=Class Store,CN=Machine,cn={E76FB561-E177-421D-AE43-109EADEAD751},cn=policies,cn=system,DC=ad,DC=medctr,DC=ucla,DC=edu;.
  Enumerating applications in the Active Directory for computer MSVROFAS2 with flags 5.
  The following applications were found in policy MITS Servers Software.
  Assigned application SMS Client Setup Bootstrap (flags a0044c70).
  Found 1 applications in policy MITS Servers Software.
  Enumerating the managed applications which are currently applied to this user.
  No managed applications are currently applied to this user.
  Found 0 applications locally that are not included in the set of applications from the Active Directory.
  Application SMS Client Setup Bootstrap from policy MITS Servers Software is set for installation because it is assigned to this computer policy.
  Software installation extension cannot perform removal or install operations during asynchronous policy refresh and will force a synchronous foreground refresh.
  The assignment of application SMS Client Setup Bootstrap from policy MITS Servers Software failed. The error was : %1274
  Removing application SMS Client Setup Bootstrap from the software installation database.
  Calling Windows Installer to remove application advertisement for application SMS Client Setup Bootstrap from script C:\Windows\system32\appmgmt\MACHINE\{ecbf218d-0d04-4b00-a43e-91ba5c41d119}.aas.
  Windows Installer cannot remove application advertisement for application SMS Client Setup Bootstrap from script C:\Windows\system32\appmgmt\MACHINE\{ecbf218d-0d04-4b00-a43e-91ba5c41d119}.aas, error 2.
  The removal of the assignment of application SMS Client Setup Bootstrap from policy MITS Servers Software failed. The error was : %2
  Policy Logging for Software Management is attempting to log application SMS Client Setup Bootstrap from policy MITS Servers Software.
  Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : %1274
  Software installation extension has detected changes that require a synchronous foreground policy refresh.
  Software installation extension returning with final error code 1274.
  And this is happening hourly !!!
  This is the current status...
  Thanks,
  Dom
  System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

• Fireworks 8 Installation Problem via Group Policy

  Hi,
  We are trying deploy Studio 8 across our site using the
  provided MSI's and Group Policy following this guide -
  http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=332882
  I have created the mst files for all products and set them to
  be deployed by group policy. Dreamweaver, Flash, Contribute, Flash
  Video Encoder and Flash Extensions Manager all install fine however
  Fireworks will not, looking in the event log it doesn't even
  attempt to install. All folders have the same permissions, the MSI
  & MSTs are all part of the same Group Policy Object using the
  "Software Installation" method with the same permissions.
  Fireworks will install using MSIEXEC from the command line so
  the package and mst are fine.
  Has anyone else come across this problem?
  Thanks
  Matt

  We are having the same issue here at our NSW High School. I
  have traced the problem to be that Fireworks wants to deploy in
  Chinese (instead of English) and because of this it will not
  install. I am looking for a way to convert the msi file to an mst
  so I can choose English as the default install language.
  Hope this info is useful

• Drive Block using group policy

  Can Any one help me about this drive block 
  i am unable to block the E & F drive for all users. so please advice with clear steps of commands, how do i write the drive blocks script using the group policy in server 2012.
  However I tried through registry but still its not working. my only concern how to block few users accessing D drive and few users from F drive in the local system using group policy. 
  Thanks in advance.

  whats registry settings have you set ?

• This program is blocked by group policy ( on a computer running vista)

  I have read so much about the problem and tried about everything that everyone said to do. and it still has not fixed the problem. the problem I see is that most of the problems that I have read about the units are running something besides Vista. It seem
  to also have blocked me from down loading  programs and files. I need help on fixing this problem. I dont know what to try next. can someone help PLEASE. 

  Unfortunately your post is off topic here, in the TechNet Site Feedback forum, because it is not Feedback about the TechNet Website or Subscription.  This is a standard response I’ve written up in advance to help many people (thousands, really.)
  who post their question in this forum in error, but please don’t ignore it.  The links I share below I’ve collected to help you get right where you need to go with your issue.
  For technical issues with Microsoft products that you would run into as an
  end user of those products, one great source of info and help is
  http://answers.microsoft.com, which has sections for Windows, Hotmail, Office, IE, and other products. Office related forums are also here:
  http://office.microsoft.com/en-us/support/contact-us-FX103894077.aspx
  For Technical issues with Microsoft products that you might have as an
  IT professional (like technical installation issues, or other IT issues), you should head to the TechNet Discussion forums at
  http://social.technet.microsoft.com/forums/en-us, and search for your product name.
  For issues with products you might have as a Developer (like how to talk to APIs, what version of software do what, or other developer issues), you should head to the MSDN discussion forums at
  http://social.msdn.microsoft.com/forums/en-us, and search for your product or issue.
  If you’re asking a question particularly about one of the Microsoft Dynamics products, a great place to start is here:
  http://community.dynamics.com/
  If you really think your issue is related to the subscription or the TechNet Website, and I screwed up, I apologize!  Please repost your question to the discussion forum and include much more detail about your problem, that could include screenshots
  of the issue (do not include subscription information or product keys in your screenshots!), and/or links to the problem you’re seeing. 
  If you really had no idea where to post this question but you still posted it here, you still shouldn’t have because we have a forum just for you!  It’s called the Where is the forum for…? forum and it’s here:
  http://social.msdn.microsoft.com/forums/en-us/whatforum/
  Moving to off topic. 
  Thanks, Mike
  MSDN and TechNet Subscriptions Support

• Best Practice: Deploying Group Policy to Users on different OUs

  Greetings, everyone! I am needing some advice on how to deploy some group policy objects to specific users stored on different OUs.
  Let me set the stage: I work for a large school district, and have recently taken over the district's career center. The idea behind the career center is that students from different high schools around the city come in to take classes based on their choice
  of career, such as radio broadcasting or auto mechanic and such. The AD structure is set up so that each school has their own OU.  When a user (staff, student, etc.) is assigned to a school OU, they automatically are added to
  their school's security group (i.e. EASTHIGH-STUDENT), and that when any user moves from one school to another, we have to move their AD account to that school's OU, which will remove the security group from the old school and apply the new school
  security group.
  For the career center, since we have students coming from different buildings every day, rather than trying to find a way to move their AD account from their high school OU to the career center OU, the previous techs created generic accounts (such as tv001,
  tv002, etc.) in AD and stored them in the career center OU.  This way, teachers can assign students that particular generic account so that they can access the drives and printers from the career center, as well as access the career center network
  drives while they are at their home high school.
  Since I have moved to the career center, and apparently I have more knowledge about group policy than most of the techs in the district, the district system engineers want me to remove all of the generic accounts from the career center OU, and have students
  use their own AD accounts.  Obviously I also want to do this since the generic accounts are very confusing to me, but I'm trying to figure out the best way to do this.
  For simplicity sake, I'm just going to start off by figuring out how to set up a group policy for mapping the career center drives.  Now, I obviously know that the best way would be to create security groups for each career area, and that we would need
  to add students to those groups so that only those particular students would get the GPO for the career center, but my question is where would I like the group policies to?  Do I need to link it at the root of the domain so that every OU is hit? 
  Just curious about this.
  Thanks!

  Don't link it to the root.... apply the drive mapping as a policy at the OU or you could apply the drive mapping using Group Policy Preferences using security group targeting... .I would also strongly recommend you check out my articles
  Best Practice: Active Directory Structure Guidelines
  – Part 1
  Best Practice: Group Policy Design Guidelines – Part 2
  Hope it helps...

• Group Policy

  My Computer comes up with This program is blocked by group policy. For more info contact your system administrator.  What do I need to do to get rid of this and be able to download?  Thanks

  Bjoralemon,
  It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
  - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
  If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Group policy to disable command prompt and disable registry editter

  I have enabled in group policy that it prevents access to the command prompt and that it prevents access to registry editing tools and this doesnt seem to be taking effort on the test computer.

  https://technet.microsoft.com/en-us/library/cc975912.aspx
  and
  https://support.microsoft.com/en-us/kb/831787
  This counts for admins login in too! (can be annoying) 
  so I think http://www.computerstepbystep.com/registry_editor_windows_7.html may help!(very long winded/ bitty process) 
  I've found the best way is to leave the desktop locked down and use PSEXEC to make edits and changes. 

• Flash Player group policy installation

  Hi All,
  Consider the following scenario:
  BigCorp deploys thier Flash player the Group Policy Software Installation (GPSI).
  BigCorp rolls out the latest version of Flash player to thier site.  Although BigCorp has followed all thier testing plans, and not noticed errors - users begin to report issues with a line of business app which uses Flash.
  Admins at BigCorp disable the policy which installed the latest version of Flash payer, and re-enable the previous version.  Affected users reboot thier machines and they hang indefinatley at the GPSI instllation stage.
  This behaviour appears to be by design, but the behaviour of the installer is not sane at this point.
  I believe that this issue is caused by the feature noted at http://kb2.adobe.com/cps/402/kb402435.html - since removing HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer\SafeVersions prevents this from happening.  (Specific versions are listed, and appear to work as one might expect; i.e. remove the DWORD value at HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer\SafeVersions\10 and earlier versions can be installed)
  The reason for the indefinate wait during installation of a downlevel version appears to be that the installer is displaying a dialog box that has been suppressed by GPSI since it is, I imagine, waiting for a response from the user that it will never recieve. At this point the only way to allow the machine to complete a reboot is to either a)disonnect the network b) force the policy to fall out of scope.
  Evidence for this can be obtained from the %windir%\system32\macromed\Flash\install.log; specifically the line:
  MessageBox: 12582960,"The version of Adobe® Flash® Player ActiveX that you are trying to install is not the most current version. Please visit http://www.adobe.com/go/getflashplayer to obtain the latest, most secure version."
  Whilst I can understand (to some extent) the design of this feature - preventing the installation of an older client in this manner is disruptive to Adobe's clients.
  It would be advantageous if we could override this using an MSI property. For example the Safe Versions features is in effect, unless the notional IGNORESAFEVERSIONS property is set to 'YES'. (Perhaps Adobe could consider this a feature request?)
  This would afford protection for the maximum number of customers, but allow users with a business need to roll back to an older version of Flash player to shoulder the responisbility of running an older version.
  http://kb2.adobe.com/cps/141/tn_14157.html is NOT a sensible solution for customer who are relient on GPSI for Flash Player installation. Repeatedly running the downloadable uninstaller is not a sane thing to do, as far as I can tell.
  I've only tested this with the Adobe supplied MSI (not the in-browser installer) as I have thousands of machines to deploy this to.
  Does anyone else have issues with this, and how do you get around them?

  Hi,
  Apologies for digging up this thread but this issue has meant that I haven't deployed any updates to the Flash Player ActiveX since 10.0.45.2 for fear that it'll break my whole GP software deployment.
  Firstly, I don't think Adobe will ever do 'the right thing' and introduce a new MSI property to make the install ignore any existing SafeVersions registry keys because I don't think they can; the actual ActiveX install is a custom action that calls an external executable embedded within the MSI that doesn't use Windows Installer technology so it wouldn't be aware of any MSI properties.
  However, I've recently revisited this problem and I think I may have come up with a solution.
  The trick I've employed is to ensure that the HKLM\Software\Macromedia\FlashPlayer\SafeVersions registry key gets removed during the MSI uninstall routine.  To do this you need to modify the MSI to add a new row into the Registry table.
  You can do this by generating a transform using Orca, like so;
  Registry = [any unique value you like]
  Root = 2
  Key = Software\Macromedia\FlashPlayer\SafeVersions
  Name = *
  Value = [Blank]
  Component = ISRegistryComponent
  The important bit is the asterix against the Name value.  This tells the MSI to always remove that registry key upon uninstall no matter what existing values are contained within the key.  Once that key is gone you can install any other version of Flash Player you like, even older versions.
  This whole method of deployment relies on a couple of things to work though;
  You must ensure that Flash Player auto updates are turned off for all your workstations that have Flash Player installed using Group Policy. http://kb2.adobe.com/cps/167/16701594.html describes this method.  Note that for x64 machines you must place the MMS.CFG file under %systemroot%\SysWOW64\Macromed\Flash and not %systemroot\SysWOW64 like the document says.  This ensures that your users don't manually update Flash Player out of your control and with an MSI that doesn't employ the fix as above.
  Ensure that all future versions of Flash Player are pushed out using Group Policy and that you use the transform file above for each one.   If you do this you can roll back to a previous version without issue.
  Assign the MSI to your computers rather than users
  I've only ever 'replaced' Flash Player in Group Policy when rolling out a new version rather than upgrade it.  This means that the existing version is completely uninstalled before the new one.  That's not to say that upgrades won't work, it's just that I've never tried it.
  EDIT: 'Upgrading' previous MSI's works fine.
  One last thing to note though is if you've already assigned Flash Player using Group Policy you can directly modify the install_flash_player_10_active_x.msi that was used to include the above registry row (ie, not using a transform) and then re-deploy it.  This ensures that the SafeVersions key will be removed right from the start if it is ever uninstalled.  Of course, if any of your users have manually upgraded to a newer version since then this won't work - in that case you'll have to remove the SafeVersions key manually, perhaps using a VB script (ideally at machine shutdown).
  I hope this information helps anyone who's had a headache with deploying Flash Player through Group Policies.
  Cheers,
  Zinc
  Message was edited by: Zinc666