On October the 8th Adobe released a security update for Adobe Reader 11.0.4, version 11.0.5. This post will guide you through how to apply the security update to a slipstreamed Adobe Reader installation package. If you’d like to read more about the release from Adobe, you’ll find that here.

Instead of copying the process of how to create a slipstreamed installation package for Adobe Reader into this post, I’d advise you to look at my previous blog post that covers the process more in detail:

Since this is a security patch (11.0.5) released for a previous quarterly patch (11.0.4), the process of applying this security patch is quite simple. You’ll have to apply the patches in this order:

Adobe Reader base release 11.0.0 -> quarterly release 11.0.4 (which the security patch applies to) ->security patch 11.0.5

So by knowing this, we can go ahead and re-use the process of creating a slipstreamed installation package for Adobe Reader 11.0.4 and then apply the security patch 11.0.5 into that.

Applying the security patch

You can either follow the steps below or use this PowerShell script to automate things for you. If you choose to use the script, remember to create the MST file if you wish to customize the installation.

1. Perform the exact same steps in this blog post, until you reach Create a MST transform.
2. Download the following file to C:\AdobePatch\AdobeReaderDownloads (create the folder if it doesn’t exist):
ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.05/misc/AdbeRdrSecUpd11005.msp

3. When you have completed step 7 where you copied the Setup.ini file, run the following command from an elevated command prompt:

msiexec /a C:\AdobePatch\AIP\AcroRead.msi /qb /p AdbeRdrSecUpd11005.msp TARGETDIR=C:\AdobePatch\AIP

4. Now either go ahead and follow the blog post for Adobe Reader 11.0.4 to create the MST transform, or re-use one created earlier.

That’s all, easy as that!

Nickolaj Andersen
Principal Consultant and Enterprise Mobility MVP. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows deployments and Automation. In 2015 Nickolaj was awarded as PowerShell Hero by the community for his script and tools contributions. Author of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService and a frequent speaker at user groups.

(58)

comments
  • Jason
    Posted at 16:05 October 14, 2013
    Jason
    Reply
    Author

    Getting the following error when trying to run the listed command:

    “The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may be a different version of the program…”

    I followed your steps for 11.0.4 and it worked perfect. Any thoughts on why this isn’t working for 11.0.5?

    • Nickolaj
      Posted at 17:49 October 14, 2013
      Nickolaj
      Reply
      Author

      Hi Jason,

      I’d empty the AIP and start over in this order:

      11.0.0 -> 11.0.4 -> 11.0.5

      Regards,
      Nickolaj

      • Jason
        Posted at 16:29 October 15, 2013
        Jason
        Reply
        Author

        That did it. Thank you very much!

        • Nickolaj
          Posted at 16:34 October 15, 2013
          Nickolaj
          Reply
          Author

          Nice! You’re welcome.

  • Carol Smith
    Posted at 17:49 October 14, 2013
    Carol Smith
    Reply
    Author

    Just wanted to say “BLESS YOU!”

    • Nickolaj
      Posted at 18:06 October 14, 2013
      Nickolaj
      Reply
      Author

      Well thank you! 🙂

  • Peggy
    Posted at 21:06 October 18, 2013
    Peggy
    Reply
    Author

    Do we have to uninstall 11.0.4 from client machines before deploying the 11.0.5 AIP package?

    • Nickolaj
      Posted at 12:12 October 19, 2013
      Nickolaj
      Reply
      Author

      Hi Peg,

      Yes, when doing slipstreaming you always have to superscede the old version with the new. I recommend that you make use of the superscedence feature in the application model.

      Regards,
      Nickolaj

  • Erik
    Posted at 19:50 October 28, 2013
    Erik
    Reply
    Author

    What detection rule are you using? The MSI GUID remained the same since the last version, and for some reason detecting it using the date is not working for me at all. 🙁

  • Erik
    Posted at 20:06 October 28, 2013
    Erik
    Reply
    Author

    Oops, I just realized that I had left out the seconds in the file time. My bad!

    • Nickolaj
      Posted at 20:33 October 28, 2013
      Nickolaj
      Reply
      Author

      Hi Erik!

      I don’t use the Date detection method. Instead I use the Product ID + version. That works alot better in my experience!

      Regards,
      Nickolaj

  • james
    Posted at 22:13 November 2, 2013
    james
    Reply
    Author

    Hi and thanks for these posts! I was really confused on how to deploy Reader and subsequent updates, but this makes it a lot easier to understand.

    Question: you say that because this is slipstreamed it will not install “over” an existing installation of Adobe Reader. I noticed in the Customization Wizard though, you can choose to have the installer remove old versions of Reader. So, I guess I am wondering if I can safely deploy the newly transformed MSI and not worry about previous versions?

    Granted, I am not using SCCM, I plan on using GPOs for the time being to push software updates. Just curious, thanks for the good work!

    • Nickolaj
      Posted at 23:25 November 2, 2013
      Nickolaj
      Reply
      Author

      Hi James,

      Thank! That’s certainly a way to go, and since you’ll be doing it with GPO it sounds about right. I’ve chosen to rely on the supersedence by the application model though.

      Regards,
      Nickolaj

  • Rich
    Posted at 18:26 December 6, 2013
    Rich
    Reply
    Author

    If I understand the Adobe Workflow for updates, using the following method:
    Base 11.0.0 -> Quarterly 11.0.4 -> Security 11.0.5

    what happens when Adobe publishes a quarterly 11.0.6? Will I have to recreate the AIP to: 11.0.0 -> 11.0.6 ?

    • Nickolaj
      Posted at 14:34 December 7, 2013
      Nickolaj
      Reply
      Author

      Hi Rich,

      That’s correct!

      Regards,
      Nickolaj

  • Norman The Normal German Gerbil
    Posted at 17:56 December 18, 2013
    Norman The Normal German Gerbil
    Reply
    Author

    You can go from 11.0.0 to 11.0.05 in one command by “Chaining Updates”. Like so:

    msiexec /a C:\AdobePatch\AIP\AcroRead.msi /qb /p “AcrobatUpd11004.msp;AdbeRdrSecUpd11005.msp” TARGETDIR=C:\AdobePatch\AIP

    http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/cmdline.html?#chaining-updates

    • Nickolaj
      Posted at 18:08 December 18, 2013
      Nickolaj
      Reply
      Author

      That’s a great tip, thanks for sharing!

      Regards,
      Nickolaj

    • james
      Posted at 20:55 January 8, 2014
      james
      Reply
      Author

      I am attempting to create my AIP by running msiexec with chained updates to save a couple steps, but I get an error about “This patch could not be opened. Verify the patch package exists…”

      Any idea what I am doing wrong?

      • Nickolaj
        Posted at 21:03 January 8, 2014
        Nickolaj
        Reply
        Author

        Hi Norman,

        It would be helpful to know what steps you have taken to get the error. What command lines have you used?

        Regards,
        Nickolaj

  • B Sod
    Posted at 18:42 December 24, 2013
    B Sod
    Reply
    Author

    So with supersedence it will completely uninstall the earlier version of Adobe Reader/Acrobat then it will install the new version?

    Wouldn’t that take very long time compared to just using MSP to patch?

    • Nickolaj
      Posted at 22:59 January 3, 2014
      Nickolaj
      Reply
      Author

      Hi,

      You’re correct, it takes slightly longer for the installation process. But in my opinion that’s not an issue, since the installation is not putting any load on the ConfigMgr servers but only the clients. And normally you’d update applications when the user is not using the computer e.g. over a night or during the weekend. But again, this is not the only way you can deal with Adobe Reader and its updates, it’s just a way that I recommend to do it with ConfigMgr since it’s proven to work flawlessly.

      Regards,
      Nickolaj

  • Nate
    Posted at 21:42 June 3, 2014
    Nate
    Reply
    Author

    I followed your instructions and created a package for Reader 11.0.06. I noticed recently with the release of 11.0.07 that machines I installed my custom package on are prompting for an update but it says it is installing 11.0.06, it runs the update and says it installed successfully but if I check for updates from the help menu it finds an update for 11.0.06 again, infinite loop. I used the customization wizard to create this package and left the product updates enabled so that I wouldn’t have to deploy further updates or revisit the machines. Does the customization somehow point the updates check to my deployment share? What is going on with the update for 11.0.06 installing infinite loop?

    I’m working on creating a custom package for 11.0.07 now so I’d like to correct this problem. Any ideas?

    • Nickolaj
      Posted at 14:22 June 6, 2014
      Nickolaj
      Reply
      Author

      Hi Nate,

      I’m not really sure why you’ve done the way you have. Is your goal to deploy and forget about Adobe Reader? If that’s it, I’d not recommend you to do that. Instead make use of Applications with supersedence in ConfigMgr.

      Regards,
      Nickolaj

      • Nate
        Posted at 16:37 August 14, 2014
        Nate
        Reply
        Author

        Sorry, I guess my challenge is that I don’t have SCCM in our environment. We’re using MDT and I was attempting to install a vanilla install of reader with deployment of an image so we didn’t have to include it in our base image then have to update after deployment to whatever the newest version of reader is at the time. I’ve left reader updates enabled in the package I created hoping it would continue as a vanilla install and get its updates from the internet. This does not appear to be the case though as the 11.0.07 package I created does the same thing now that 11.0.08 is out. I may have to abandon deploying reader with MDT and just make it part of the base image then update as needed. Any other suggestions?

  • Ulysses
    Posted at 21:23 July 15, 2014
    Ulysses
    Reply
    Author

    As I go through the above thread, I noticed some good suggestions/advise and you (Nikolaj), are doing a good job sharing. I’ve just started using SCCM 2012 (upgrading from SCCM 2007)

    My question is: What detection method do you use for multiple .msp files that Adobe products needs. I have a bunch of .msp’s for different Adobe products and I don’t seem to get handle on this. Thanks for your attention.

    Ulysses

    • Nickolaj
      Posted at 07:26 July 16, 2014
      Nickolaj
      Reply
      Author

      Hi Ulysses,

      Thanks for the kind words. As with the Adobe Reader installation files and upgrades, you make use of the method called slipstreaming. I’ve written a few posts about this and how you can do it. My latest post is about how you can have PowerShell create the slipstreamed package for you directly, check it out:

      http://www.scconfigmgr.com/2014/01/16/slipstream-adobe-reader-with-powershell/

      Regards,
      Nickolaj

  • Alex
    Posted at 17:19 November 4, 2014
    Alex
    Reply
    Author

    Are you deploying Adobe Reader MUI (Multilingual)? The detection method doesn’t work for me when I use the Product code (GUID) and specify the version (11.0.09). In the Deployment Status, it says that the client is Already Compliant even though it has version 11.0.00 installed.

    -Alex

  • Leave a Reply