MSEndpointMgr

Deploy Adobe Reader 11.0.5 with ConfigMgr 2012 SP1

On October the 8th Adobe released a security update for Adobe Reader 11.0.4, version 11.0.5. This post will guide you through how to apply the security update to a slipstreamed Adobe Reader installation package. If you’d like to read more about the release from Adobe, you’ll find that here.
Instead of copying the process of how to create a slipstreamed installation package for Adobe Reader into this post, I’d advise you to look at my previous blog post that covers the process in more detail:

Since this is a security patch (11.0.5) released for a previous quarterly patch (11.0.4), the process of applying this security patch is quite simple. You’ll have to apply the patches in this order:
Adobe Reader base release 11.0.0 -> quarterly release 11.0.4 (which the security patch applies to) -> security patch 11.0.5
Knowing this, we can re-use the process of creating a slipstreamed installation package for Adobe Reader 11.0.4 and then apply the security patch 11.0.5 to that.

Applying the security patch

You can either follow the steps below or use this PowerShell script to automate things for you. If you choose to use the script, remember to create the MST file if you wish to customize the installation.
1. Perform the exact same steps in this blog post, until you reach Create a MST transform.
2. Download the following file to C:\AdobePatch\AdobeReaderDownloads (create the folder if it doesn’t exist):
ftp://ftp.adobe.com/pub/adobe/reader/win/11.x/11.0.05/misc/AdbeRdrSecUpd11005.msp
3. When you have completed step 7 where you copied the Setup.ini file, run the following command from an elevated command prompt:

msiexec /a C:\AdobePatch\AIP\AcroRead.msi /qb /p C:\AdobePatch\AdobeReaderDownloads\AdbeRdrSecUpd11005.msp TARGETDIR=C:\AdobePatch\AIP

4. Now either go ahead and follow the blog post for Adobe Reader 11.0.4 to create the MST transform, or re-use one created earlier.
That’s all, easy as that!
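The patch in step 2 is fetched over plain FTP, which gives no integrity protection, so it is worth checking its Authenticode signature before slipstreaming it into the AIP. The sketch below is an added example, not the author's script linked above: it verifies the signature, runs the msiexec call from step 3 with an exit-code check, and reads the AIP's ProductVersion before and after. The log path and the `O=Adobe` signer match are assumptions.

```powershell
# Added example (not the author's script); paths and file names are the ones used in this post.
$PatchPath = 'C:\AdobePatch\AdobeReaderDownloads\AdbeRdrSecUpd11005.msp'
$AipDir    = 'C:\AdobePatch\AIP'
$AipMsi    = Join-Path -Path $AipDir -ChildPath 'AcroRead.msi'
$LogPath   = Join-Path -Path $env:TEMP -ChildPath 'AdobeReaderAIP.log'   # assumed log location

function Test-PatchSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Plain FTP gives no integrity protection, so check the file's Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is '$($sig.Status)': $($sig.StatusMessage)"
    }
    # Assumption: the signer subject names Adobe as the organization.
    if ($sig.SignerCertificate.Subject -notmatch 'O=Adobe') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    return $sig.SignerCertificate
}

function Get-MsiProperty {
    param([Parameter(Mandatory)][string]$MsiPath, [Parameter(Mandatory)][string]$Name)
    # Query the MSI Property table through the Windows Installer COM API (read-only).
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
        $sql  = "SELECT Value FROM Property WHERE Property = '$Name'"
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
        [void]$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { return $null }
        return $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
    }
    finally {
        # Release every COM handle so msiexec can write to the MSI afterwards.
        foreach ($o in $rec, $view, $db, $installer) {
            if ($null -ne $o) { [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o) }
        }
    }
}

$signer = Test-PatchSignature -Path $PatchPath
Write-Output "Patch signed by: $($signer.Subject)"
# Per the patch order above, the AIP should be at the 11.0.4 quarterly level at this point.
Write-Output "AIP ProductVersion before: $(Get-MsiProperty -MsiPath $AipMsi -Name 'ProductVersion')"

# The msiexec call from step 3, with full paths and a verbose log.
$msiArgs = "/a `"$AipMsi`" /qb /p `"$PatchPath`" TARGETDIR=`"$AipDir`" /L*v `"$LogPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
Write-Output "AIP ProductVersion after: $(Get-MsiProperty -MsiPath $AipMsi -Name 'ProductVersion')"
```

Run it from an elevated PowerShell session after step 7 of the 11.0.4 procedure. If the "before" version is not at the quarterly level, the patch will not apply.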

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including Nordic user groups.

27 comments

  • Are you deploying Adobe Reader MUI (Multilingual)? The detection method doesn’t work for me when I use the Product code (GUID) and specify the version (11.0.09). In the Deployment Status, it says that the client is Already Compliant even though it has version 11.0.00 installed.
    -Alex

  • As I go through the above thread, I noticed some good suggestions/advice and you (Nickolaj), are doing a good job sharing. I’ve just started using SCCM 2012 (upgrading from SCCM 2007)
    My question is: What detection method do you use for multiple .msp files that Adobe products need. I have a bunch of .msp’s for different Adobe products and I don’t seem to get a handle on this. Thanks for your attention.
    Ulysses

  • I followed your instructions and created a package for Reader 11.0.06. I noticed recently with the release of 11.0.07 that machines I installed my custom package on are prompting for an update but it says it is installing 11.0.06, it runs the update and says it installed successfully but if I check for updates from the help menu it finds an update for 11.0.06 again, infinite loop. I used the customization wizard to create this package and left the product updates enabled so that I wouldn’t have to deploy further updates or revisit the machines. Does the customization somehow point the updates check to my deployment share? What is going on with the update for 11.0.06 installing infinite loop?
    I’m working on creating a custom package for 11.0.07 now so I’d like to correct this problem. Any ideas?

    • Hi Nate,
      I’m not really sure why you’ve done it the way you have. Is your goal to deploy and forget about Adobe Reader? If that’s it, I’d not recommend you to do that. Instead make use of Applications with supersedence in ConfigMgr.
      Regards,
      Nickolaj

      • Sorry, I guess my challenge is that I don’t have SCCM in our environment. We’re using MDT and I was attempting to install a vanilla install of reader with deployment of an image so we didn’t have to include it in our base image then have to update after deployment to whatever the newest version of reader is at the time. I’ve left reader updates enabled in the package I created hoping it would continue as a vanilla install and get its updates from the internet. This does not appear to be the case though as the 11.0.07 package I created does the same thing now that 11.0.08 is out. I may have to abandon deploying reader with MDT and just make it part of the base image then update as needed. Any other suggestions?

  • So with supersedence it will completely uninstall the earlier version of Adobe Reader/Acrobat then it will install the new version?
    Wouldn’t that take a very long time compared to just using MSP to patch?

    • Hi,
      You’re correct, it takes slightly longer for the installation process. But in my opinion that’s not an issue, since the installation is not putting any load on the ConfigMgr servers but only the clients. And normally you’d update applications when the user is not using the computer e.g. over a night or during the weekend. But again, this is not the only way you can deal with Adobe Reader and its updates, it’s just a way that I recommend to do it with ConfigMgr since it’s proven to work flawlessly.
      Regards,
      Nickolaj

    • I am attempting to create my AIP by running msiexec with chained updates to save a couple steps, but I get an error about “This patch could not be opened. Verify the patch package exists…”
      Any idea what I am doing wrong?

      • Hi Norman,
        It would be helpful to know what steps you have taken to get the error. What command lines have you used?
        Regards,
        Nickolaj

  • If I understand the Adobe Workflow for updates, using the following method:
    Base 11.0.0 -> Quarterly 11.0.4 -> Security 11.0.5
    what happens when Adobe publishes a quarterly 11.0.6? Will I have to recreate the AIP to: 11.0.0 -> 11.0.6 ?

  • Hi and thanks for these posts! I was really confused on how to deploy Reader and subsequent updates, but this makes it a lot easier to understand.
    Question: you say that because this is slipstreamed it will not install “over” an existing installation of Adobe Reader. I noticed in the Customization Wizard though, you can choose to have the installer remove old versions of Reader. So, I guess I am wondering if I can safely deploy the newly transformed MSI and not worry about previous versions?
    Granted, I am not using SCCM, I plan on using GPOs for the time being to push software updates. Just curious, thanks for the good work!

    • Hi James,
      Thanks! That’s certainly a way to go, and since you’ll be doing it with GPO it sounds about right. I’ve chosen to rely on the supersedence by the application model though.
      Regards,
      Nickolaj

    • Hi Erik!
      I don’t use the Date detection method. Instead I use the Product ID + version. That works a lot better in my experience!
      Regards,
      Nickolaj

  • What detection rule are you using? The MSI GUID remained the same since the last version, and for some reason detecting it using the date is not working for me at all. 🙁

  • Do we have to uninstall 11.0.4 from client machines before deploying the 11.0.5 AIP package?

    • Hi Peg,
      Yes, when doing slipstreaming you always have to supersede the old version with the new. I recommend that you make use of the supersedence feature in the application model.
      Regards,
      Nickolaj

  • Getting the following error when trying to run the listed command:
    “The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may be a different version of the program…”
    I followed your steps for 11.0.4 and it worked perfect. Any thoughts on why this isn’t working for 11.0.5?
