Keeping third-party applications up-to-date

Keeping third-party applications up to date is a very important step in patching security vulnerabilities in your applications. Microsoft applications are updated through WSUS or Software Update. Next come the most commonly hit applications, such as Adobe and Java, which are targeted simply because they integrate with Internet browsers.

The safest browser right now is Microsoft Edge.

Why, you may ask? Because Google Chrome, Internet Explorer and Firefox have been on the market much longer and have far more users. Attackers simply attack where they can have the largest possible impact.

The Internet Explorer that comes with Windows 10 has its own Flash and is now updated through the Microsoft Update channel. This means that you may wish to consider a dedicated Automatic Deployment Rule (ADR) so that this product is updated more frequently than others.

How to do it…

But how do you keep the old Java and Adobe Flash Player up to date?

Don't forget to remove older versions of Java. If computers have both Java 6 and Java 7, updating Java 7 won't automatically remove Java 6. You have to deal with this yourself.

Below are some simple command lines that you can use as an example, put in a batch file and deploy to computers. They simply uninstall old Java versions without any further interaction.

How to do it…

A script like this can uninstall old versions of software such as Java:
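The uninstall step described above, as an added PowerShell example (it is not the book's own batch commands). It assumes Java was installed through MSI, so each version's Uninstall registry key is named after the product code that msiexec /x accepts; the display-name pattern is likewise an assumption about how Java registers itself.

```powershell
# Added example, not the book's script. Removes every installed Java runtime
# except the newest version. Assumption: Java was installed by MSI, so each
# version's Uninstall registry key is named after its MSI product code.
[CmdletBinding(SupportsShouldProcess)]
param()

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Match "Java 7 Update 80" and "Java(TM) 6 Update 45", but not "Java Auto Updater".
$java = @(
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match '^Java(\(TM\))? \d+( Update \d+)?' -and
            $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' -and
            ($_.DisplayVersion -as [version])
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = [version]$_.DisplayVersion
                ProductCode = $_.PSChildName
            }
        }
)

if ($java.Count -eq 0) { Write-Output 'No Java runtime found.'; exit 0 }

# Keep every entry at the highest version (32-bit and 64-bit may coexist).
$newest = ($java | Sort-Object Version -Descending | Select-Object -First 1).Version
$failed = 0

foreach ($old in $java | Where-Object { $_.Version -lt $newest }) {
    if (-not $PSCmdlet.ShouldProcess($old.Name, 'Uninstall')) { continue }
    $msiArgs = "/x $($old.ProductCode) /qn /norestart"
    $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is still pending.
    if ($proc.ExitCode -notin 0, 3010) { $failed++ }
    Write-Output "$($old.Name) $($old.Version): msiexec exit $($proc.ExitCode)"
}

# A non-zero exit code lets the deployment report the failure.
exit $failed
```

Run it with -WhatIf first to list what would be removed. If the deployment starts a 32-bit PowerShell host on 64-bit Windows, registry redirection hides the 64-bit Uninstall entries, so launch the 64-bit host in that case.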

Be aware that when you use the like operator and % wildcards in collection queries, you burn more processing time on your SQL or SCCM servers. So, if you have a lot of these and plan to keep the collections for a long time, consider more specific queries that use = with the exact name and no %.

I often use the quick and simple way and use a Software Package for this, but you might, with some more work, make it even smoother with the new Software Application form. This one works with very little fuss. The users will not notice anything, and that is what I wanted.

How to do it…

Second, I would run this with the Environment setting Only when no user is logged on.

This avoids the many processes and components that would otherwise be in use when the job runs, and makes the job more likely to succeed. You might think: but our users never log off?

Yes, but from my experience, if you're not in a hurry to get the job done as soon as possible, this will run eventually when the users shut down and reboot their machines. And yes, many users do not even do this on a regular basis. Here we touch on something that I see as a big security issue, because I see computers that haven't been rebooted for two or three months, and that means you're not forcing a reboot with your Software Update or WSUS policy. This is of course much more convenient and pleasant for the end users, and for IT departments that want to be nice, but not when it comes to fulfilling their responsibility to maintain the most secure environment possible. There is also the fact that the goal is to get more successful application deployments too. When computers are hanging around with a lot of pending reboots on their operating system, this interferes with application installs. This is mostly because Windows isn't securely patched until the reboot is done; the .dll and .sys files, among others, are not replaced with the new patched files until the reboot.

But isn't there a smoother way of keeping third-party applications up-to-date?

Yes, there is. You can use System Center Updates Publisher (SCUP), and there are several other products which are far more advanced and include zero-day vulnerability analysis. Zero-day vulnerabilities are undisclosed computer-software vulnerabilities that hackers can take advantage of. You can read more about this in Chapter 8, Malware Handling.

Finally, I want to mention something that should be considered good practice and a necessary safety precaution in all kinds of deployment, and it only takes a few seconds when creating the package, application, task sequence or similar. You have to specify exactly which operating systems this job is allowed to run on.

Why is this important? It may save you from accidentally targeting systems that you don't want to target, such as servers or platforms that aren't suited for this deployment.

This is as important as it is often forgotten. I strongly advise you to set it on your OS deployment Task Sequences.

How to do it…

Platform selection for the program
