15.01.2013 UPDATE: New Query
As you probably already know, Oracle just released a Java update to patch two critical vulnerabilities, including one that had been exploited in ongoing and accelerating attacks. https://blogs.oracle.com/security/entry/october_2012_critical_patch_update
So I thought this was as good a time as ever to make a little list of tips that could be helpful for keeping Java up to date.
Yes, there is a built-in feature that will auto-update Java, but it requires that you have local administrative rights on your computer, which is NOT recommended in a business environment.
So instead you use SCCM or MDT to deploy and update applications.
- Let's start by downloading the Offline installer: http://java.com/en/download/manual.jsp
Extract MSI file
- When it's downloaded you will notice that it is an EXE file. It is possible to deploy it like that, but I recommend extracting it and deploying an MSI instead. (An MSI file includes a lot of information, which makes installation programs and detection rules easier to set up.)
- Start the Offline Installer. When you are prompted with the welcome screen, the installer has extracted the files for you.
- Cancel the installation and fetch the files from C:\Users\%username%\AppData\LocalLow\Sun\Java
There is a folder for each version. Copy the latest, in my case "jre1.7.0_11", to your server / source files share. It should contain an MSI and a CAB file.
- In your SCCM console, right-click the Software Distribution Package node and choose “New” – “Package From Definition”. It will automatically create programs for you, like “Per – System Unattended”.
- Now that you have created an installation program, you want to deploy it to all clients that have an old version. Create a new collection. My structure looks like this: Collections Software Distribution Java Upgrade to Java 7 Update 11
- Right-click the newly created collection, go to Properties and then “Membership Rules”, and create a new query. Call it something nice and import the following Query Statement:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.ResourceID not in
  (select SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID
   from SMS_G_System_ADD_REMOVE_PROGRAMS
   where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Java 7 Update 11"
   and SMS_G_System_ADD_REMOVE_PROGRAMS.Version = "7.0.110")
Now you have a dynamic collection which will contain all systems that have an old version of Java installed.
You can now distribute the program we created earlier to this collection. Remember that the browser needs to be closed before you start the installation or it may fail.
Disable Java Update Tab and also Updates and Notifications
This can be accomplished either by GPO Preferences, by a script, or in a Task Sequence together with the Java program. I prefer the first one.
reg add "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 00000000 /f
reg add "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v NotifyDownload /t REG_DWORD /d 00000000 /f
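To confirm the result on a client, the following PowerShell script (an added example, not part of the original post) checks that the JRE named in the collection query is the only one installed and that both policy values above are set to 0. It assumes that the query's Version field corresponds to DisplayVersion in the Uninstall registry keys, that a 32-bit JRE on 64-bit Windows registers under Wow6432Node, and that JRE entries are named like "Java 7 Update 11" or "Java(TM) 6 Update 37".

```powershell
# Added example, not from the original post. Target values come from the collection query.
$TargetName    = 'Java 7 Update 11'
$TargetVersion = '7.0.110'

# Assumption: on 64-bit Windows a 32-bit JRE registers under Wow6432Node, so both views are checked.
# Run from a 64-bit PowerShell host; a 32-bit host is redirected to Wow6432Node for both paths.
$SoftwareRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

function Get-InstalledJava {
    foreach ($root in $SoftwareRoots) {
        $uninstall = "$root\Microsoft\Windows\CurrentVersion\Uninstall"
        if (-not (Test-Path $uninstall)) { continue }
        foreach ($key in Get-ChildItem $uninstall) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            # Assumed JRE naming pattern; excludes entries such as "Java Auto Updater".
            if ($p.DisplayName -match '^Java(\(TM\))? \d+( Update \d+)?') {
                New-Object PSObject -Property @{
                    View    = $root
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    # Exact match on both fields, as in the collection query.
                    Current = ($p.DisplayName -eq $TargetName -and $p.DisplayVersion -eq $TargetVersion)
                }
            }
        }
    }
}

function Get-JavaUpdatePolicy {
    foreach ($root in $SoftwareRoots) {
        if (-not (Test-Path "$root\JavaSoft")) { continue }   # no JRE in this registry view
        $policy = "$root\JavaSoft\Java Update\Policy"
        $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Key      = $policy
            # $null -eq 0 is $false, so a missing key or value counts as "not disabled".
            Disabled = ($p.EnableJavaUpdate -eq 0 -and $p.NotifyDownload -eq 0)
        }
    }
}

$java   = @(Get-InstalledJava)
$policy = @(Get-JavaUpdatePolicy)
$java   | Format-Table View, Name, Version, Current -AutoSize
$policy | Format-Table Key, Disabled -AutoSize

# Non-compliant if no JRE is found, a non-target JRE is still present, or updates are still enabled.
$old = @($java   | Where-Object { -not $_.Current })
$on  = @($policy | Where-Object { -not $_.Disabled })
if ($java.Count -eq 0 -or $old.Count -gt 0 -or $on.Count -gt 0) { exit 1 } else { exit 0 }
```

Save it as a .ps1 file so the exit code (0 compliant, 1 not) can be picked up by whatever runs it. A policy key reported as not disabled under Wow6432Node means the reg add commands only reached the 64-bit registry view.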
I will update this post later with more info regarding a more user-friendly way to perform the installation, with a free tool from the mighty CoreTech: http://blog.coretech.dk/kea/running-a-custom-notification-before-installing-a-program-with-configuration-manager/