Channel: Symantec Connect: Patch Management

Updating Java through Managed Software Delivery Policy (Updated article)


I previously wrote up my Java update process as an article for 7 update 45, but when 7 update 51 came out our users were still presented with an update Java prompt.  To simplify the process for myself going forward, I decided to post another article, hopefully making it simpler and correcting my prior mistakes.  There’s some great feedback in the comments on the prior post that might be valuable if you haven’t checked it out yet; it’s here.

Here's my process now for updating Java via Managed Software Delivery Policy:

1)      Download the latest offline .exe installer from  http://www.java.com/en/download/manual.jsp or http://www.oracle.com/technetwork/java/javase/downloads/index.html

2)      Extract the MSI

a.      Download the Windows Offline Installation executable (.exe) file and launch it in GUI mode.
b.      When the Welcome to Java window appears, do not click the Install button; instead, navigate to the LocalAppData folder (the user Application Data folder). The location of the LocalAppData folder differs for each Windows platform.
Note: You can also navigate directly to the APPData folder by typing %APPDATA% in the Windows Explorer address bar or in Run.

i.     Windows Vista and Windows 7 - C:\Users\<user>\AppData\LocalLow\Sun\Java\jre<version_number>
ii.    Windows XP - C:\Documents and Settings\<user>\Local Settings\ApplicationData\Sun\Java\jre<version_number>
iii.   Windows 2000 - C:\Documents and Settings\<user>\ApplicationData\Sun\Java\jre<version_number>

         More info here: http://www.java.com/en/download/help/msi_install.xml

3)      Copy the .cab and .msi files to a folder on the desktop

4)      Create (or copy existing) deployment.config and deployment.properties files in the same folder as the .cab and .msi. These are plain text files.

a.      Our deployment.config file contains the following 2 lines


deployment.system.config.mandatory=true
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties

b.      Our deployment.properties file is as follows (some prior keys mentioned in the other thread are outdated now).  We have to set the security level to 'medium' for one of our apps to run, which is probably not advised if you can get away with 'high'.

deployment.expiration.check.enabled=false
deployment.security.mixcode=HIDE_RUN
deployment.javaws.shortcut.locked
deployment.javaws.shortcut=NEVER
deployment.security.level=MEDIUM

You can add more options to the properties file based on what’s available in the current release. See http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/properties.html

The folder on the desktop should now have 4 files: data1.cab, deployment.config, deployment.properties, and the .msi file.

5)      Open CMS and navigate to Manage – Software Catalog - Import

6)      Click the plus button and navigate to the folder where all 4 Java-related files exist, select all the files and then select Open

7)      Make sure the .msi file is bolded; if not, highlight it and select “Set Installation File”

8)      Select Next and the files upload to CMS.  Edit the name, etc. as desired. Leave the checkbox checked for edit software resource… Select OK.

9)      On the Package tab, delete Install, Install no UI and Install for all users, leaving just the Install for all users with no UI, Repair and Uninstall options (this is not necessary).  Our “Install for all users with no UI” command line looks like

a.      Ex msiexec.exe /i "jre1.7.0_51.msi" AUTOUPDATECHECK=0 IEXPLORER=1 JAVAUPDATE=0 JU=0 MOZILLA=1 /qn ALLUSERS=2

10)   Detection rule is auto created.  For Applicability, enter as needed (I leave mine at default).  Click OK to save.

11)   Navigate to your CMS sharepoint \\cms\SoftwareLibrary and find the UUID of the folder uploaded (latest time /date stamp).  This is the same UUID folder name that gets copied locally to workstation when rolling out.

12)   Create a command script task to copy the deployment files to the right location.  My script also includes lines to delete the Java Update registry key if it exists, because some people had this from previous versions and the Java 7 51 installer wasn’t clearing it, which left the update tab in the control panel app.  Here’s an example script – replace 9f283b6e-34b5-4e23-a171-82d3axxxxxxx with the UUID from step 11.

rem Copy the deployment files from the package cache to the system-level Java deployment folder
xcopy "C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{9f283b6e-34b5-4e23-a171-82d3axxxxxxx}\cache\deployment.config" C:\Windows\sun\java\deployment\ /y
xcopy "C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{9f283b6e-34b5-4e23-a171-82d3axxxxxxx}\cache\deployment.properties" C:\Windows\sun\java\deployment\ /y
rem Make sure the Java Update key exists, then delete it together with everything under it
reg add "HKLM\Software\JavaSoft\Java Update\Test" /f
reg delete "HKLM\Software\JavaSoft\Java Update" /f

13)   Create a VBScript to remove previous versions of Java if needed.  I got my script from the “serverkudsk” comment in this thread.  I changed the line strCurrentVersion to be Java(TM) Update 51; this script removes all versions of Java on the machine below 1.7.51.

http://www.itninja.com/question/silent-uninstall-java-all-versions

14)   Create a Managed Software Delivery Policy with the 2 scripts and add the software task.  If you’re not on 7.5, consider adding a task to delete the software cache (this regenerates the software listed in inventory; there was a bug in 7.1 where old software doesn’t get removed unless you clear the cache), and then run a software inventory scan.  7.5 fixes this bug and Delete SoftwareCache is no longer needed.  Set the applied-to target and schedule.

This is what my policy looks like:

java7u51a.PNG

Installing Java with the browser open seems to continue to cause issues.  I saw some machines in Add/Remove Programs saying the app was installed, but it didn’t work in the browser and there was no control panel icon.  So, I set the policy to run only if no user is logged in, under Schedule – Advanced options.

java7u51b.PNG

I also set the advanced settings for the software install to run “only when no user is logged on.”  This is probably not necessary, but I thought it was a failsafe.

java7u51c.PNG

Our users typically leave machines in locked or powered-off states, so my plan is to leave these ‘install at logout’ precautions in place for a week or 2 and then eventually set it to run whenever for all users not yet updated, and deal manually with the corrupted installs that happen.  I’m happy so far: in the first few days of the policy being on, about half of users have been updated.  At some point I need to better troubleshoot Wake On Lan, as that obviously would help in this scenario.
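
A post-deployment check for the endpoint state that steps 4 and 12 are meant to leave behind, as an added example that is not part of the original article or the author's policy: it parses the two deployment files, reports settings that have no .locked companion line or a security level below HIGH, and checks that the Java Update key is gone. The function names and the WOW6432Node path (where 32-bit Java's key lives on 64-bit Windows) are assumptions not taken from the article.

```powershell
# Added example (not the author's script). Paths and the registry key come from the
# article; function names and the WOW6432Node path are assumptions.
$DeployDir  = 'C:\Windows\Sun\Java\Deployment'
$UpdateKeys = 'HKLM:\Software\JavaSoft\Java Update',
              'HKLM:\Software\WOW6432Node\JavaSoft\Java Update'  # 32-bit Java, 64-bit Windows

function Read-JavaProperties([string]$Path) {
    # key=value per line; a bare key such as "x.locked" is stored with an empty value.
    $props = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line -match '^[#!]') { continue }   # blank line or comment
        $key, $value = $line -split '=', 2
        $props[$key.Trim()] = "$value".Trim()
    }
    return $props
}

function Test-JavaDeployment {
    $cfgPath  = Join-Path $DeployDir 'deployment.config'
    $propPath = Join-Path $DeployDir 'deployment.properties'
    $findings = @($cfgPath, $propPath | Where-Object { -not (Test-Path -LiteralPath $_) } |
                  ForEach-Object { "MISSING  $_" })
    if ($findings.Count -eq 0) {
        $cfg = Read-JavaProperties $cfgPath
        if ($cfg['deployment.system.config.mandatory'] -ne 'true') {
            $findings += 'CHECK    deployment.config does not make the system config mandatory'
        }
        $props = Read-JavaProperties $propPath
        foreach ($key in $props.Keys | Where-Object { $_ -notlike '*.locked' }) {
            # Without a matching ".locked" line the value is only a default a user can change.
            if (-not $props.ContainsKey("$key.locked")) {
                $findings += "UNLOCKED $key=$($props[$key])"
            }
        }
        $level = $props['deployment.security.level']
        if ($level -and ('HIGH', 'VERY_HIGH' -notcontains $level)) {
            $findings += "REVIEW   deployment.security.level=$level"
        }
    }
    foreach ($k in $UpdateKeys) {
        if (Test-Path -LiteralPath $k) { $findings += "PRESENT  $k (Update tab may still show)" }
    }
    return $findings
}

$result = @(Test-JavaDeployment)
if ($result.Count) { $result; exit 1 } else { 'Java deployment state OK'; exit 0 }
```

Run against the deployment.properties shown in step 4, this reports three UNLOCKED settings (only the shortcut key has a .locked line) and a REVIEW line for the MEDIUM security level.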

 

In case it helps anyone else out there, to maintain Java, I have some filters set up. 

1)      Static filter for “Needs Latest Java” that is maintained at our helpdesk level so if someone calls in needing java, they get added to the static filter.

2)      Dynamic filter for “Has Java 7 Update 51” that just checks for the latest version of Java.  This is built easily in the software section of CMS by right-clicking on your software resource and selecting action, create installed software filter.

3)      Dynamic filter for “Waiting for Latest Java Install” that includes all machines in “Needs Latest Java” except those also in “Has Java 7 Update 51”.  This is the filter the managed software delivery policy gets scoped to.

4)      Static filter for “Needs Outdated Java” for 2-3 users that require an old version of Java for a specific app also maintained by helpdesk

5)      Dynamic filter for “Has Java Installed” that is based on the SQL query below, which some nice person on Connect probably helped me figure out:

SELECT sw._ResourceGuid [Guid]
FROM [vSoftwareComponent] sc
inner join [Inv_InstalledSoftware] sw
on sw.[_SoftwareComponentGuid] = sc.[Guid]
where sc.[Name] LIKE '%JAVA%'
and sw.[InstallFlag]=1

 

6)      Finally, a dynamic filter “Remove Java” that is based on ‘Has Java Installed’ but excludes ‘Needs Outdated Java’ and also excludes ‘Needs Latest Java’.  I scope a policy to this filter with a script to remove Java for everyone who isn’t approved to have it.  This policy runs with update software inventory as well, so users fall out of the dynamic group after the uninstall is successful.

 

 

