Note: As funny as this article is, it has since been replaced with the version linked here.
By the time you’ve finished reading this sentence, your version of Java will be two versions out of date! Joking aside, Java updates at least twice a month. If you want to stay on top of your updates or at least ease the software installation process, you will need to deploy the Java Runtime Environment (JRE) with Group Policy Software Installation (GPSI).
Unlike some deployments, such as Adobe Flash Player, deploying Java is a little more difficult. This is because Java has a tendency to fail if another older version was ever installed on the computer. Java also likes to have a firewall rule for certain applets (this step is optional though). Finally, you have to physically edit the MSI to remove the auto update feature. So grab yourself a nice cup of joe and prepare to deploy some Java!
Getting the Java Runtime Environment MSI
Head on over to the JRE download website and download the Windows X86 Offline installer. This offline installer will include the setup and the required CAB files.
After downloading, launch the EXE but do not proceed past the welcome screen. Head to %USERPROFILE%\AppData\LocalLow\Sun\Java\. You should see an extracted JRE folder. Copy this folder to your software deployment share.
Editing the Java Runtime Environment MSI
What’s black and white and red all over? An Orca eating a seal! Am I the only one who found that funny? Oh well… let’s continue then…
In order to edit the MSI, you will need to use the MSI editing tool Orca (does my joke make sense now?). If you don’t have Orca installed, you can grab it here. It is under the Software Packaging section.
You should now be able to right-click on the JRE MSI and select Edit with Orca. If you get a cryptic message when doing this, restart once – the MSI might still think it is opened. If you have ever edited a database, you will notice that an MSI is organized the same way. On the left, you will see tables. In the center, you will see properties within those tables.
Select the Property table and change the following options:
- AUTOUPDATECHECK = 0
- JAVAUPDATE = 0
- JU = 0
- RebootYesNo = NO
- EULA = 1
Save these settings to the MSI. If you prefer to not edit the MSI directly, you can select Transform and Generate Transform to overlay your settings on top of the original MSI. For giggles, you can also change the DefaultUIFont from Tahoma8 to WingDings.
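The same Property table edits can be scripted through the Windows Installer COM automation interface, which helps when every new JRE MSI needs the identical changes. This is an added example, not part of the original article; the `$MsiPath` parameter and the helper function names are assumptions, and it should be run against a copy of the MSI.

```powershell
# Added example (not from the original article). Run it against a copy of the MSI.
param([Parameter(Mandatory)][string]$MsiPath)   # path to the JRE MSI; you supply it

# Property table values from the list above
$wanted = [ordered]@{ AUTOUPDATECHECK = '0'; JAVAUPDATE = '0'; JU = '0'; RebootYesNo = 'NO'; EULA = '1' }

# Windows Installer COM objects are late-bound, so members are invoked by name.
function Invoke-Member($Object, [string]$Name, [object[]]$Arguments = @(),
                       [System.Reflection.BindingFlags]$Kind = 'InvokeMethod') {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

# Runs one Windows Installer SQL statement; with -FetchValue returns column 1 of the first row.
function Invoke-MsiSql($Database, [string]$Sql, [switch]$FetchValue) {
    $view = Invoke-Member $Database 'OpenView' @($Sql)
    try {
        $null = Invoke-Member $view 'Execute'
        if ($FetchValue) {
            $record = Invoke-Member $view 'Fetch'
            if ($null -ne $record) { Invoke-Member $record 'StringData' @(1) 'GetProperty' }
        }
    } finally { $null = Invoke-Member $view 'Close' }
}

$select = 'SELECT `Value` FROM `Property` WHERE `Property`=''{0}'''
$installer = New-Object -ComObject WindowsInstaller.Installer
# Open mode 1 = transacted: nothing is written to the file until Commit.
$db = Invoke-Member $installer 'OpenDatabase' @((Resolve-Path $MsiPath).Path, 1)
try {
    foreach ($name in $wanted.Keys) {
        $before = Invoke-MsiSql $db ($select -f $name) -FetchValue
        if ($null -eq $before) {
            # Row missing in this MSI: an UPDATE would match nothing, so INSERT instead.
            Invoke-MsiSql $db ('INSERT INTO `Property` (`Property`,`Value`) VALUES (''{0}'',''{1}'')' -f $name, $wanted[$name])
        } elseif ($before -cne $wanted[$name]) {
            Invoke-MsiSql $db ('UPDATE `Property` SET `Value`=''{1}'' WHERE `Property`=''{0}''' -f $name, $wanted[$name])
        }
        # Read the value back so the report shows what the MSI now holds.
        [pscustomobject]@{ Property = $name; Before = $before; After = (Invoke-MsiSql $db ($select -f $name) -FetchValue) }
    }
    $null = Invoke-Member $db 'Commit'
} finally {
    # Release the handle; a lingering one leaves the MSI locked for other editors.
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
}
```

The Before/After table it prints doubles as a record of what changed in each new installer before the package goes onto the deployment share.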
Working with your Group Policy Object
Create a new GPO named APP_Java Runtime Environment. Ensure that this GPO is not linked to any OUs yet. Java has a tendency to break and we don’t want to cause problems this early in the week.
Within your GPO, navigate to Computer Configuration/Policies/Software Settings/Assigned Applications. Add the JRE MSI and ensure that you added it from a UNC path (and not a local path). If you are unsure, see problem 3 on this list.
Within the same GPO, navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security. Create a new inbound rule that allows C:\Program Files\Java\jre7\bin\javaw.exe. This will allow Java web applets to load if needed.
Link your Java GPO to a Test OU and restart a test client. You should see “Installing Managed Software: Java Runtime Environment”. If you don’t, consider enabling Verbose mode for your organization.
Troubleshooting your Java Runtime Environment deployment
You can verify that Java is properly working by opening up a command prompt and typing java -version. If you see something like the picture below, you’ve got a problem:
Open up Event Viewer (on your client computer) and browse to the Application event log. When the installation failed, you should see errors from MSIInstaller. If a previous version of Java caused the installation to halt, you can fix this by running the Microsoft Programs and Uninstall utility. You can also search the HKEY_CLASSES_ROOT\Installer\Products key for older versions of Java. If those methods do not work, you can use this Group Policy script.
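The registry search mentioned above can be done from PowerShell on the client. This is an added example, not part of the original article; the `*Java*` name filter and the helper function name are assumptions. It is read-only and also decodes the packed subkey name and the DWORD version that Windows Installer stores under that key.

```powershell
# Added example (not from the original article): list Java products registered
# with Windows Installer on this machine. Read-only.
$root = 'Registry::HKEY_CLASSES_ROOT\Installer\Products'

# Subkey names are product codes in Windows Installer's packed form:
# the first three GUID groups are reversed, the rest has each character pair swapped.
function ConvertFrom-PackedGuid([string]$Packed) {
    $rev  = { param($s) $c = $s.ToCharArray(); [array]::Reverse($c); -join $c }
    $tail = -join (16..30 | Where-Object { $_ % 2 -eq 0 } |
                   ForEach-Object { $Packed[$_ + 1], $Packed[$_] })
    '{{{0}-{1}-{2}-{3}-{4}}}' -f (& $rev $Packed.Substring(0, 8)),
        (& $rev $Packed.Substring(8, 4)), (& $rev $Packed.Substring(12, 4)),
        $tail.Substring(0, 4), $tail.Substring(4, 12)
}

Get-ChildItem $root | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath
    if ($p.ProductName -like '*Java*') {          # assumed name filter
        $v = [int]$p.Version                      # packed as major.minor.build
        [pscustomobject]@{
            ProductName = $p.ProductName
            Version     = '{0}.{1}.{2}' -f ($v -shr 24), (($v -shr 16) -band 0xFF), ($v -band 0xFFFF)
            ProductCode = ConvertFrom-PackedGuid $_.PSChildName
        }
    }
}
```

More than one row in the output means an older JRE is still registered; the ProductCode column is the GUID form that `msiexec /x` accepts.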
Any Suggestions?
The guide above is how Java is deployed to our 6000+ computers (we just hit 6,000!). If you have any best practices or tips to share, help your fellow readers out by leaving a comment!
Is there any way to automatically remove the old versions of JRE while installing the latest version?
Sure! See the end of this guide: https://deployhappiness.com/deploying-java-8-101-or-why-is-java-still-around/
I don’t see the “Assigned Applications” item in GPO path “Computer Configuration/Policies/Software Settings/”
It only shows “Software Installation”
That is the same area – are you using the 2003 Group Policy Management Console?
Hello Joseph,
Am I correct that we need to manipulate each new version of the installer with Orca before updating the software?
That is correct!
For the firewall rules, it should be jre7 and you also should allow for Program Files (x86) if you have any 64-bit Windows in your environment.
Absolutely right Alan! Thank you!