How to package and deploy Java JRE 1.6.0_26 via Group Policy

UPDATE: 18/11/2013 – I have an updated post on how to package and deploy Java 7 Update 45. Read them here:
Deploying Java 7 JRE – Deep Dive! (Part 1)
Deploying Java 7 JRE – Deep Dive! (Part 2)

I have documented the steps to package and deploy the latest (currently) version of Java JRE (Java Runtime Environment) with an MSI via Group Policy. Its a relatively easy task to do but due to information being scattered around the internet when I was doing it I thought I would do a write-up.

Downloading JRE

Ok, you may wonder why i included this. Well it was always a battle to find the correct version to download off the SUN website, but now that Oracle have stepped in they have actually simplified this process. The most important thing to remember is that you want to download java from www.sun.com (which redirect to oracle) rather than www.java.com. They are actually packaged differently and not suitable for mass deployment.

The URL to download JAVA SE (Standard Edition) currently is:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
From here you click on JRE (in small writing) underneath the Java (download) icon in the middle pane. This will direct you to the latest version of JRE which right now is JRE 1.6.0_26. I am only distributing Windows x86 Offline, but I’m sure the Windows x64 will be the same process.

I am working with this file from here-on in:
http://www.oracle.com/technetwork/java/javase/downloads/jre-6u26-download-400751.html

Extracting the MSI

Now Oracle/Sun/Java down actually tell you how to extract the MSI file from the exe you just downloaded. There is a command to extract it that I cant find right now, so ill show you a simple alternative. Double click on the EXE file and leave the installation window open. It should look like this:

Now while that window is still open open up Windows Explorer and go to the below location and you will see the CAB and MSI files that are needed to deploy via GPO.

[code]C:\Users\%username%\AppData\LocalLow\Sun\Java\jre1.6.0_26[/code]

Note: You need to keep the setup window open for 64bit version because it removes the temp files when you cancel the install process. 32 bit doesn’t but its good practice.

Copy these files to your distribution location (or your staging area where you can modify the file using ORCA)

Modifying the MSI to suit enterprise deployment

So now we need to make some changes to the Java MSI installation so that it installs correctly and does not try to auto update seeing as most admins don’t give their users local admin rights. The tool that I use is ORCA, and is available for download from the Microsoft website. Refer to the below article to assist you with this:
How to use the Orca database editor to edit Windows Installer files

So what should you modify? well it all depends on what you want to configure. Ill give you the options I have changed, and you can use the ones you want:

Table

Property

Original Value

Proposed Value

Description

Property

JAVAUPDATE

1

0

All three need to be changed to completely disable Java automatic updates

Property

AUTOUPDATECHECK

1

0

Property

JU

1

0

Property

IEXPLORER

0

1

Activates Internet Explorer plugin

Property

MOZILLA

0

1

Activates Mozilla plugin

Property

SYSTRAY

1

0

Disables system tray icon when Java applets are active

Property

RebootYesNo

Yes

No

Suppresses the need to reboot – not affected by GPO that I’m aware of but does when installed manually.

Property

EULA

0

1

I leave this setting to 0, however if you are installing it via the msiexec through cmd prompt you may need to set this to 1 to install without interuptions.

And this is what it looks like when you edit it in ORCA:

Once you have made the changes you are happy with you can simply save the changes either directly to the MSI, to a new MSI or (the more preferred method) save it to a MST (transforms) file. The transforms file simply tells the MSI to use its preferred settings, and the benefit is you can have one MSI to multiple MST files (depending on your target audience)

NOTE: if you wanted to use a transforms file, you need to create a transforms in ORCA first by clicking Transform -> New Transform, and then when you are finished you need to go to Transform -> Generate Transform.

Deploying via Group Policy (GPO)

Now you are ready to deploy the package via Group Policies. The general process is to do the following:

  1. Create new GPO (or use existing GPO for same software title)
  2. copy install files to DFS share
  3. Add MSI package
  4. Add MST transforms file (note you can only do this at the beginning, and it cannot be changed later)
  5. Change security to your Testing Stakeholders before deploying to all users
  6. Change security to apply to Authenticated Users (or a specific group depending of how you manage deployment) so that everyone else gets the tested deployment.

Refer to this blog that going into detail on how to deploy via GPO:

https://ivan.dretvic.com/2011/06/how-i-deploy-gpo-software-in-my-enviroment/

Important Links

Here are resources i used to get the info I needed:

http://www.appdeploy.com/packages/detail.asp?id=3

44 thoughts on “How to package and deploy Java JRE 1.6.0_26 via Group Policy”

  1. JRE7.0.45 just came out. In trying to modify it I do not see a “Systray” variable in either the 32 or 64bit MSI. As I recall I noticed that it was also missing in the version 7.0.25 release. Has the Systray option moved somewhere else? I would like to disable this option for our lab computers.

  2. I modified both JRE1.7 MSI’s as suggested. After I installed both the 32 bit and 64 bit JRE’s on Windows 7 (64 bit) Enterprise I got a message at the end telling me that Autoupdates were on. When I checked the registry I found that the AUTOUPDATECHECK value had been changed to 1 even though the MSI’s both have it set to 0. What overrides these settings?

    • Hi Jim,

      I dont have a great deal of experience with installing the 64bit version of JRE. There are reasons to run the 64bit version but currently they are far and few between. The only reasons that come to mind why you need this is:

      • Your default web browser is 64bit and your users use that version – note that most plugins are not compatible with that version
      • Your desktop application requires better memory/performance on the client that would require you to use the 64bit version – i have not seen a need for this in my experience (only on a server)
      • Your application requires the 64bit version of Java. I have never seen this requirement.

      Generally i see users wanting 64bit versions because they have a 64bit machine. Just to clarify for these users, you are able to use the 32bit version only, and will have more consistent results especially when using with the browser. If you are not sure what version of Java you need, then i suggest you only deploy the 32bit version.

      In your case, if you do need both versions running and configured, i would makes sure the registry settings are located in both locations (both 32bit and 64bit locations) or refer to specific documentation from Java (which i know can be hard to decipher). Please share your results as others may be interested.
      Regards,
      Ivan

    • I have never had the need to deploy the JDK, however the process should be very similar if not identical. The installation may extract the information to a different location but the installation steps should be very similar. From my research i do recall a number of posts stating that the process is the same, yet i have not tested this. Your feedback here is welcome and interests me.

      Cheers,
      Ivan

  3. Still had issues with achieving 100% success. In the end devised a script that first ran JavaRa to uninstall java and then ran the msi. 100% success achieved. I suspect my issues related to 7_13 which didn’t install cleanly.

  4. Thanks for that information on psexec. For anyone who follows take note that the L and V are capitalised and there is a space between the V and the location of the log file.
    psexec.exe -s -i msiexec.exe /i java.msi TRANSFORMS=java.mst /qb /L*V c:\temp\javainstall.log
    The logfile output was excellent and I’ll use that information on other msi’s that misbehave.
    In the end, it all worked. I did add the WEB_JAVA property as Miles suggested on the 15th.

  5. What has happened is that Windows 7 sits there on the “please wait” screen forever.
    Or, If I get bored and restart the machine I then find that nothing has happened. Update 17 had uninstalled the previous update but not installed itself. And I couldn’t install the update by any method.
    At least update 21 isn’t being as much of a pain.
    I’ll reread the notes again and see if there is something I’m missing, but I have followed these notes for many updates with success.

    • Hi Matt,
      Before testing the deployment via GPO do make sure that you can successfully install the software from a command prompt as the system. To do this, download psexec.exe from http://live.sysinternals.com and run the following command from an elevated command prompt on a test machine:
      psexec.exe -s -i msiexec.exe /i java.msi TRANSFORMS=java.mst /qb /l*vc:\temp\javainstall.log

      The above command will install Java with basic input, but install as the system, just like GPO would. It also spits out a very comprehensive log of the install. If there are any problems this will identify the issues most of the time. Reference: http://technet.microsoft.com/en-us/library/cc759262%28v=ws.10%29.aspx
      Cheers,
      Ivan

    • Hi Matt,
      When you say you have not been able to deploy Java – can you please specify what is not working?
      Is the extracting failing? Is the install (via MSI) not working? Does it complete but not function? Does it still want to update?
      Cheers,
      Ivan

  6. Hi,

    What has been your experience in dealing with Java applications that seem to require Java 6 when you are installing only Java 7 on a PC? We have a number of programs (Kronos Workfoce Central for example) that seem to only want to run with Java 6. is there some option to enable all backwards compatibility to version 6 even if Java 7 is the only runtime environment installed?

    • Hi Matt,
      I have been fortunate enough to upgrade our software frequently that includes the compatibility with Java7. More importantly, as we review products for implementation for the last 3 years, we have had a firm stance on true web based interfaces (thin client interface) that does not require any particular plugins (aside from SilverLight, Flash or .NetFramework as all our machines always have them) so when a product with Java\AdobeAir\customPlugin requirements comes up we try to reject it. If it does get through we require JRE7 compatibility.

      Should there come a time that we do implement a software that does need JRE6 we will have to deal with it at that time.

      Cheers,
      Ivan

    • Hi Michael,
      Thanks for letting me know. I have stopped packaging Java6 myself and moved to Java7 so I am not aware of why that is the case. If you do come across the solution please let me know.
      Cheers,
      Ivan

      • I eventually gave up after trying to get it to work with java6u41. I just added some registry modifications to the same GPO that deploys Java to disable autoupdate.

  7. Even after successfully deploying JRE 1.7.-_11b21 today, neither IE nor Firefox have the plugin installed. I have tried saving the msi changes and also applying the changes via MST.

  8. Hi Ivan, great blog, so useful. Did you get a chance to test with version 7? I have followed your instructions with version 7 update 10 and the install leaves the “JRE Auto-Download” setting as “Always Auto-Download” in the control panel (which seems different to version 6). So it seems to either have ignored the MST, has a different setting somewhere that needs modifying or has set it correctly but the contol panel is ignoring it. Thanks for your time, Traci

  9. No tray! My MST had the following changes: AUTOUPDATECHECK 0; IEXPLORER 1; JAVAUPDATE 0; JU 0; MOZILLA 1; & RebootYesNo No. My boss likes the command line switches too so here is what went out in SCCM:MSIEXEC.EXE /I jre1.7.0_05.msi TRANFORMS=JRE175.MST /qn /norestart ADDLOCAL=All IEXPLORER=1 MOZILLA=1 JAVAUPDATE=0 AU=0 AUTOUPDATECHECK=0 JU=0 REBOOT=Suppress. Beats doing QuickTime.

  10. In the Java 7 releases there isn’t a SYSTRAY property anymore… just if someone’s wondering.
    The icon in the systray doesn’t appear anyway, seems to be removed completely… or the setting from the older versions still take place.

    Greetz

  11. Helpful blog, cheers Ivan. Just one question, I was always instructed that you should never amend a vendor MSI directly but make any adjustments via a MST (Transform). Are you advising that it is ok to modify the MSI directly?

  12. Thanks for creating this blog. I plan on using it to deploy Java in my environment.

    One question though… Does this package uninstall the previous versions, or does it leave them and install this new version next to them.

    • Hi Michael,
      Sorry I thought that I included the information in the article but it looks like I have not. I could not find the official documentation however here is an excerpt from another site that provides the answer:

      Some good news regarding Java for once! Starting with 1.6.11, Java now uninstalls previous versions upon installation. I always thought this was a terrible fallacy in Java development mentality. Granted that some applications may need older versions of Java, most updates to software fix security issues. Why then, would you want to keep the older, insecure version on your computer? Previous installations took up about 170 MB of space with each instance as well.
      http://www.404techsupport.com/2009/01/deploying-java-through-group-policy-and-java-re-improvements/

      Regards,
      Ivan

  13. Thank you!

    This was a lifesaver. Every since u21 the whole software has been broken, ignoring its own configuration. Finally a solution that really works. I wish some enterprising people would really start distributing a modified installer package in the same way as alternate versions of QuickTime etc. as it would save a lot of folks from a lot of grief, fighting autoupdates and systray icons people have no control over and other minor niggles JRE has had for years and no amount of bug reports have effected in any way.

    • Hi RCT,
      I hear you – if there was some way to do it easily it would make our lives easy. Unfortunately there is no free version that I could find. Here are some alternatives that update all the apps you could want to.
      https://ninite.com/ – never used – just stumbled onto it today
      http://secunia.com/ – snaps into WSUS and meant to be very good – again never used it.
      As for configuring the apps – most of the apps could be configured through the registry using Group Policy Preferences.

      I agree – as an overall package – there is no easy way to do all of this. I guess this is why we have jobs 🙂

      Cheers,
      Ivan

  14. Hi Ivan,
    I think JU is better set up into 1. The reason is I got some Java version corruption when I deploy JRE 7 on some JRE 6 installed desktops(lots of them). Which cost me sometime to figure out the coruption since I was using vbs to read Java version from registry, it says 1.7 installed and I believed. but in enviroment variable java is not set up properly.
    I reset JU into 1, auto update into 1, redeploy the package, it fixed the problem.

  15. Thanks a lot Ivan,
    I am working for department of education in australia and been assigned to a secondary school, providing all level support to local school(teachers, student, system administrator and school ICT technician) , if you have a look of my recent posts, you will find a lot inserts regarding different areas but majorly about automation and admin/ better administration management.
    I really respect people like you investing a lot time and write down a very specific detailed toturial regarding how to get the job done – step by step, word by word.

    Really appreciate. Because you consider others`s feeling.
    People like you makes our job easier. I should learn from you and try to add more explaination in my own works instead of posting something only I can understand.
    I copy and paste this to my own blog because it is such a useful doc not limited to JRE but can be implemented in anyother areas. Cheers.
    Lei

Leave a Reply to MattCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

QR Code Business Card
%d bloggers like this: