I have a fairly popular post on here regarding pushing out Java via WSUS. In the previous post, I used LUP, or Local Update Publisher. Now, LUP was a good tool; however, it appears to be no longer updated, and it’s a little clunky, so it takes some time to properly use and set up. I’ve since moved over to PDQ Deploy from Admin Arsenal. It’s a fantastic product and I’d highly recommend using it (including the free mode) in addition to WPP. So let’s get down to business.
THIS ARTICLE IS OUT OF DATE! THERE IS AN UPDATED VERSION: WSUS PACKAGE PUBLISHER. COMMENTS ARE CLOSED.
Updated: March 28, 2014
Note: This article is over a year old and may not contain relevant information. I do my best to keep things updated, especially because this is a popular post. I am working on a rewrite as I find an alternative to LUP as I am not sure how that software functions in a modern enterprise. In the meantime, please feel free to comment anything that may possibly be out of date and I’ll fix it up as I can! Thank you!
As a network administrator, I hate Java with a burning passion. First, Oracle is slow as frozen molasses to tell Java clients to update, secondly it requires administrator credentials to install, and third it tries to install crapware on our corporate computers (and in some cases, succeeds). If you’re a home user, this blog post won’t be of any use to you as it is aimed towards the corporate environment. If you are a home user, I would suggest disabling Java. Chances are, you don’t need it. In the alternate universe of corporations, we still need it so as much as I would like to not have to use it, it’s not an option.
Managing Java in the Corporate World
This post is going to be very technical. We’re going to be utilizing PKI (Public Key Infrastructure) and WSUS. If you don’t know what these two items are, forward this post onto the person in your company who does.
Things we need: (all links open in new windows/tabs)
- Java offline installer (32-bit version, 64-bit version isn’t needed unless your users are using x64 browser… chances are, they’re not)
- WSUS 3.0 SP2 (minimum)
- .NET 4.0
- Local Update Publisher (LUP) (it’s free and open source). Don’t use LUP! Use WPP instead!
- Orca (to modify the MSI – Note: Orca is provided as part of the Windows Installer as MS doesn’t provide it separately) OR InstaEd It (I use Orca, so your mileage with InstaEd It may vary)
I’m not going to cover installing WSUS or .NET Framework. If you need help with WSUS, here is a guide. I’ll be covering WSUS at another time.
Install & Configure LUP

In order to publish Java updates, we need software that will actually let us do so. You can install LUP on your technician workstation if you have the WSUS console installed or, as I would recommend, install it on your WSUS server. The most common issue with LUP is the certificates! If you have a PKI in place, have your PKI administrator issue you a WSUS Code Signing certificate. Otherwise, you can generate a certificate from LUP. I’m going to assume you generate a self-signed certificate from LUP.

- Export the certificate to the server desktop (or another folder where you store certificates).
- On the WSUS server, go to Start > and in the search box type in mmc and press enter.
- Go to File > Add/remove snap-in > Select “Certificates” and press OK. Select the computer account.
- Go to Trusted Root Certification Authorities > Certificates > Right click > All Tasks > Import. Navigate to your cert on your desktop and import it.
- Go to Trusted Publishers > Certificates > Right Click > All Tasks > Import. Navigate to your desktop and import the same certificate.

The certificate must be imported to both locations!

Now, open up your group policy management console. Edit your existing WSUS GPO (this way, all your WSUS settings are together).

- Computer Configuration > Policies > Windows Settings > Public Key Policies/Trusted Root Certification Authorities > Import the certificate.
- Computer Configuration > Policies > Windows Settings > Public Key Policies/Trusted Publishers > Import the certificate.

Alright, now all of our clients will get the certificates needed. You’ll know if any clients don’t have the certificates installed because any custom updates you push out will fail. All that is needed is to manually import the certificates or just do a gpupdate /force (which is recommended).
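The both-stores requirement above can be checked on any single machine. The following PowerShell script is an added example, not part of the original post or of LUP: it loads the exported certificate and reports whether its thumbprint is present in the local machine's Trusted Root and Trusted Publishers stores. The parameter names and the `-Fix` switch are this script's own, and it assumes you run it elevated with the path to your exported .cer file.

```powershell
# Added example: verify the WSUS signing certificate is trusted on this machine.
# -CerPath : the .cer file exported from LUP (or issued by your PKI).
# -Fix     : hypothetical switch of this script; imports the cert where missing.
param(
    [Parameter(Mandatory = $true)][string]$CerPath,
    [switch]$Fix
)

$fullPath = (Resolve-Path $CerPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

# Collect the EKU OIDs carried by the certificate (empty = no EKU restriction).
$ekus = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

if ($ekus.Count -gt 0 -and $ekus -notcontains $codeSigningOid) {
    Write-Warning 'Certificate restricts key usage and does not allow Code Signing.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)."
}

$missing = 0
foreach ($store in 'Root', 'TrustedPublisher') {
    # Match on thumbprint so a same-named but different certificate does not count.
    $present = [bool](Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    if (-not $present -and $Fix) {
        # certutil targets the local machine store by default; requires elevation.
        certutil.exe -addstore -f $store $fullPath | Out-Null
        $present = ($LASTEXITCODE -eq 0)
    }
    if (-not $present) { $missing++ }
    '{0,-17} {1}' -f $store, $(if ($present) { 'present' } else { 'MISSING' })
}

# Exit code = number of stores still missing the certificate (0 means OK).
exit $missing
```

Running it on a client after gpupdate /force shows whether the GPO delivered the certificate; a non-zero exit code means at least one store is still missing it.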
Creating our Java Update Package
Now we’re going to create the Java update package to push out to our clients. This part is a little tricky.
WARNING: You do not want multiple versions approved for install on multiple machines at the same time! Always supersede updates!
Modifying the MSI
We need to get the MSI file from the offline installer. Follow these steps to get the files:
- Download and launch the Windows Offline Installation executable (.exe) file.
- Navigate to LocalAppData folder (the user’s Application Data folder). The location of the LocalAppData folder differs for each Windows platform.
- Windows Vista and Windows 7
- Windows XP
C:\Documents and Settings\<user>\Local Settings\Application Data\Sun\Java\jre1.6.0_05\jre1.6.0_05.msi
- Windows 2000
C:\Documents and Settings\<user>\Application Data\Sun\Java\jre1.6.0_05\jre1.6.0_05.msi
I like to copy the entire directory to my desktop and modify the MSI there (so you should install Orca on your tech workstation). Right click the MSI and choose “Edit with Orca”
In the “Tables” column in Orca, select “Property” and edit the following values:
| Table | Property | Original Value | Proposed Value | Description |
|---|---|---|---|---|
| Property | JAVAUPDATE | 1 | 0 | All three need to be changed to completely disable Java automatic updates |
| Property | IEXPLORER | 0 | 1 | Activates Internet Explorer plugin |
| Property | MOZILLA | 0 | 1 | Activates Mozilla plugin |
| Property | SYSTRAY | 1 | 0 | Disables system tray icon when Java applets are active… This is optional. |
| Property | RebootYesNo | Yes | No | Suppresses the need to reboot |
| Property | EULA | 0 | 1 | I would set this to 1 otherwise your users might get a prompt to accept the EULA |
Do File > Save, and then exit Orca. Copy the folder to your WSUS server (or wherever you have LUP installed).
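Before publishing, it is worth confirming that the saved MSI really carries the proposed values from the table. The following PowerShell script is an added example, not part of the original post: it opens the MSI read-only through the Windows Installer COM object and compares the Property table against the six values listed above. The parameter name and the helper function are this script's own.

```powershell
# Added example: check an edited Java MSI against the "Proposed Value" column.
# -MsiPath : path to the MSI you modified with Orca.
param([Parameter(Mandatory = $true)][string]$MsiPath)

# Proposed values copied from the table in this post.
$expected = @{
    JAVAUPDATE = '0'; IEXPLORER = '1'; MOZILLA = '1'
    SYSTRAY = '0'; RebootYesNo = 'No'; EULA = '1'
}

# Helper (this script's own): late-bound call on a Windows Installer COM object.
function Invoke-Member($Object, $Name, $Kind, $Arguments) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$fullPath  = (Resolve-Path $MsiPath).Path
$db   = Invoke-Member $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)  # 0 = read-only
$view = Invoke-Member $db 'OpenView' 'InvokeMethod' @('SELECT `Property`, `Value` FROM `Property`')
Invoke-Member $view 'Execute' 'InvokeMethod' $null | Out-Null

# Read every row of the Property table into a hashtable.
$actual = @{}
while ($rec = Invoke-Member $view 'Fetch' 'InvokeMethod' $null) {
    $name  = Invoke-Member $rec 'StringData' 'GetProperty' 1
    $value = Invoke-Member $rec 'StringData' 'GetProperty' 2
    $actual[$name] = $value
}
Invoke-Member $view 'Close' 'InvokeMethod' $null | Out-Null

# Report any property that is absent or still has a different value.
$mismatch = @(foreach ($name in $expected.Keys) {
    if ($actual[$name] -ne $expected[$name]) {
        New-Object PSObject -Property @{
            Property = $name; Expected = $expected[$name]; Actual = $actual[$name]
        }
    }
})

if ($mismatch.Count -gt 0) {
    $mismatch | Format-Table Property, Expected, Actual -AutoSize
    exit 1
}
'All six properties match the proposed values.'
```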
Creating the Update Package

Alright, now head into LUP. Connect to your server and go to Tools > Create Update. In the Update File field, browse to where your modified MSI is located. Click on “Add Files” and add the Data1.cab file. Click Next.

- Package Type: Application
- Package Title: Java 7 Update 13 (Rename this to whatever version of Java you’re pushing out)
- Package Description: (same thing as the title. You can provide additional info if you’d like)
- Vendor: Sun Microsystems, Inc.
- Product: Java

And click next (if you’ve already approved a Java update and this one supersedes it, be sure to select the previous update by clicking on “Supersedes”). The package will now be created. Now approve the update for installation.
Enjoy being able to push 3rd party software through Windows Update!
Errors

If you get this:

Invalid Operation Exception: The package could not be published.
Verification of file signature failed for file:
\\SERVER\UpdateServicesPackages\[PackageID]\[InstallableItem ID].cab

That means there’s an issue with your certificates. TRIPLE CHECK that your certificates are in the correct place!
Local Update Publisher Stuff

You can deploy more than just Java through LUP. See the documentation to get started.