Java (and 3rd party software) through WSUS for free

THIS ARTICLE IS OUT OF DATE! THERE IS AN UPDATED VERSION: WSUS PACKAGE PUBLISHER. COMMENTS ARE CLOSED.

Java-Evil-Edition-orfjackal_net

Updated: March 28, 2014

Note: This article is over a year old and may not contain relevant information. I do my best to keep things updated, especially because this is a popular post. I am working on a rewrite as I find an alternative to LUP as I am not sure how that software functions in a modern enterprise. In the meantime, please feel free to comment anything that may possibly be out of date and I’ll fix it up as I can! Thank you!

As a network administrator, I hate Java with a burning passion. First, Oracle is slow as frozen molasses to tell Java clients to update, secondly it requires administrator credentials to install, and third it tries to install crapware on our corporate computers (and in some cases, succeeds). If you’re a home user, this blog post won’t be of any use to you as it is aimed towards the corporate environment. If you are a home user, I would suggest disabling Java. Chances are, you don’t need it. In the alternate universe of corporations, we still need it so as much as I would like to not have to use it, it’s not an option.

Managing Java in the Corporate World

This post is going to be very technical. We’re going to be utilizing PKI (Public Key Infrastructure) and WSUS. If you don’t know what these two items are, forward this post onto the person in your company who does.

Things we need: (all links open in new windows/tabs)

  • Java offline installer (32-bit version, 64-bit version isn’t needed unless your users are using x64 browser… chances are, they’re not)
  • WSUS 3.0 SP2 (minimum)
  • .NET 4.0
  • Local Update Publisher (LUP) (it’s free and open source).¬†Don’t use LUP! Use WPP instead!
  • Orca (to modify the MSI – Note: Orca is provided as part of the Windows Installer as MS doesn’t provide it separate) OR InstaEd It (I use Orca, so your mileage with InstaEd It may vary)

I’m not going to cover installing WSUS or .NET Framework. If you need help with WSUS, here is a guide. I’ll be covering WSUS at another time.

Install & Configure LUP

In order to publish Java updates, we need software that will actually let us do so. You can install LUP on your technician workstation if you have the WSUS console installed or, as I would recommend, install it on your WSUS server.

The most common issue with LUP is the certificates! If you have a PKI in place, have your PKI administrator issue you a WSUS Code Signing certificate. Otherwise, you can generate a certificate from LUP. I’m going to assume you generate a self-signed certificate from LUP. Export the Certificate to the server desktop (or another folder where you store certificates).

On the WSUS server, go to Start > and in the search box type in mmc and press enter. Go to File > Add/remove snap-in > Select “Certificates” and press OK. Select the computer account. Go to Trusted Root Certification Authorities > Certificates > Right click > All Tasks > Import. Navigate to your cert on your desktop and import it. Go to Trusted Publishers > Certificates > Right Click > All Tasks > Import. Navigate to your desktop and import the same certificate. The certificate must be imported to both locations!

Now, open up your group policy management console. Edit your existing WSUS GPO (this way, all your WSUS settings are together).

Computer  Configuration > Policies > Windows Settings >Public Key Policies/Trusted Root Certification Authorities > Import the certificate.

Computer Configuration > Policies > Windows Settings > Public Key Policies/Trusted Publishers > Import the certificate.

Alright, now all of our clients will get the certificates needed. You’ll know if any clients don’t have the certificates installed because any custom updates you push out will fail. All that is needed is to manually import the certificates or just do a gpupdate /force (which is recommended).

Creating our Java Update Package

Now we’re going to create the Java update package to push out to our clients. This part is a little tricky.

WARNING: You do not want multiple versions approved for install on multiple machines at the same time! Always supersede updates!

Modifying the MSI

We need to get the MSI file from the offline installer. Follow these steps to get the files:

  • Download and launch the Windows Offline Installation executable (.exe) file.
  • Navigate to LocalAppData folder (the user’s Application Data folder). The location of the LocalAppData folder differs for each Windows platform.
      • Windows Vista and Windows 7
        C:\Users\<user>\AppData\LocalLow\Sun\Java\jre1.6.0_05\jre1.6.0_05.msi
      • Windows XP
        C:\Documents and Settings\<user>\Local Settings\ApplicationData\Sun\Java\ jre1.6.0_05\jre1.6.0_05.msi
    • Windows 2000
      C:\Documents and Settings\<user>\ApplicationData\Sun\Java\jre1.6.0_05\ jre1.6.0_05.msi

I like to copy the entire directory to my desktop and modify the MSI there (so you should install Orca on your tech workstation). Right click the MSI and choose “Edit with Orca”

In the “Tables” column in Orca, select “Property” and edit the following values:

Table Property Original Value Proposed Value Description
Property JAVAUPDATE 1 0 All three need to be changed to completely disable Java automatic updates
Property AUTOUPDATECHECK 1 0
Property JU 1 0
Property IEXPLORER 0 1 Activates Internet Explorer plugin
Property MOZILLA 0 1 Activates Mozilla plugin
Property SYSTRAY 1 0 Disables system tray icon when Java applets are active… This is optional.
Property RebootYesNo Yes No Suppresses the need to reboot
Property EULA 0 1 I would set this to 1 otherwise your users might get a prompt to accept the EULA

Do File > Save, and then exit Orca. Copy the folder to your WSUS server (or where ever you have LUP installed).

Creating the Update Package

Alright, now head into LUP. Connect to your server and go to Tools > Create Update. In the Update File field, browse to where your modified MSI is located. Click on “Add Files” and add the Data1.cab file. Click Next.

Package Type: Application

Package Title: Java 7 Update 13 (Rename this to whatever version of Java you’re pushing out)

Package Description (same thing as the title. You can provide additional info if you’d like)

Vendor: Sun Microsystems, Inc.

Product: Java

And click next (if you’ve already approved a Java update and this one supersedes it, be sure to select the previous update by clicking on “Supersedes”). The package will now be created.

Now approve the update for installation.

Enjoy being able to push 3rd party software through Windows Update!

Errors

If you get this:

Invalid Operation Exception: The package could not be published.
Verification of file signature failed for file:
\\SERVER\UpdateServicesPackages\[PackageID]\[InstallableItem ID].cab

That means there’s an issue with your certificates. TRIPLE CHECK that your certificates are in the correct place!

Local Update Publisher Stuff

You can deploy more than just Java through LUP. See the documentation to get started.