Friday, April 26



Updated: March 28, 2014

Note: This article is over a year old and may not contain relevant information. I do my best to keep things updated, especially because this is a popular post. I am working on a rewrite as I find an alternative to LUP as I am not sure how that software functions in a modern enterprise. In the meantime, please feel free to comment anything that may possibly be out of date and I’ll fix it up as I can! Thank you!

As a network administrator, I hate Java with a burning passion. First, Oracle is slow as frozen molasses to tell Java clients to update, secondly it requires administrator credentials to install, and third it tries to install crapware on our corporate computers (and in some cases, succeeds). If you’re a home user, this blog post won’t be of any use to you as it is aimed towards the corporate environment. If you are a home user, I would suggest disabling Java. Chances are, you don’t need it. In the alternate universe of corporations, we still need it so as much as I would like to not have to use it, it’s not an option.

Managing Java in the Corporate World

This post is going to be very technical. We’re going to be utilizing PKI (Public Key Infrastructure) and WSUS. If you don’t know what these two items are, forward this post onto the person in your company who does.

Things we need: (all links open in new windows/tabs)

I’m not going to cover installing WSUS or .NET Framework. If you need help with WSUS, here is a guide. I’ll be covering WSUS at another time.

Install & Configure LUP

In order to publish Java updates, we need software that will actually let us do so. You can install LUP on your technician workstation if you have the WSUS console installed or, as I would recommend, install it on your WSUS server.

The most common issue with LUP is the certificates! If you have a PKI in place, have your PKI administrator issue you a WSUS Code Signing certificate. Otherwise, you can generate a certificate from LUP. I’m going to assume you generate a self-signed certificate from LUP. Export the Certificate to the server desktop (or another folder where you store certificates).

On the WSUS server, go to Start > and in the search box type in mmc and press enter. Go to File > Add/remove snap-in > Select “Certificates” and press OK. Select the computer account. Go to Trusted Root Certification Authorities > Certificates > Right click > All Tasks > Import. Navigate to your cert on your desktop and import it. Go to Trusted Publishers > Certificates > Right Click > All Tasks > Import. Navigate to your desktop and import the same certificate. The certificate must be imported to both locations!

Now, open up your group policy management console. Edit your existing WSUS GPO (this way, all your WSUS settings are together).

Computer  Configuration > Policies > Windows Settings >Public Key Policies/Trusted Root Certification Authorities > Import the certificate.

Computer Configuration > Policies > Windows Settings > Public Key Policies/Trusted Publishers > Import the certificate.

Alright, now all of our clients will get the certificates needed. You’ll know if any clients don’t have the certificates installed because any custom updates you push out will fail. All that is needed is to manually import the certificates or just do a gpupdate /force (which is recommended).

Creating our Java Update Package

Now we’re going to create the Java update package to push out to our clients. This part is a little tricky.

WARNING: You do not want multiple versions approved for install on multiple machines at the same time! Always supersede updates!

Modifying the MSI

We need to get the MSI file from the offline installer. Follow these steps to get the files:

  • Download and launch the Windows Offline Installation executable (.exe) file.
  • Navigate to LocalAppData folder (the user’s Application Data folder). The location of the LocalAppData folder differs for each Windows platform.
      • Windows Vista and Windows 7
      • Windows XP
        C:\Documents and Settings\<user>\Local Settings\ApplicationData\Sun\Java\ jre1.6.0_05\jre1.6.0_05.msi
    • Windows 2000
      C:\Documents and Settings\<user>\ApplicationData\Sun\Java\jre1.6.0_05\ jre1.6.0_05.msi

I like to copy the entire directory to my desktop and modify the MSI there (so you should install Orca on your tech workstation). Right click the MSI and choose “Edit with Orca”

In the “Tables” column in Orca, select “Property” and edit the following values:

TablePropertyOriginal ValueProposed ValueDescription
PropertyJAVAUPDATE10All three need to be changed to completely disable Java automatic updates
PropertyIEXPLORER01Activates Internet Explorer plugin
PropertyMOZILLA01Activates Mozilla plugin
PropertySYSTRAY10Disables system tray icon when Java applets are active… This is optional.
PropertyRebootYesNoYesNoSuppresses the need to reboot
PropertyEULA01I would set this to 1 otherwise your users might get a prompt to accept the EULA

Do File > Save, and then exit Orca. Copy the folder to your WSUS server (or where ever you have LUP installed).

Creating the Update Package

Alright, now head into LUP. Connect to your server and go to Tools > Create Update. In the Update File field, browse to where your modified MSI is located. Click on “Add Files” and add the file. Click Next.

Package Type: Application

Package Title: Java 7 Update 13 (Rename this to whatever version of Java you’re pushing out)

Package Description (same thing as the title. You can provide additional info if you’d like)

Vendor: Sun Microsystems, Inc.

Product: Java

And click next (if you’ve already approved a Java update and this one supersedes it, be sure to select the previous update by clicking on “Supersedes”). The package will now be created.

Now approve the update for installation.

Enjoy being able to push 3rd party software through Windows Update!


If you get this:

Invalid Operation Exception: The package could not be published.
Verification of file signature failed for file:
\\SERVER\UpdateServicesPackages\[PackageID]\[InstallableItem ID].cab

That means there’s an issue with your certificates. TRIPLE CHECK that your certificates are in the correct place!

Local Update Publisher Stuff

You can deploy more than just Java through LUP. See the documentation to get started.


About Author

Hi! I'm Travis and I love technology.


    • It’s easier than it seems to implement, but once you do, it’ll save you a lot of time in the end. When my users have issues with Java, I just tell them to run Windows Updates, the latest Java gets installed and problem solved! 🙂

  1. Hi,
    I have one problem i install the java with lup, java check is OK. but wenn i try to open java on control panel , nothing happend. wenn i install the same version manually the java on control panel is working. am login as administrator. can someone help me by my problem?

  2. Hi, is there a way totest the functionality of the edited .msi?

    after Orca has failed to edit the .msi i used InstEd, but after editing, when i try to install manually from this .msi the installation process fails every time.

    • Yes, just simply run it (assuming you don’t already have the Java version installed)! You shouldn’t get prompted to install the ask toolbar or whatever Oracle is shipping with it, and you shouldn’t get any update prompts when a new version is released. Or you can always try on an older version since that will naturally complain about being out of date.

  3. Looks great! I’ll be testing this out soon. Have you had any luck with Adobe updates using this method?

  4. Pingback: Pushing Packages with WSUS Package Publisher | The IT Cave