In Patching Java and more through SCCM/WSUS for free Part 1, we discussed setting up SCUP for WSUS and SCCM. In this article, we’re going to take a look at creating your own custom updates – primarily with Java. If you haven’t setup SCUP, run through Part 1. It’s actually pretty easy and should only take you about an hour or so.
Creating the Java update
Java has changed a little bit over the years. Unfortunately, it’s still a bit of a pain to manage. Unlike in the past, we don’t have to modify the MSI, we just have to get it. To get the MSI, head on over to java.com and get the offline installer. Click on Free Java Download, then click on “offline installer” on the left hand side. Download the file and run it, but don’t close the installer or run it. Just keep it open.
Now to get the MSI file, go to C:\Users\<username>\AppData\LocalLow\Oracle\Java\jre1.8.0_171 and copy the MSI file to a working directory on your computer. Once you do that, you can cancel the installer. We have the file that we need.
Open up the SCUP console if you haven’t already. In the Updates workspace, we have to create a vendor and then a product. Right click on All Software Updates and select Create Vendor. Type in “Oracle”. Then right click on the Oracle folder and click on Create Product. Type in Java. Expand the folder tree until we’re at Java.
Once we’re in the Java folder, we need to create an update. Click on Update (1). When the Create Update window opens, click on browse (2) and navigate to where you put the MSI file. In order for your update server to be able to download the file, you will need to place it in an available file share or web location (3).
You may get a warning about the update not being signed when you browse to it. From my testing, you can safely ignore this warning message.
In the command line box, enter the following commands:
JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No WEB_JAVA=1
What this does is turn off Java update notifications and automatic checks for new Java versions. This is so clients don’t get the notifications. You can update once you’ve done your testing, etc. The RebootYesNo flag is set to no to require a reboot and WEB_JAVA=1 enables it in the web browser.
Fill out the details of the update, in this case it’s Java 8, Update 171 32-bit version. You can enter a full description if you wish. Select the vendor and product, then enter a URL for more information. In this case it’s java.com
You can fill out some optional information for your information if you wish. Bulletin and Article IDs I like to set to any internal KBs about the software. This can be useful for your help desk staff. If there are any CVEs for the update, I’ll also include those. The support URL you can set to your internal help desk. You can also set the severity of the update as well and if a reboot might be requested.
For the prerequisite, I set both 64 and 32 bit versions as this will work on both clients. In fact, you’ll probably need the 32-bit version instead of the 64-bit.
Since this is our first update, there’s nothing for it to supersede so we’ll just click next.
We’ll leave applicability rules as default.
Same with the Installed
Now we can verify our update and then continue through the rest of the wizard.
Publishing Updates to WSUS/SCCM
Publishing updates was covered in Part 1.