Most SCCM customers uses some kind of 3rd party tool or add-on (Like SCUP) when it comes to patch management of 3rd party tool, like adobe, java, etc. But what if you don’t have access to all these fancy tools?
This is a guide to how you can prepare, deploy and upgrade previous versions of Java using the Application model in System Center 2012 Configuration Manager.
Get the Source Files:
Download: http://java.com/en/download/manual.jsp
If you use a 64-bit version of Windows, you still need the 32-bit version. You should only use the 64-bit version if you plan to use the 64-bit version of Internet Explorer.
Extract Source Files to MSI:
- Launch the Windows Offline Installation executable (.exe) file.
- Navigate to LocalAppData folder (the user’s Application Data folder). The location of the LocalAppData folder differs for each Windows platform.
- Windows Vista, Windows 7 and Windows 8:
- C:\Users\<user>\AppData\LocalLow\Sun\Java\jre1.7.0_17
- C:\Users\<user>\AppData\LocalLow\Sun\Java\jre1.7.0_17_x64
Create the MST File
Next, we need to edit the MSI file to prevent the standard users from getting annoying popups by disabling auto update. This can be done by using Microsoft Orca (you should not save the changes directly in the MSI file, but create an mst file with the things you need to change).
We need to edit the following rows:
| Property | Effect of the Property | Default Value | Custom Value |
| AUTOUPDATECHECK | Prevent Auto Updates | 1 | 0 |
| IEEXPLORER | Enable Java in Internet Explorer | 0 | 1 |
| JAVAUPDATE | Prevent Auto Updates | 1 | 0 |
| JU | Prevent Auto Updates | 1 | 0 |
| MOZILLA | Enable Java in Plugin based browsers | 0 | 1 |
Install command:
msiexec /i “jre1.7.0_17.msi” transforms=”jre1.7.0_17.mst” /q
Uninstall command:
msiexec /x {26A24AE4-039D-4CA4-87B4-2F83217017FF} /q
The numbers marked with bold is changing with every minor update, and represent the current version. 17017 = 17.0_17.
Detection Method
Setting Type : Windows Installer
Product Code : {26A24AE4-039D-4CA4-87B4-2F83217017FF}
Upgrade previous versions
When you’re updating a previous version of Java using the new application model in Configuration Manager 2012, you can use application supersedence. When specifying the supersedence relationship for Java, I would recommend that you always select uninstall of the previous version as a best practice.
That’s it. Happy patching…
13 Comments
A great guide on how to package Java runtime.
But you have not mentioned anyhting regarding killing IE / FF.
if those are up and running 30% chance of the installation going bad or corrupt.
This is a bit “dirty”, but it gets the job done 🙂
@echo off
taskkill /F /IM iexplorer.exe
taskkill /F /IM iexplore.exe
taskkill /F /IM firefox.exe
taskkill /F /IM chrome.exe
taskkill /F /IM javaw.exe
taskkill /F /IM jqs.exe
taskkill /F /IM jusched.exe
REM Uninstall Java 7 Update 15
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F83217015FF} /qn /norestart
REM Uninstall Java 7 Update 15×64
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F86417015FF} /qn /norestart
REM Uninstall Java 7 Update 16
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F83217016FF} /qn /norestart
REM Uninstall Java 7 Update 16×64
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F86417016FF} /qn /norestart
REM Uninstall Java 7 Update 17
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F83217017FF} /qn /norestart
REM Uninstall Java 7 Update 17×64
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F86417017FF} /qn /norestart
REM Uninstall Java 7 Update 21
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F83217021FF} /qn /norestart
REM Uninstall Java 7 Update 21×64
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F86417021FF} /qn /norestart
REM Uninstall Java 7 Update 25
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F83217025FF} /qn /norestart
REM Uninstall Java 7 Update 25×64
msiexec.exe /X {26A24AE4-039D-4CA4-87B4-2F86417025FF} /qn /norestart
REM Install JRE x86
msiexec.exe /i “%~dp0jre1.7.0_40.msi” TRANSFORMS=”%~dp0java7u40.mst” ADDLOCAL=ALL IEXPLORER=1 REBOOT=Suppress JAVAUPDATE=0 JU=0 AUTOUPDATECHECK=0 JQS=0 SYSTRAY=0 EULA=0 WEBSTARTICON=0 /passive /norestart /l*v c:windowstempJava7x86.log
regedit.exe /s “%~dp0DisableJavaAU_service_on_x64clients.reg”
REM Return the exit code to SCCM
exit /B %EXIT_CODE%
@ Sem, where do you add your script? how you run it during deployment.
Can you please supply instructions (screenshots if possible).
I apologies in advance for my ignorance but, I am new to SCCM 2012.
@Ronni, where do you place the MST file? Network share, locally on the SCCM server, or Dist Point Server?
Thank you in advance for your time and support.
If you put the MSI and the MST file in the same folder you should be fine…
Hi
Great guide… and the hack to make sure ie etc. isn’t running does the trick as well..
there’s just 1 problem…
Since we cannot control when java will be installed AND if we add the hack to kill browsers.. we might destroy a lot of stuff for the clients working on .. an online form, doing research etc etc etc. when we kill their browser..
how do we avoid a lot of unhappy users losing their work?
oh.. and I see my clients starting to report that they’re prompted in IE to enable or disable java ssv helper… we should handle this in the deployment as well..
I’m almost spamming here…
Found this:
User Configuration/Administrative Templates/Windows Components/Internet Explorer/Security Features/Add-on Management
Add-on List Enabled
Add-on List
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} 0
{DBC80044-A445-435B-BC74-9C25C1C588A9} 0
a GPO to disable ( 0 ) or enable ( 1 ) the java ssv helper that “pops up” in IE after installation.
Seems strange that it cannot be handled in the installation.. but haven’t been able to find anything..
Hi Ronni
Is there any way to remove temporary internet files from java cache of all users, during older version of java removal?
You can always deploy the application using a wrapper like the PowerShell App Deployment Toolkit.
That will allow you to run any command you need before or after a specific job.
Psapodeploy is what i an using now. A Nice prompt for the user and “no” unhappy customers.
I think a better SCCM detection method is to use the version of the java.exe file in “C:Program Files (x86)Javajre7bin” (on 64-bit Windows anyway).
Then in the “Detection Rule” window, choose the “Version” property of the file and “Greater than or equal to” whatever version you are deploying (e.g. 7.0.670.1 for Java 7 u67).
This has the benefit that the SCCM application will not deploy to a PC which been upgraded to a later Java version manually. Some developers are quick to upgrade Java on their PCs – it can be a while before an SCCM package for the latest Java version is created, tested and deployed.
The detection method I described above will work for Java 7 but Java 8 has a separate folder for each version (e.g. C:Program Files(x86)Javajre1.8.0_45)
Then how should we use the detection method for Java if we don’t want to have 7 installed on the machine that has 8u45? Even 8u31 has a separate install directory. What’s the best way to tackle this in a detection method can someone please explain?