Use Group Policy to Distribute JRE With Its Automatic Update Feature Disabled

Sun Microsystems' Java is a widely used programming language, and as a result, there are many programs and websites that require Sun's Java Runtime Environment (JRE). Many administrators have discovered that, after installing JRE, users with sufficient permissions might see a balloon prompt in the system tray to install an update when Sun releases a new version. This happens because the JRE automatic update feature is enabled by default.

The JRE automatic update feature periodically checks Sun's servers for an updated version. It can also download and install the latest version. This can cause problems on a corporate network because the new JRE version is installed alongside the old versions, taking up unnecessary disk space and cluttering the Add/Remove Programs applet with multiple entries. This also makes standardizing a particular JRE version more difficult. In recent JRE versions, users with sufficient permissions can go to the Update tab in the Java Control Panel applet and disable the automatic update feature, but this setting is a per-user rather than a per-machine setting. If a different user logs on to the computer, the automatic update feature is active for that user unless he or she disables it.

The JRE automatic update feature is controlled by Jusched.exe. When JRE is installed, a value for Jusched.exe is added to the HKLMSoftwareMicrosoftWindowsCurrentVersionRun registry subkey. This means that Jusched.exe starts and runs in the background for any user that logs on to the machine. When Jusched.exe is running, it reads the automatic update settings from the registry and prompts the user when an update is available. I'll show you how to install JRE without creating this registry value. If Jusched.exe never runs, no automatic update prompts will appear.

However, simply preventing Jusched.exe from running at logon can create a confusing user experience because the Update tab in the Java Control Panel might still be visible to some users, depending on permissions. This means that a user could set an update schedule that will never occur. To prevent such confusion, I'll also show you how to create a Group Policy Object (GPO) registry setting to hide the Update tab for all users.

The solution to distribute JRE with its automatic update feature disabled and hide the Update tab is fairly simple. You just need to follow five steps.

Step 1: Obtain and Install Orca

To disable JRE's automatic update feature, you need Orca, a GUI database editor for creating and editing Windows Installer (.msi) packages. Orca is part of the Windows Installer SDK, which is a part of the Microsoft Windows Server 2003 Platform SDK. If you don't already have the Windows Installer SDK installed, the easiest way to obtain Orca is to download it from Microsoft developer Aaron Stebner's blog. Alternatively, you can obtain Orca by following the directions and links on the Orca.exe web page. After you have a copy of Orca.msi on your computer, double-click it from Windows Explorer to install it.

Step 2: Obtain JRE

To obtain JRE, go to the Java website and click the Free Java Download link. The next page will prompt you to perform an online install. However, you need to download the offline installation program, so choose the Not the right operating system? See all Java downloads here link. This will take you to a page that lists the JRE downloads for all OSs. Choose the Windows XP/Vista/2000/2003 Offline link for the Windows offline installation and save the download to a directory on your local computer. (As I write this article, the current version's download is named jre-6u6-windows-i586-p-s.exe.) Create a directory called C:JavaDeployment and save the download to this directory.

Next, run the installer program you just downloaded (jre-6u6-windows-i586-p-s.exe in this example) to install JRE on your computer. After the installation finishes, use Windows Explorer to go to the Application DataSunJavaversion directory (where version is the JRE version you just installed) inside your user profile to find the JRE .msi file. On my computer, this file was in C:Documents and SettingsBilljre1.6.0_06. Copy the JRE .msi file (jre1.6.0_06.msi in this example) to the C:JavaDeployment directory. If you can't find the .msi file, search for it in Windows Explorer.

Step 3: Create a Transform File

The next step is to use Orca to create a transform (.mst) file. First, make a backup copy of the JRE .msi file in case of mistakes. Next, right-click the JRE .msi file in Windows Explorer and choose Edit with Orca. Orca displays the JRE database in two panes. The left pane lists the tables in the database, and the right pane lists the rows in the selected table. Select Transform, then New Transform from the Orca menu to create a transform file. This will add the text (transformed by Untitled) to Orca's title bar to indicate you're creating a new transform file.

In Orca's left pane, click the Property table to select it. The right pane will display the Property table's contents, as shown here:

Select the IEXPLORER property and change it from 0 to 1. If your users operate a Mozilla-based browser (e.g., Firefox), change the MOZILLA property from 0 to 1 as well. Enabling these properties ensures that JRE becomes the default runtime environment for users' browsers.

Next, change the JAVAUPDATE property from 1 to 0 to prevent Jusched.exe from running at startup for all users. Lastly, I recommend you also change the SYSTRAY property from 1 to 0 to prevent JRE from displaying an icon in the system tray, but this is optional. Each updated property value is outlined with a green border.

After making these changes, choose Transform, then Generate Transform from the Orca menu to create the .mst file. Browse to the C:JavaDeployment directory, enter a filename (e.g., jre1.6.0_06.mst), and click Save. This will change Orca's title bar text to reflect the transform file's name. Close Orca.

Finally, copy the JRE .msi file and the transform file (jre1.6.0_06.msi and jre1.6.0_06.mst in this example) to a central location that's accessible to the computers that will be installing the software. If you've used GPO software distribution before, you probably already have a location set up. If not, create a share and grant the Domain Computers group read access to the files.

Step 4: Create or Update a GPO to Install JRE

To install JRE, you can either create a GPO or update an existing one. For this example, create a new GPO named Install JRE and link it to the organizational unit (OU) where you want to install JRE. (If you're unfamiliar with how to create GPOs, see the Learning Path for a link to information about this topic.) Edit the GPO and navigate to Computer Configuration/Software Settings/Software installation. Right-click the Software installation node and choose New, then Package. Browse to your software distribution share, find the JRE .msi file, and click Open. Make sure that you browse to the package's location using a Universal Naming Convention (UNC) path, not a drive letter. When the GPO console prompts you for the deployment method, select Advanced, then click OK:

The GPO console will display a properties dialog box for the package. Select the Modifications tab and click the Add button to add a transform file to the package. Browse to your software distribution share and select the transform file you just created. The pathname to this file will appear in the dialog box. Finally, click OK to save your changes to the GPO. After saving the changes, the package name, version, and filename will appear in the GPO console. After the package is assigned in the GPO, Group Policy will automatically install the package onto the computers after you reboot them.

Step 5: Implement a Custom Registry Policy to Hide the Update Tab

After installing JRE, the HKLMSoftwareJavaSoftJava UpdatePolicy registry subkey contains a REG_DWORD value called EnableJavaUpdate. If this value is set to 1, the Update tab is visible. If it's set to 0, the update tab is hidden. After the JRE installation completes, the EnableJavaUpdate value is always set to 1. I tried setting this value to 0 by adding a row to the Registry table in the transform file, but this technique didn't work due to how Sun builds the JRE database. To solve this problem, I wrote a custom GPO administrative template (.adm) file named JavaUpdate.adm, which you can download by clicking the Download the Code Here button at the top of the page. The JavaUpdate.adm template lets you configure the EnableJavaUpdate registry value by enabling or disabling the setting from a GPO.

To add this template to the GPO you created in Step 4, navigate to Computer Configuration/Administrative Templates. Right-click the Administrative Templates node and choose Add/Remove Templates. Next, click the Add button to browse to the JavaUpdate.adm file and click Open. The JavaUpdate template will appear in the list. Click Close. You'll see the Sun Java JRE node in the left pane of the GPO console.

Because the JavaUpdate.adm template updates a registry value outside the standard policy subkey locations, the GPO console won't display its settings by default. To remedy this, click View, then Filtering from the GPO console's menu bar. Uncheck the Only show policy settings that can be fully managed check box and click OK:

Next, navigate to Computer Configuration/Administrative Templates/Sun Java JRE in the GPO console. This will display the Java Update setting in the right pane. The setting default is Enabled, so double-click the Java Update setting and select Disabled, then click OK:

If you're using Windows Server 2008 or Windows Vista to manage your Group Policy templates, you can convert the JavaUpdate.adm file to an ADMX template file. For more information about ADMX templates, see Darren Mar-Elia's article "Windows Vista and Server 2008 Group Policy Enhancements."

If you find that the EnableJavaUpdate registry value doesn't change from 1 to 0, even after a Group Policy refresh cycle or a reboot, you'll need to modify another Group Policy setting to enforce the change. To make this change, edit the GPO you created in Step 4 and navigate to Computer Configuration/Administrative Templates/System/Group Policy. Double-click the Registry policy processing setting, set it to Enabled, select the Process even if the Group Policy objects have not changed option, then click OK.

A Simple But Effective Solution

With the five-step solution I just described, you can use a GPO deploy the latest JRE with its automatic update feature disabled. And this GPO even hides JRE's Update tab.