Are you looking to deploy Java updates using WSUS? Want to then push them out to your end users through Windows Update? Then this guide is for you!
The end user problem
After having a number of issues with end users complaining about getting Java update alerts, but not being able to download and install them (no local admin rights), we decided it was time to do something about it, so where better to look for the help than our WSUS server.
The idea was simple, we push out Windows Updates and Adobe Updates to all users, so why not deploy Java updates?. So I started looking into it and it turned out to be much simpler than I thought.
Using a combination of SCUP, WSUS, WSUS self-cert and our own GPO‘s, I got it setup and working to all clients.
The how to deploy Java updates guide
The below guide assumes that you have your WSUS self-cert setup and distributed to your clients using GPOs and that you also have your GPO’s setup to allow assigned updates – if you have no idea what this means or need help with it, go to this post about self-signed certs. These updates will not work without having this done first.
Note that to use SCUP you must have an installed, licensed System Center for your business as per the pre-reqs for downloading SCUP.
Please also note that this is for Java 7 Update 5 as you will probably see, this should work in the same way with future updates by just changing the number (5 to 6 for example..).
Something else to note is that you should not push this update to Java Clients lower than version 7, if you do, this will install and leave behind the old version and screw up your Java. If you run it on this version, it will successfully upgrade.
You will need to ensure that you have SCUP (System Center Updates Publisher) installed () on your WSUS server.
You will also need to download the latest Java Update from HERE
The setup process
Once setup, open the SCUP program and click Create Software Updates:
You then need to browse to the location where you saved the downloaded Java Update.
Then make sure that you tick the box labelled Use a local source to publish software update content.
The command line
The other boxes are optional but you need to put the following into the Command Line box:
/s "IEXPLORER=1 MOZILLA=1" /quiet
So the first box should look similar to this:
Then click Next and on the next page you can give your update a name and description etc, again this is all optional so put what you like here, mine is as below:
Click next, again on this page is mostly optional, but mine looks like this:
For the next two pages you can just click Next (Prerequisites & Superseded Updates) as you do not need to input any information here.
The installation rules
The most important part of this sequence is the next two steps so be very careful to get this right.
Create your installable rules so that they are exactly the same as below:
This means that the update will look to see if the registry key exists – if it does, Java is installed so there may be an update that needs to be applied. But it also looks to see if the update is already installed (second row), so if it is (NOT:) means do not run the update.
Click Next and move onto the Installed Rules page. You will need to make these page exactly the same as below:
This means that the update will look at this registry key and if it is there, the update has already been applied and this update does not need to be installed.
You can then click through the rest of the wizard as there is not any more critical information that you need to input.
Deploy Java updates to your user machines
Now, you need to distribute this update. To do this, go to the update, right click and click Publish. Then, select Full Content and complete the wizard.
This should be all you need to do, now, once your WSUS and fully synchronised, your clients should see this Java update using Windows Updates and be installed.
Please feel free to share this page wherever you want, but please make sure you source me if you use the information elsewhere.