Java Updates using WSUS/SCCM/SCUP and Deployed using Windows Updates
After having a number of issues of users complaining about getting Java update alerts but not being able to download and install them (no local admin rights), we decided it was time to do something about it, so where better to look for the help than our WSUS.
The idea was simple, we push out Windows Updates and Adobe Updates to all users, so why not Java updates?. So I started looking into it and it turned out to be much simpler than I thought.
Using a combination of SCUP, WSUS, WSUS self-cert and our own GPO‘s, I got it setup and working to all clients.
The below guide assumes that you have your WSUS self-cert setup and distributed to your clients using GPOs and that you also have your GPO’s setup to allow assigned updates – if you have no idea what this means or need help with it, go to this post about self-signed certs. These updates will not work without having this done first.
Note that to use SCUP you must have an installed, licensed System Center for your business as per the pre-reqs for downloading SCUP.
Please also note that this is for Java 7 Update 5 as you will probably see, this should work in the same way with future updates by just changing the number (5 to 6 for example..).
Something else to note is that you should not push this update to Java Clients lower than version 7, if you do, this will install and leave behind the old version and screw up your Java. If you run it on version, it will successfully upgrade.
You will need to ensure that you have SCUP (System Center Updates Publisher) installed (can be downloaded by clicking here) on your WSUS server.
You will also need to download the latest Java Update from HERE
Once setup, open the SCUP program and click Create Software Updates:
<span style="font-family: Verdana, sans-serif;"><code style="color: black; word-wrap: normal;"> /s "IEXPLORER=1 MOZILLA=1" /quiet
For the next two pages you can just click Next (Prerequisites & Superseded Updates) as you do not need to input any information here.
The most important part of this sequence is the next two steps so be very careful to get this right.
Create your installable rules so that they are exactly the same as below:
This means that the update will look to see if the registry key exists – if it does, Java is installed so there may be an update that needs to be applied. But it also looks to see if the update is already installed (second row), so if it is (NOT:) means do not run the update.
Click Next and move onto the Installed Rules page. You will need to make these page exactly the same as below:
This means that the update will look at this registry key and if it is there, the update has already been applied and this update does not need to be installed.
You can then click through the rest of the wizard as there is not any more critical information that you need to input.
Now, you need to distribute this update. To do this, go to the update, right click and click Publish. Then, select Full Content and complete the Wizard.
This should be all you need to do, now, once your WSUS and fully synchronised, your clients should see this Java update using Windows Updates and be installed.
Please feel free to share this page wherever you want, but please make sure you source me if you use the information elsewhere.
If you have any problems or questions, just post a comment below using our Disqus system and we will try and help where possible.