Java Updates using WSUS/SCCM/SCUP and Deployed using Windows Updates

java logo

After having a number of issues of users complaining about getting Java update alerts but not being able to download and install them (no local admin rights), we decided it was time to do something about it, so where better to look for the help than our WSUS.

The idea was simple, we push out Windows Updates and Adobe Updates to all users, so why not Java updates?. So I started looking into it and it turned out to be much simpler than I thought.

Using a combination of SCUP, WSUS, WSUS self-cert and our own GPO‘s, I got it setup and working to all clients.

The below guide assumes that you have your WSUS self-cert setup and distributed to your clients using GPOs and that you also have your GPO’s setup to allow assigned updates – if you have no idea what this means or need help with it, go to this post about self-signed certs. These updates will not work without having this done first.

Note that to use SCUP you must have an installed, licensed System Center for your business as per the pre-reqs for downloading SCUP.

Please also note that this is for Java 7 Update 5 as you will probably see, this should work in the same way with future updates by just changing the number (5 to 6 for example..).

Something else to note is that you should not push this update to Java Clients lower than version 7, if you do, this will install and leave behind the old version and screw up your Java. If you run it on version, it will successfully upgrade.

You will need to ensure that you have SCUP (System Center Updates Publisher) installed (can be downloaded by clicking here) on your WSUS server.

You will also need to download the latest Java Update from HERE

Once setup, open the SCUP program and click Create Software Updates:

You then need to browse to the location where you saved the downloaded Java Update.

Then make sure that you tick the box labelled Use a local source to publish software update content.

The other boxes are optional but you need to put the following into the Command Line box:

/s “IEXPLORER=1 MOZILLA=1” /quiet

So the first box should look similar to this:

Then click Next and on the next page you can give your update a name and description etc, again this is all optional so put what you like here, mine is as below:

Click next, again on this page is mostly optional, but mine looks like this:

For the next two pages you can just click Next (Prerequisites & Superseded Updates) as you do not need to input any information here.

The most important part of this sequence is the next two steps so be very careful to get this right.

Create your installable rules so that they are exactly the same as below:

This means that the update will look to see if the registry key exists – if it does, Java is installed so there may be an update that needs to be applied. But it also looks to see if the update is already installed (second row), so if it is (NOT:) means do not run the update.

Click Next and move onto the Installed Rules page. You will need to make these page exactly the same as below:

This means that the update will look at this registry key and if it is there, the update has already been applied and this update does not need to be installed.

You can then click through the rest of the wizard as there is not any more critical information that you need to input.

Now, you need to distribute this update. To do this, go to the update, right click and click Publish. Then, select Full Content and complete the Wizard.

This should be all you need to do, now, once your WSUS and fully synchronised, your clients should see this Java update using Windows Updates and be installed.

Please feel free to share this page wherever you want, but please make sure you source me if you use the information elsewhere.


If this guide has helped you out at all, or if you have any questions, we would love to hear from you. So please feel free to leave us a message below in our comments section.

You might also like...

1 Response

  1. Capurnicus says:

    Do I need to enable anything in WSUS options, so that it will see the updates I create in Publisher? Perhaps enable a particular item in Products or Classifications tabs?

Leave us a message...

This site uses Akismet to reduce spam. Learn how your comment data is processed.