This discussion is archived
5 Replies Latest reply: Jul 26, 2013 1:07 AM by SpellJammer RSS

JRE Management in Large Sized Organization

cah2785 Newbie
Currently Being Moderated

Hello All,

 

I have recently been tasked with keeping our workstation JRE installations (20,000+ devices) up to date with the latest JRE releases using Active Directory. Currently we have a mix of Windows 7 and XP devices as we are in the process of migrating all workstations to Windows 7. I am currently gathering the details of applications with JRE dependencies that have version limitations and eliminating those workstations from upgrades.I was hoping for some insight from anyone else who manages JRE for a large organization... Any ideas, tips/tricks, or precautions on how to manage and deploy effectively would be greatly appreciated. Thanks in advance!

  • 1. Re: JRE Management in Large Sized Organization
    SpellJammer Newbie
    Currently Being Moderated

    Hi, from personal experience, testing, testing and more testing. If you are running many web based apps which rely on JRE I would recommend initiating a project where all the application owners come together and test then agree to a standard in terms of options within Java Control Panel Options which need to be enabled and then get sign off for your deployments on this basis because simply rolling out newer JRE versions could potentially break stuff, esepcially business critical apps which may rely on JRE. From personal experience this however changes with each new JRE release and certain bugs in the JRE installation may complicate things, ie not being able to disable the next generation plugin, the deployment properties and config files no longer working, or applications only working with the JRE plugin enabled in IE. An example relating to this is the fact that some of our web based didn't need JRE to be enabled in IE on JRE6U29, but on JRE7U25 they do. Check out the thread I started for some of the other stuff to look out for.

  • 2. Re: JRE Management in Large Sized Organization
    cah2785 Newbie
    Currently Being Moderated

    Can you offer any insight as to the mechanism you use to actually deploy the JRE? Just Active Directory at a high level OU? Or is there a patching mechanism/utility that you use?

     

    Also, how have you uninstalled older versions? We have Java 5 and 6 out there and we need to remove them and only have the latest JRE on the machines... but we all know how uninstalling can be...

  • 3. Re: JRE Management in Large Sized Organization
    SpellJammer Newbie
    Currently Being Moderated

    03b8ac93-cd1d-4d4b-8c22-143a9070884c wrote:

     

    Can you offer any insight as to the mechanism you use to actually deploy the JRE? Just Active Directory at a high level OU? Or is there a patching mechanism/utility that you use?

     

    Also, how have you uninstalled older versions? We have Java 5 and 6 out there and we need to remove them and only have the latest JRE on the machines... but we all know how uninstalling can be...

    Hi Bro Sure

     

     

    We use config manager 2007 for our deployments. Yes I uninstall previous versions. I also create a winrar exe from a batch script that I write to deploy my JRE clients silently to workstations. You could use a batch script which I have written to easily and safely get rid of your older JRE installations via WMI which you can run before you deploy JRE. Copy and paste this into a text file, save the text file as .bat or .cmd. Test the script on a group of pilot users, and you're good to go.

     

    ************************************************************************************************************************************************************************************

    Author: Dylan Ogle South Africa

    @echo off

    cd\

    cls

     

    :UninstallingOldJREVersions

    cd\

    cls

    echo *** This will uninstall older versions of JRE ***

     

    wmic product where "name like 'Java(TM) 5%%'" call uninstall /nointeractive

    goto END

    :END

     

    wmic product where "name like 'Java 5%%'" call uninstall /nointeractive

    goto END

    :END

     

    wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive

    goto END

    :END

     

    wmic product where "name like 'Java 6%%'" call uninstall /nointeractive

    goto END

    :END

     

    wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive

    goto END

    :END

     

    wmic product where "name like 'Java 7%%'" call uninstall /nointeractive

    goto END

    :END

    *****************************************************************************************************************************************************************************

  • 4. Re: JRE Management in Large Sized Organization
    cah2785 Newbie
    Currently Being Moderated

    So I just confirmed, we have don't currently have any version of config manager in use. The uninstall file seems to work well, I am doing some testing with it and I like what I have seen thus far. Two more questions... JRE is a new arena for me so I apologize for all the questions:

     

    1. Do you know of any other utilities/mechanisms that can be used for JRE management besides config manager?

    2. Are you using config manager to remove the software with that batch file as well? If not, how are you using it to remove from remote workstations?

     

    Thank you!!

  • 5. Re: JRE Management in Large Sized Organization
    SpellJammer Newbie
    Currently Being Moderated

    Hi

     

    Yes we do our uninstalls with my batch script. You can deploy the uninstall and the new JRE installation in a single batch script. In terms of other deployment methods, im unfortunately only familiar with the SMS and config manager environments but I do know that Altiris, Riverbed steel heads and AD might be able to do this for you. From the sounds of things deploying from AD would be your best option but I would limit this deployment to one OU at a time if you have OU's setup in AD to mitigate any risks and having a rollback plan in effect should you need to.This is a sample of the script which I use to deploy to all of my workstations:

     

    ********************************************************************************************************************************************************************************************************************************************************

    Author: Dylan Ogle South Africa July 2013

    @echo off

    cd\

    cls

     

    :64BitChecker

    if exist "C:\Program Files (x86)" set OSV="C:\Program Files (x86)"

    if not exist "C:\Program Files (x86)" set OSV="C:\Program Files"

     

    :KillIE&JavaProcesses

    echo *** This will kill IE and Java Processes ***

    Rem ***

    taskkill /F /IM iexplorer.exe

    taskkill /F /IM iexplore.exe

    taskkill /F /IM javaw.exe

    taskkill /F /IM javaws.exe

    taskkill /F /IM jqs.exe

    taskkill /F /IM jusched.exe

     

     

     

     

     

    :UninstallingOldJREVersions

    cd\

    cls

    echo *** This will uninstall older versions of JRE ***

     

     

    wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive

    goto END

    :END

     

     

    wmic product where "name like 'Java 6%%'" call uninstall /nointeractive

    goto END

    :END

     

     

    wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive

    goto END

    :END

     

     

    wmic product where "name like 'Java 7%%'" call uninstall /nointeractive

    goto END

    :END

     

     

    :Backup&ClearRegistryForJavaSoft 32Bit

    if exist "C:\Program Files" start /w regedit /e "%systemroot%\JavaSoftRegBackup.reg" HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft

    if exist "C:\Program Files" reg delete HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft /f

     

     

    :Backup&ClearRegistryForJavaSoft 64Bit

    if exist "C:\Program Files (x86)" start /w regedit /e "%systemroot%\JavaSoftRegBackup.reg" HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft

    if exist "C:\Program Files (x86)" reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft /f

     

     

    :InstallJREVersion 7U25

    cd\

    cls

    echo *** Installing Java 7 Update 25  ***

    Rem ***

    %~dp0\jre-7u25-windows-i586 /s /L C:\Windows\setup.log "WEB_JAVA=1 REBOOT=SUPRESS WEB_JAVA_SECURITY_LEVEL=M"

     

    :Disabling Automatic Updates

    cd\

    cls

    echo *** Disabling Automatic Updates  ***

    Rem ***

    if exist "C:\Program Files (x86)" regedit.exe -s %~dp0\DisableAutoUpdateX64.reg

    if exist "C:\Program Files" regedit.exe -s %~dp0\DisableAutoUpdate.reg

     

     

     

     

    :Copying Configuration Properties Files

    cd\

    cls

    echo *** Copying Configuration Properties Files ***

    Rem ***

    if not exist "C:\Windows\Sun\Java\Deployment" MD "C:\Windows\Sun\Java\Deployment"

    copy %~dp0\deployment.config "C:\Windows\Sun\Java\Deployment" /y

    copy %~dp0\deployment.properties "C:\Windows\Sun\Java\Deployment" /y

     

    :End Of Script

     

    ********************************************************************************************************************************************************************************************************************************************************

    Background Explanation For Certain Components Of My Script:

     

    For the above mentioned script I'm disabling automatic updates in the registry for my 32&64bit machines using the following reg keys which you can create and store in the installation directory of the script along with the JRE setup and deployment.properties and deployment.config files:

     

    64 bit:

    Windows Registry Editor Version 5.00

     

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]

    "EnableJavaUpdate"=dword:00000000

    "EnableAutoUpdateCheck"=dword:00000000

    "NotifyDownload"=dword:00000000

    "NotifyInstall"=dword:00000000

     

    32Bit:

    Windows Registry Editor Version 5.00

     

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy]

    "EnableJavaUpdate"=dword:00000000

    "EnableAutoUpdateCheck"=dword:00000000

    "NotifyDownload"=dword:00000000

    "NotifyInstall"=dword:00000000

    ********************************************************************************************************************************************************************************************************************************************************

    Then I'm also deleting the Javasoft registry key to remove any traces of previous JRE installations for 32 bit and 64 bit.

     

    64Bit:

    Windows Registry Editor Version 5.00

     

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft]

     

    32Bit:

    Windows Registry Editor Version 5.00

     

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft]

    ********************************************************************************************************************************************************************************************************************************************************

    Finally Im locking down and enabling the following settings in the Java control panel by creating a deployment.config and deployment.properties file which gets copied to the following directory:

    C:\Windows\Sun\Java\Deployment  . My script creates this directory if it doesn't exist and my deployment files look like this (note you need to copy the contents of each file into notepad and save as deployment.config and deployment.properties

     

    Deployment.config:

    deployment.system.config = file\:\\C\:\\WINDOWS\\Sun\\Java\\Deployment\\deployment.properties

    deployment.system.config.mandatory = true

     

    Deployment.properties

    deployment.javaws.autodownload=NEVER

    deployment.javaws.autodownload.locked=

    deployment.security.mixcode=HIDE_RUN

    deployment.security.mixcode.locked=

    deployment.console.startup.mode=HIDE

    deployment.console.startup.mode.locked=

    deployment.security.level=MEDIUM

    deployment.security.level.locked=

    ********************************************************************************************************************************************************************************************************************************************************

    And that's it, test it and let me know if it works for you? Drop me an email at jhbitgeek@gmail.com should you need assistance with anything.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points