Java 8 install script for Enterprise software deployment SCCM

Deploying Sun's Java was already a pain in the ass when they came out with V6 and 7. But with V8 they just shot the bird at an unknown high level :-( My boss told me to create a package for this application with the following requirements:

  1. Remove any existing Java Installer and Settings
  2. Install 32bit and 64bit Version
  3. Easy future deployment with just replacing the msi’s
  4. Deploy the Exception Sites list with it
  5. Deploy the Configurations and Settings
  6. Add the company's own certificate for deep packet inspection
  7. Remove ugly update messages

Yes, those are the requirements… Now get started.

The first problem you will encounter is that Java has a death trigger, which forces users to install a newer version of Java as soon as a specific timestamp is reached. The second problem you will encounter (the most important one) is that most applets use all the permissions they can get. Because Java does not like such security holes, it will run those applets in a very restricted container that has no connection to the host.

The actual script:

```bat
REM Uninstall every existing Java version (%% is an escaped %% wildcard inside a batch file)
wmic product where "name like 'Java 9%%'" call uninstall /nointeractive
wmic product where "name like 'Java 8%%'" call uninstall /nointeractive
wmic product where "name like 'Java 7%%'" call uninstall /nointeractive
wmic product where "name like 'JavaFX%%'" call uninstall /nointeractive
wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive
wmic product where "name like 'Java(tm) 6%%'" call uninstall /nointeractive
wmic product where "name like 'J2SE Runtime Environment%%'" call uninstall /nointeractive

REM Delete old system-wide and per-user configuration and leftover executables
del "C:\WINDOWS\Sun" /Q /S /F
REM Loop variables need a doubled percent sign (%%i) when run from a batch file
for /D %%i in ("C:\Users\*") do del "%%i\AppData\LocalLow\Sun\Java\Deployment\deployment.properties" /Q /S /F
del "C:\Program Files (x86)\Java" /Q /S /F

REM Set deployment.expiration.check.enabled to disabled, because otherwise Java Update every month is needed
setx deployment.expiration.check.enabled false /m

REM Same setting again, this time through javaws
javaws -userConfig deployment.expiration.check.enabled false

REM Stop processes that use java
taskkill.exe /F /IM jqs.exe /IM java.exe /IM javaw.exe /IM javaws.exe

REM Set the deployment config and the properties to the right place
md C:\WINDOWS\Sun
md C:\WINDOWS\Sun\Java
md C:\WINDOWS\Sun\Java\Deployment
copy /y "%~dp0deployment.config" "C:\WINDOWS\Sun\Java\Deployment\deployment.config"
copy /y "%~dp0deployment.properties" "C:\WINDOWS\Sun\Java\Deployment\deployment.properties"
copy /y "%~dp0exception.sites" "C:\WINDOWS\Sun\Java\Deployment\exception.sites"

REM The Java installer itself with some options
start /wait msiexec /i "%~dp0jre1.8.0_51x64.msi" /qn
start /wait msiexec /i "%~dp0jre1.8.0_51.msi" /qn

REM Add Certificates so that the stupid Java does not answer with a Warning
certutil -addstore "AuthRoot" "%~dp0MyCert.cer"

REM Set deployment.expiration.check.enabled to disabled again after the install
setx deployment.expiration.check.enabled false /m
javaws -userConfig deployment.expiration.check.enabled false

REM Delete the Start Menu folder that the installer created
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java" /Q /S /F

EXIT /B 0
```

Short explanation what the script does:

  1. First I uninstall all Java applications with wmic
  2. Delete existing configurations in user space and in the Windows folder
  3. Remove existing executables
  4. Set the expiration check to false
  5. Kill all tasks that use Java
  6. Create the necessary folders and copy the files
  7. Start the installer
  8. Add your company's certificate
  9. Set the deployment expiration check to disabled again
  10. Delete the Start Menu icon that got created

This script will work with SCCM and LANDESK (for LANDESK, remove the for loop line, because LANDESK can't do loops :-( )

To manage all settings and the exception site list centrally, we created a GPO rule that replaces the exception.sites and deployment.properties files on all workstations. We changed the permissions on those files so that the local helpdesk can write to them, either to change them or to add a site to the exception list.

Keep in mind that most applications will work by default because of the security settings. The best way (probably the easiest one) is to add them to the exception.sites list.

ATTENTION: The exception.sites file does NOT accept WILDCARDS. If you have a URL with an applet like https://www.jans.li/foo/foo/foofoo/applet.java, then you add https://www.jans.li/ to the exception sites list.
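Because the helpdesk can edit exception.sites and the GPO then copies it to every workstation, it is worth linting the file before it goes out. The following PowerShell is an added example, not part of the original package: it flags wildcard entries and reduces a deep applet URL to the site root, as described above. The function name `Test-ExceptionSiteList`, the sample entries, and the policy of accepting only http/https and warning on plain HTTP are assumptions of this example.

```powershell
# Added example: lint exception.sites content before the GPO distributes it.
# Assumptions: one URL per line; function name, policy and samples are constructed.
function Test-ExceptionSiteList {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $n = 0
    foreach ($raw in $Lines) {
        $n++
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }          # skip blank lines

        $status = 'ok'; $note = ''; $suggest = $entry
        $uri = $null
        if ($entry.Contains('*')) {
            # The file does not accept wildcards, so the entry would never match.
            $status = 'reject'; $note = 'wildcards are not accepted'
        }
        elseif (-not [Uri]::TryCreate($entry, [UriKind]::Absolute, [ref]$uri) -or
                $uri.Scheme -notin 'http', 'https' -or $uri.Host -eq '') {
            $status = 'reject'; $note = 'expected scheme://host[:port]/'
        }
        else {
            # Reduce a deep applet URL to the site root, as the post describes.
            $suggest = $uri.GetLeftPart([UriPartial]::Authority) + '/'
            if ($uri.Scheme -eq 'http') {
                $status = 'warn'; $note = 'plain HTTP entry (example policy)'
            }
            elseif ($suggest -ne $entry) {
                $status = 'warn'; $note = 'reduce to site root'
            }
        }
        [pscustomobject]@{ Line = $n; Entry = $entry; Status = $status
                           Note = $note; Suggested = $suggest }
    }
}

# Constructed sample input; for a real file use: Get-Content .\exception.sites
$sample = @(
    'https://www.jans.li/'
    'https://www.jans.li/foo/foo/foofoo/applet.java'
    'https://*.example.com/'
    'http://intranet.example.local:8080/'
    'intranet.example.local'
)
Test-ExceptionSiteList -Lines $sample | Format-Table -AutoSize
```

Filtering the result on `Status -eq 'reject'` gives a simple gate for the copy step that publishes the file.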

You can download my full package with all files from here: [https://www.jans.li/files/Java8.zip][1] the Password is www.jans.li

Hope this helps you, if there is a question that is not answered here, write a mail to [email protected]

[1]: https://www.jans.li/files/Java8.zip
