
Is it ok to modify patch bat files? eg Java jre-6u35-windows-i586.bat

Created: 15 Sep 2012 | 10 comments
GarethNZ's picture

We are using Patch Management Solution 7.1 SP1, it's pretty good. But like a few other topics I've seen you can't change the patch\install process to turn off auto updates or have no desktop icon.

I need to update Java from 6u21 to 6u35 and we want updates disabled, new gen plugin disabled and tray icon disabled, 6u21 was installed by script task and also changed reg keys to get Java the way we want.

If I use Patch Management to patch Java to 6u35 it won't have all those settings.
So is it ok\safe to modify the bat file that runs to patch Java? I've found it here: D:\Altiris\Patch Management\Packages\new\JAVA6-35 (folder for 32 & 64 bit)
I've found IE and FF need to be shutdown, added:
taskkill /im firefox.exe /f
taskkill /im iexplore.exe /f
And then ""cmd.exe" /C start /wait %LSFN% /s "IEXPLORER=1 MOZILLA=1" /quiet /norestart" runs to install Java 6u35
Then I have added these lines after (we get an admin prompt first time IE is run if the first line is not run, I'm not sure what it actually does):

start "NoNegen" /wait "C:\Program Files\Java\jre6\bin\ssvagent.exe" -high -jpisetup -old
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableAutoUpdateCheck /t REG_DWORD /d 0 /f
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v NotifyDownload /t REG_DWORD /d 0 /f
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v NotifyInstall  /t REG_DWORD /d 0 /f
REG DELETE "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v PromptAutoUpdateCheck /f
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_35" /v "JavaHome" /d "C:\Program Files\Java\jre6" /t REG_SZ /f
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_35" /v "UseJava2IExplorer" /d 1 /t REG_DWORD /f
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_35" /v "UseNewJavaPlugin" /d 0 /t REG_DWORD /f
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_35" /v "HideSystemTrayIcon" /d 1 /t REG_DWORD /f

It does seem to run ok, it does pop up a security warning though on first logon "Revocation information for the security certificate for this site is not available. Do you want to proceed? Yes/No/View Certificate", that seems to be a Sun\Java issue, maybe due to our proxy, anyone else get that? There is no Java installed at all until I click Yes. Java then installs and works fine in IE, but Firefox displays a new tab asking if ok to enable Java plugin.

How are others updating Java? It must be easier.
Thanks
 


KSchroeder's picture

You can change them, but pretty sure they will be changed back on next pmimport.

Thanks,
Kyle
Symantec Trusted Advisor

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
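
As an added example (not code from any poster in this thread): since a modified patch .bat may be changed back on the next pmimport, a separate check task can confirm that the registry values from the original post are still in place. The non-zero exit code convention is an assumption; run it with the same bitness as the installer so the same registry view is read.

```bat
@echo off
rem Added example: audit the Java settings applied by the modified patch .bat.
rem Key paths and value names are the ones in the original post.
setlocal
set "POLICY=HKLM\SOFTWARE\JavaSoft\Java Update\Policy"
set "PLUGIN=HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_35"
set FAIL=0

call :check "%POLICY%" EnableJavaUpdate 0x0
call :check "%POLICY%" EnableAutoUpdateCheck 0x0
call :check "%POLICY%" NotifyDownload 0x0
call :check "%POLICY%" NotifyInstall 0x0
call :check "%PLUGIN%" JavaHome "C:\Program Files\Java\jre6"
call :check "%PLUGIN%" UseJava2IExplorer 0x1
call :check "%PLUGIN%" UseNewJavaPlugin 0x0
call :check "%PLUGIN%" HideSystemTrayIcon 0x1

rem The original script deletes this value, so it should be absent.
reg query "%POLICY%" /v PromptAutoUpdateCheck >nul 2>&1
if not errorlevel 1 (
    echo DRIFT: PromptAutoUpdateCheck is present
    set FAIL=1
)

rem Assumption: a non-zero exit code is how the calling task flags the machine.
exit /b %FAIL%

:check
rem %1 = key, %2 = value name, %3 = expected data as reg.exe prints it
set "ACTUAL="
for /f "tokens=1,2,*" %%A in ('reg query "%~1" /v %~2 2^>nul ^| findstr /i /c:"%~2"') do set "ACTUAL=%%C"
if /i "%ACTUAL%"=="%~3" (
    echo OK:    %~2 = %ACTUAL%
) else (
    echo DRIFT: %~2 expected "%~3" found "%ACTUAL%"
    set FAIL=1
)
goto :eof
```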

andykn101's picture

I don't use Patch Management to update Java. I extract the msi by running the exe on a test PC and looking in AppData and then install using:

msiexec /i jre1.6.0_35.msi /qb ALLUSERS=2 JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 /l*v "%temp%\jre6u35.log"

If you are updating older v6 JREs you may find that automatic updating is handled by a separate service, I used to run msiexec /x {GUID} after installing java with the GUID of the automatic updating msi, au.msi. You may find with your reg key approach that this msi is still installed on some JRE versions, 6u33 used this updating method AFAIK.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

freemantim's picture

When you say you extract the MSI by running the exe on a test PC and look in AppData, what folder does that refer to?

Do you run the install normally? Or do you use a specific command line switch with .exe?

When I run the install and point it to a specific folder I don't see any .msi after the install is complete.

Thanks for your help.

andykn101's picture

Sorry, should have said you need to look for the msi while the install is running, I think it's deleted once install finishes.


freemantim's picture

It remains in the C:\Users\%userprofile%\AppData\LocalLow\Sun\Java folder. (or at least it did for me on my test install PC).

 

 

GarethNZ's picture

Thanks andykn101, I've give that a go.

Why do you use ALLUSERS=2? That's per user right?
Also I assume you or your users don't get any UAC prompt when running IE for the first time after installing Java?

andykn101's picture

ALLUSERS=2 is the default the NS adds to msi install commands, for details see here:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa367559(v=vs.85).aspx

This example is one I've set up for an XP only house, I've not had a chance to try it under W7.


Sally5432's picture

We also use a managed software policy for Java that runs and says: does the user have this version of Java? If not, install.

We had to do it that way because patch management (or a managed policy) in an attempt to update Java would uninstall the old version first and then attempt to install the new version.  If IE was opened, the new install would fail leaving the user with no Java at all.  With patch, if it sees no java, it won't retry to reinstall the latest version.  

Using managed software policy I just set it to install (uninstalling prior versions if there) all users who don't have newest version, and I set the schedule to run the policy every 30 minutes until it's there.

Also important at end of the policy to do an update software inventory and update client config so the users who have the latest fall out of the filter.

Our users live in web browsers and we strongly encourage them to shut down when they leave, so we still get calls and have to manually update a certain small percentage of users each update cycle.

If only we could get rid of apps that rely on Java...

---
Don't forget to mark posts as helpful if they are, and mark answers as solutions.
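
The failure described above (old version removed, then the new install fails because a browser is open) can be avoided by deferring before anything is touched and letting the scheduled policy retry. This is an added example, not code from any poster; it reuses the msiexec command line posted earlier in the thread, and the exit code 10 for "deferred" is an arbitrary assumption.

```bat
@echo off
rem Added example: install the JRE msi only when no browser is running.
setlocal
set "MSI=jre1.6.0_35.msi"
set "LOG=%temp%\jre6u35.log"

rem Defer rather than kill the browsers; the policy schedule retries later.
for %%P in (iexplore.exe firefox.exe) do (
    tasklist /fi "imagename eq %%P" 2>nul | find /i "%%P" >nul && (
        echo %%P is running, deferring Java install
        rem Assumption: 10 is an arbitrary "deferred" code for the calling task.
        exit /b 10
    )
)

rem Same properties as the msiexec line posted earlier in the thread.
start "" /wait msiexec /i "%MSI%" /qb ALLUSERS=2 JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 /l*v "%LOG%"
set RC=%errorlevel%

rem Standard Windows Installer return codes.
if %RC%==0 (
    echo Java installed
    exit /b 0
)
if %RC%==3010 (
    echo Java installed, reboot required
    exit /b 0
)
if %RC%==1618 (
    echo Another installation is in progress, retry later
    exit /b 10
)
echo Install failed with code %RC%, see %LOG%
exit /b %RC%
```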

andykn101's picture

Or Wake-on-Lan so you can patch out of hours with users logged off.

I often suggest to clients they designate one night to users to be software deployment night, then they can install patches and software that night and shut the machines down afterwards. This can also emphasise to users that they should shut down PCs every other night.
