Patch Management Solution

https://www-secure.symantec.com/connect/forums/patch-management-distribute-adobe-and-java-update-problem

We have this same problem with Java we do not have the issue with Flash.

Always after releasing a java update to like 30 users 2 or 3 will come back with Java is hosed.  I display notifications to close out IE and any programs using Java and so on.  It just seems to not be helping.  We always have a few users every release that this happens too.

Does anyone have any suggestions to this issue?  Is there a way to force install at say computer start?

Symantec Support pointed me to the same Oracle bug in the other article.

 

Any information would be helpful.  Management is starting to complain about this.

Hi jlawson,

You may try to change Program Run settings so that Java updates should be installed only when no user is logged in.
Please refer to http://www.symantec.com/docs/TECH197833

Hope this helps,
Roman

Roman this is a perfect article I was aware of the bug but not aware of the control you could do with each package.

Kind of a pain to modify everytime but better than how it has been working out.

 

Let me ask you what about remote users.  Will this package install if the user is not connected to the NS?  Basically download while logged in and on vpn but then when not on vpn and proceed with the install?

@Roman - thanks this is helpful to know.

Oracle announced in Dec it will auto update 6 users to 7.  Is this something patch mgmt will support, patching 6 users to 7 within patch management ?  I put a ticket in asking this, which was prompty closed with a we'll see type answer.

http://www.oracle.com/technetwork/java/javase/documentation/autoupdate-1667051.html

The article from Oracle's web site actually says:

"In December 2012 Oracle will start to auto-update a sample of users from JRE 6 to JRE 7 to evaluate the auto-update mechanism, user experience and seamless migration. Oracle will then start auto-updating all Windows 32-bit users from JRE 6 to JRE 7 with the update release of Java, Java SE 7 Update 11 (Java SE 7u11), due in February 2013."

Our plans are to continue providing updates to JRE 6 until it reaches it EOL in February, 2013.  At the time, we will likely start showing the latest version of JRE 7 to be applicable to computers on which JRE 6 is installed.  The question of whether JRE 7 can install on top of JRE 6 or remove JRE 6 will be dependent on how Oracle builds the package, as that it not within the control of the Patch Management Solution.

 

 

Thanks Michael, that's helpful info.

Roman one issue with this setup.  How do you get the patch to apply?  I rebooted and left my pc logged off for over 20 minutes and I could not get this patch to install.  The policy is set to run this ASAP.

Is there something that can be done we will need to know how to speed this up in order to force this for users who don't get installed quickly.  Any recommendations?

jlawson, this is why I don't think the java update option to install when not logged in will realistically work for us either.  We train our users to shut down when they leave and computers here are rarely logged off but powered on.

Instead of as soon as possible, I'd try a schedule that runs every 5 minutes or so.

When I updated Java the last time, I didn't use patch, I used managed software delivery and created a filter that said 'doesn't have X version of java' and pushed that version of java to that filter and had it running every 20 mins.  This way if it failed or didn't run because the browser was opened, it would just keep trying every 20 mins.  The last part of the MSD was update client config, so once Java was installed, it would fall out of the filter.  We still got 10-15% of users calling into the helpdesk who needed java before the install happened and we had to force close the browser and force the update to happen in the agent.

I'm like to get away from this and use patch for Java but seems like it just isn't able to handle the fail case when it fails when browser is opened.  Or maybe you can use patch but you need to scope it to a filter instead of all computers, all computers that haven't gotten java yet so it will keep trying?

Sally for us if the install fails and kills java then sometimes it takes a miracle to get Java back on the machine.  So just reinstalling is not always the option.  It all depends on the over all failure.

I can't believe patch can't do more advanced stuff or that they don't put this into the patches.  Like checks is the browser running if so do not install but notify user to close browser or whatever is using Java.

They have ways to package installers so not sure why they don't do this.  To me it is just being lazy they want to just say it is oracle's fault and here is the bug to prove it.  That is not the answer for your users though.  You should support them and create a working solution.

Setting the schedule on the task for every 5 minutes is not a bad idea not sure what this does while the user is logged in as far as activity.

Patch appears to only be set to be executed on a repeat of daily.

Hi jlawson,

This workaround works if Java patch installation is scheduled to some time when no user is logged in. SWU policy should be received by client before installation time. Please note that policy is received after Symantec Management Agent configuration update(by default configuration update occurs every 1 hour) in case if Patch filter has been updated(by default Patch Filter Update occurs every 30 minutes).

In case if someone is logged in at the scheduled installation time, patch installation will be skipped. It will try to be installed at next available scheduled time.

I would recommend to set scheduled installation time for Java update at night(repeat daily at same time) with option  to install only when no user is logged in. This policy will be received by client and update will be downloaded to client at day, then user should be logged off before scheduled installation time

Thank you,
Roman

We are using Symantec Patch Management in my company and it works great - but Java is not to be compare with flash, shockwave e.c. Our experience is that the most reliable way to deploy Java updates is with Group Policy. This is done by making a 'shutdown script' that runs both the uninstall strings for old Java versions, then the install strings and finally the registry changes (disable autoupdate...) By making a shutdown script instead of a startup script we prevent that the user opens IE before the installation finish. Another benefit is that the machine we be rebooted after the install so the user wont get caught with a broken java installation when working. Its quite easy to insert the uninstall strings for old java versions in the script and by doing this we prevent that old java versions are installed beside the new version (best practices//security). Hope you all allready are running the new java. /Kenneth