By default, an installation of Java will check for updates and then will prompt the end user to install the update whether or not the user has Admin rights. In a small environment, this may not be a problem, but in a larger environment, this can generate a lot of unnecessary support requests. If you’ve installed 32-bit/x86 Java on your 64-bit/x64 Operating System, the normal method of disabling Java updates with Group Policy isn’t going to work. You’ll need to add a Registry key in the Wow6432Node area of HKEY_LOCAL_MACHINE. Here’s how to do that so that your end users don’t see messages like this:
Standard warning about disabling the update utility for 3rd party software: You still need to update 3rd party software just like you would install monthly updates from Microsoft. This tutorial is intended for systems administrators that are using some kind of systems management product for updating 3rd party software. Many of the security flaws in 3rd party software can lead to malware infections and/or compromised computers. If you disable the update notifications, you still need to keep the software up to date!
This tutorial applies to 32-bit Java running on a 64-bit Operating System. If you’re running 32-bit Java on a 32-bit Operating System, you’ll need a different tutorial.
x86 Java stores the setting that you need to disable updates in HKEY_LOCAL_MACHINESOFTWAREWow6432NodeJavaSoftJava UpdatePolicy in 64-bit Windows. The registry entry is named EnableJavaUpdate and is a DWORD value that defaults to 1 for the update functionality to be enabled. Setting the value to 0 disables updates. Here’s what it looks like in the Registry with updates enabled:
You could set this manually, but there’s actually a much easier way to do this in Group Policy. First off you’ll need a Group Policy Object (GPO) that applies to your computers that need to have the updater disabled. In my example, it is an empty GPO, but there’s no reason why you can’t add this to an existing GPO.
In your GPO, go to Computer Configuration > Preferences > Windows Settings > Registry. Right-click and choose New > Registry Item.
If you have the 32-bit Java installed on your management station (running 64-bit Windows), you can browse the registry to the setting you’ll be changing. (If you don’t, you can skip the next couple of steps and copy the entry manually.) In the Window that opens, click the “…” button next to Key Path.
Browse down to HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > JavaSoft > Java Update > Policy. In the bottom window, you should see EnableJavaUpdate. Click on it and then click Select.
When you’re taken back to the last window, it should look something like the screenshot below. If you didn’t have Java installed on your management station, you can enter the following:
Key Path: SOFTWAREWow6432NodeJavaSoftJava UpdatePolicy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000 (that’s 8 zero’s)
When you click OK, it should look something like this in the Group Policy Management Editor:
All that is left is to let Group Policy refresh on your test systems (or you can run a gpupdate.exe manually).
One last thing… Java updates have (at least in my experience) been kind enough to wipe out this setting after install. As long as your ‘Action’ is set to ‘Update,’ you should be good… Group Policy will recreate the entry at the next refresh.
Kyle is also the Vice President of the Atlanta Windows Infrastructure and Virtualization User Group (WINVUG).You can find additional articles he's written on 4sysops.com.
Latest posts by Kyle Beckman (see all)
- Use Group Policy to Log Out Users After Inactivity - March 27, 2015
- Best Practices for Hyper-V Host Server Security - March 23, 2015
- The Case For and Against Antivirus on Hyper-V - March 16, 2015