By default, an installation of Java will check for updates and then will prompt the end user to install the update whether or not the user has Admin rights. In a small environment, this may not be a problem, but in a larger environment, this can generate a lot of unnecessary support requests when a user that doesn’t have Admin rights gets a UAC prompt that wants Admin credentials. Here’s how to disable the Java update checks so that your end users don’t see messages like this:
Let me start with my standard warning about disabling the update utility for 3rd party software: You still need to update 3rd party software just like you would install monthly updates from Microsoft unless you have a really good reason not to. This tutorial is intended for systems administrators that are using some kind of systems management product for updating 3rd party software like SCCM, Landesk, etc. Many of the security flaws in 3rd party software can lead to malware infections and/or compromised computers. If you disable the update notifications, you still need to keep the software up to date!
This tutorial applies to 32-bit Java running on a 32-bit Operating System or 64-bit Java running on 64-bit Operating System. If you’re running 32-bit Java on a 64-bit Operating System, there’s a different setting that you’ll need.
Disabling the Java update notifications is actually pretty easy. There’s a registry setting in HKEY_LOCAL_MACHINE that will allow you to completely disable both update notifications and the update functionality. The full path of the key is HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy. The registry entry is named EnableJavaUpdate and is a DWORD value that defaults to 1 for the update functionality to be enabled. Setting the value to 0 disables updates. Here’s what it looks like in the Registry with updates enabled:
You could set this manually, but there’s actually a much easier way to do this in Group Policy. First off you’ll need a Group Policy Object (GPO) that applies to your computers that need to have the updater disabled. In my example, it is an empty GPO, but there’s no reason why you can’t add this to an existing GPO.
In your GPO, go to Computer Configuration > Preferences > Windows Settings > Registry. Right-click and choose New > Registry Item.
If you have Java installed on your management station, you can browse the registry to the setting you’ll be changing. (If you don’t, you can skip the next couple of steps and copy the entry manually.) In the Window that opens, click the “…” button next to Key Path.
Browse down to HKEY_LOCAL_MACHINE > SOFTWARE > JavaSoft > Java Update > Policy. In the bottom window, you should see EnableJavaUpdate. Click on it and then click Select.
When you’re taken back to the last window, it should look something like the screenshot below. If you didn’t have Java installed on your management station, you can enter the following:
Key Path: SOFTWARE\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000 (that’s 8 zero’s)
When you click OK, it should look something like this in the Group Policy Management Editor:
All that is left is to let Group Policy refresh on your test systems (or you can run a gpupdate.exe manually). If you open the Registry Editor, you should see the setting changed:
If you’re on a 32-bit OS, you can go to the Control Panel, run the Java Control Panel tool, and you’ll see that the Update tab is now gone. (For some reason, the 64-bit version of Java on a 64-bit OS doesn’t have the Update tab.)
One last thing… Java updates have (at least in my experience) been kind enough to wipe out this setting after install. As long as your ‘Action’ is set to ‘Update,’ you should be good… Group Policy will recreate the entry at the next refresh.
July 1, 2012 Update – The tutorial has been tested against both Java 6 and Java 7. While it isn’t possible for me to test against every single ‘Update’ of each version, I have tested the Gold/RTM version of both and several later releases with the same experience that is outlined in the tutorial. Unless Oracle makes some significant change to Java (in which case I will update this article), it should stand to reason that this tutorial will continue to work on later releases.
Kyle is also the Vice President of the Atlanta Windows Infrastructure and Virtualization User Group (WINVUG).You can find additional articles he's written on 4sysops.com.
Latest posts by Kyle Beckman (see all)
- Use Group Policy to Log Out Users After Inactivity - March 27, 2015
- Best Practices for Hyper-V Host Server Security - March 23, 2015
- The Case For and Against Antivirus on Hyper-V - March 16, 2015