Disable Java updates with Group Policy

By default, an installation of Java will check for updates and then will prompt the end user to install the update whether or not the user has Admin rights. In a small environment, this may not be a problem, but in a larger environment, this can generate a lot of unnecessary support requests when a user that doesn’t have Admin rights gets a UAC prompt that wants Admin credentials. Here’s how to disable the Java update checks so that your end users don’t see messages like this:

Java Update Notification in Windows 7

Let me start with my standard warning about disabling the update utility for 3rd party software: You still need to update 3rd party software just like you would install monthly updates from Microsoft unless you have a really good reason not to. This tutorial is intended for systems administrators that are using some kind of systems management product for updating 3rd party software like SCCM, Landesk, etc. Many of the security flaws in 3rd party software can lead to malware infections and/or compromised computers. If you disable the update notifications, you still need to keep the software up to date!

This tutorial applies to 32-bit Java running on a 32-bit Operating System or 64-bit Java running on 64-bit Operating System. If you’re running 32-bit Java on a 64-bit Operating System, there’s a different setting that you’ll need.

Disabling the Java update notifications is actually pretty easy. There’s a registry setting in HKEY_LOCAL_MACHINE that will allow you to completely disable both update notifications and the update functionality. The full path of the key is HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy. The registry entry is named EnableJavaUpdate and is a DWORD value that defaults to 1 for the update functionality to be enabled. Setting the value to 0 disables updates. Here’s what it looks like in the Registry with updates enabled:

Registry Editor - EnableJavaUpdate Shown in Registry

You could set this manually, but there’s actually a much easier way to do this in Group Policy. First off you’ll need a Group Policy Object (GPO) that applies to your computers that need to have the updater disabled. In my example, it is an empty GPO, but there’s no reason why you can’t add this to an existing GPO.

In your GPO, go to Computer Configuration > Preferences > Windows Settings > Registry. Right-click and choose New > Registry Item.

Group Policy Management Editor - Add Registry Setting

If you have Java installed on your management station, you can browse the registry to the setting you’ll be changing. (If you don’t, you can skip the next couple of steps and copy the entry manually.) In the Window that opens, click the “…” button next to Key Path.

New Registry Properties in Group Policy Editor

Browse down to HKEY_LOCAL_MACHINE > SOFTWARE > JavaSoft > Java Update > Policy. In the bottom window, you should see EnableJavaUpdate. Click on it and then click Select.

Registry Item Browser - DisableJavaUpdate

When you’re taken back to the last window, it should look something like the screenshot below. If you didn’t have Java installed on your management station, you can enter the following:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000 (that’s 8 zero’s)

EnableJavaUpdate Setting to Disable Updates

When you click OK, it should look something like this in the Group Policy Management Editor:

Group Policy Management Editor - Add Registry Settings Finished

All that is left is to let Group Policy refresh on your test systems (or you can run a gpupdate.exe manually). If you open the Registry Editor, you should see the setting changed:

Registry Editor - Java Updates Disabled

If you’re on a 32-bit OS, you can go to the Control Panel, run the Java Control Panel tool, and you’ll see that the Update tab is now gone. (For some reason, the 64-bit version of Java on a 64-bit OS doesn’t have the Update tab.)

One last thing… Java updates have (at least in my experience) been kind enough to wipe out this setting after install. As long as your ‘Action’ is set to ‘Update,’ you should be good… Group Policy will recreate the entry at the next refresh.

July 1, 2012 Update – The tutorial has been tested against both Java 6 and Java 7. While it isn’t possible for me to test against every single ‘Update’ of each version, I have tested the Gold/RTM version of both and several later releases with the same experience that is outlined in the tutorial. Unless Oracle makes some significant change to Java (in which case I will update this article), it should stand to reason that this tutorial will continue to work on later releases.

Series Navigation<< Disable 3rd Party Software Updaters with Group Policy: IntroductionDisable 32-bit Java updates on 64-bit Windows with Group Policy >>

Kyle Beckman

Kyle is a Systems Administrator with 15+ years of experience. He currently works in Higher Education supporting everything from smartphones to desktop PC's to Hyper-V Failover Clusters. (If it has a IP address, he probably supports it!) He has also worked in Small Business IT consulting supporting a wide variety of businesses and non-profit organizations.

Kyle is also the Vice President of the Atlanta Windows Infrastructure and Virtualization User Group (WINVUG).You can find additional articles he's written on 4sysops.com.

26 Comments

  1. I have one question about this that I would like to address. Once the tab is removed does it also turn off/ remove the check from the “Check for Updates AutomaticallY”? From everything I have ready about this know one hass addressed wheter or not that check is removed or by simply killing the tab it also gets rid of the auto update feature. Can we say for sure that once the tab is removed it will not allow auto updates to run and check for updates?

    Thanks,
    Joey B

  2. Hi Joey… I fired up a VM and tested this out. Essentially, the answer is yes. Setting this registry key disables the automatic update check that Java performs; the Java Control Panel applet shows that by just removing the whole Update tab. This doesn’t stop someone from running jucheck.exe to manually check for updates, it just stops the check from running automatically.

  3. Does this work with all versions of Java? My company runs an older version and was wondering if they changed the location of these registry entries in newer versions of Java.

  4. I’ve been using this since Java 6 Update 15. If you can tell me which version you’re using, I’ll be glad to test it out in a lab VM and let you know if it works.

  5. We have 6/18 mostly but find alot of different versions. 6/33, 7/4. Thanks for offering to test.

  6. I’ve tested Java 6 Update 18, Update 33, and Java 7… all have the same outcome as the article. I was pretty sure they would, I just wanted to make sure before I said something that was incorrect. I’ve also updated the article to reflect the versions tested.

  7. Make sure that the option “Apply once and do not reapply” is disabled, this option is located at the Common tab when editing the registry GPO (take a look at the 4th and 6th images of this article).

    If this option is not cleared, when a new version of java is installed the registry key will go back to 1 and the GPO will not change it again.

    Great article, many thanks.

  8. Great advice, Luis! Thanks! By default, the “Apply once and do not reapply” shouldn’t be checked… I hope you didn’t have to learn this one from experience. :)

  9. Great job, clear instructions with detailed screen shots. Thanks for taking the time to do this.
    Regards

  10. Great Write up! Had my policy setup & tested in my lab in no time.

    Have one question does anybody know if it makes a difference if I only create 1 policy with both registry entries. We have 64-bit Java running on 64-bit Operating System & 32-bit Java on a 64-bit Operating System. I will in time clean it up, but want to push the policy while we upgrade PCs.

  11. Thanks for this, I’d just like to point out if your running 64bit windows and 32bit Java then the reg entries are in a slightly different location and will be found under
    hklmsoftwarewow6432nodejavasoft etc

  12. I’m still having problems with this… We set the GPO up, and applied it. When I look at the registry settings, the key is indeed set to 0. Except I’m still seeing the popups. (and no, it isn’t a 64 bit machine.) Any ideas? Is there another key somewhere that I’m missing?

    1. Without seeing the output of a gpresult, it is hard for me to tell. I would double-check your settings and make sure there isn’t something that is off. I’d also try setting the Registry entry manually on a machine to see if the setting takes. If it does, there may be an error in your policy. If it doesn’t, there may be something else going on with your systems.

  13. Quick question, Im currently setting up a GPO to disable the java updates, but in my registry there isn’t an entry for EnableJavaUpdate in HKEY_LOCAL_MACHINESOFTWAREJavaSoftJava UpdatePolicy

    (Java is definitely installed),

    There are entires for inHKEY_LOCAL_MACHINESOFTWAREJavaSoftJava UpdatePolicyJavaFx for Frequency, UpdateSchedule and UpdateScheduleMinutes

    Would changing these make any difference?

    Any advice be great thanks

  14. @John

    Was your Java installed as a different user? e.g. admin user? If so, the Update folder will be under their profile. I’ve just found this in my install.

    When running regedit as my admin account I found it in;

    HKEY_CURRENT_USERSoftwareJavaSoftJava Update

    1. Can you give me the system configuration that allowed you to install this inside a user’s account? (OS, Java version, user rights assigned to the user, status of UAC, etc.) I just tried to reproduce this behavior on a test system and couldn’t. My experience has always been that Java installs, by default, into Program Files or Program Files (x86) after a UAC prompt. Running the installer without Admin rights or UAC disabled usually results in nothing happening. If you can give me directions I can use to reproduce what you’re seeing, I’ll document it all and update these posts.

  15. Hi,

    Thanks for the info – i’ve applied this on several machines – XP and Win 7 and they all work…except for one model laptop (win 7) for some reason!

    The group policy that I have created dumps the dword value onto the machines and it is set correctly but the update tab in Java is still there. I have compared this to another model Win 7 laptop with the same version of Win 7 and the same version of Java (Ver 7 update 17) but it just won’t get rid of that tab. I’m logging on as the same user on each machine and the laptop is in the same OU as the other working laptop.

    I’ve looked at the logs and debug log for group policy but can’t see why. Any ideas?

    Cheers!

    1. Honestly, I’m at a loss. If it is applying the registry value to the correct location, then something with Java is causing it to ignore the setting. The biggest thing I’ve seen is using the wrong setting for the wrong bitness (32 vs 64 bit). The only other thing I can think of since you mentioned that it was one specific model would be if there is something unique to the Java installed on that model machine. If you’re using the OS image from the vendor, it could quite literally be anything. If you’re not, there may be something specific to how the software was deployed to the system or possibly something like a third-party tool causing a conflict.

  16. You are a champion! I uninstalled Java completely and installed the 64 bit version and now it is working. It must’ve been something funny with how it was originally installed. Thanks again!

  17. You made a mistake!!

    Action: Update
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SOFTWARE\JavaSoft\Java\UpdatePolicy
    Value name: EnableJavaUpdate
    Value type: REG_DWORD
    Value data: 00000000 (that’s 8 zero’s)

    Key path should be:SOFTWARE\JavaSoft\Java Update\Policy

    1. Me? A mistake? Nooooooo….. Seems to be right now… though I have no idea how the Revision counter for the article went up. :-”

      (Thanks for the head’s up!)

  18. Hi Kyle, I’m hoping you can help because I am still having probs with this. I disabled update in both places (software\javasoft and software\wow6432node\javasoft) and it is still trying to update. This is in Citrix 4.5 on 64 bit Windows 2003 server. The software update is going to the users Remote Desktop Profile location, as assigned in AD. Profile size is restricted and this is causing logon problems with Profile Space Exceeded messages. Can anyone let me know what else I can check to stop these Java updates?

    Thanks much,
    Mick in Princeton

Comments are closed.

© 2014 trekker.net