In my current environment users don’t have admin access so when they get the annoying prompt for Java updates that occur 2-3 times a week we get lots of emails about them needing it updated.
For as much as I would like to eliminate the install base of Java it’s sum what of a necessary evil because lots of applications still rely on it. Because of this most domain PC’s may have this installed and because of Java’s default programming it will prompt the user that an update is available and ultimately fail if the user does not have admin rights. This update will also fail if the user has a domain user account but has local admin rights to elevate themselves. So how do you get around this you ask? You could install SCCM 2012 and deploy the updates using the 3rd party configuration.
If you are going to use this please be aware that its not intended for you just hide the update notifications and ignore the updates. We all know all the vulnerabilities java has and the importance to update it.
Open up your GPO editor and you will need to create a new GPO. Name it accordingly then:
Click on Computer Configuration > Preferences > Windows Settings > Right click on Registry > Choose New > Registry Item
These are the settings you will need to complete. I would use a Windows 64 bit computer with 32 bit version of java and admin tools to access GPO editor installed to make this easier:
Key Path: SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000
Again if you have a Windows 64 bit computer with 32 bit version of java and admin tools to access GPO you can browse the key path on your local PC to make sure its accurate.
Once completed your new key should look like this:
Now you can apply it to some test PC’s and perform a gpupdate to test. If all is good deploy to the masses.