Disabling Java Automatic Updates on a Terminal Server and 64-bit Registry Redirection (Wow6432Node)
On a recently set up Windows Server 2008 R2 terminal server, Java was installed, and by default the JRE enables automatic updates for all users. None of the daily users have administrative privileges, but all of them are prompted to install updates. They cannot actually install the available updates, nor can they disable the update check via the Control Panel.
After checking the usual candidates for auto runs, I was a little stumped. I finally tracked it down using the Autoruns tool from Sysinternals. Since the operating system is 64-bit, many of the registry keys seemed absent under HKLM\Software.
A subkey at HKLM\Software\Wow6432Node contains the relevant settings for 32-bit applications, and the expected JavaSoft registry key is found there. This is similar to the automatic, system-controlled c:\Windows\SysWOW64 directory for 32-bit compatibility. This is known as 64-bit registry redirection.
To disable updates, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy\
The official fix, per Sun, would be to create a new DWORD value called EnableAutoUpdateCheck, and set it to 0. Unfortunately though, it didn’t work, perhaps because the update had already been checked for, and was in the queue just waiting to be installed.
Changing the EnableJavaUpdate value to 0 worked without needing to install updates, and stopped non-admin users from being prompted to install updates.
An alternative method would be to stop the update utility from running by deleting the SunJavaUpdateSched value under the key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
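The same check can be scripted so that neither registry view is missed. The PowerShell below is an added example, not part of the original post: the function names Get-JavaUpdateState and Disable-JavaUpdate are made up for illustration, and it assumes an elevated 64-bit session and only the key and value names mentioned in this post and its comments.

```powershell
# Added example, not from the original post. Run elevated from a 64-bit
# PowerShell session: a 32-bit process is redirected and sees only the
# Wow6432Node view. Written to work on PowerShell 2.0 (Server 2008 R2).
$views = @{
    '64-bit' = 'HKLM:\SOFTWARE'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node'
}

# Report the update policy values and the autorun entry in each view.
function Get-JavaUpdateState {
    foreach ($v in $views.GetEnumerator()) {
        $policy = Join-Path $v.Value 'JavaSoft\Java Update\Policy'
        $run    = Join-Path $v.Value 'Microsoft\Windows\CurrentVersion\Run'
        # Missing keys or values yield $null instead of an error.
        $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
        $r = Get-ItemProperty -Path $run -Name 'SunJavaUpdateSched' -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            View                  = $v.Key
            JavaInstalled         = (Test-Path (Join-Path $v.Value 'JavaSoft'))
            EnableJavaUpdate      = $p.EnableJavaUpdate
            EnableAutoUpdateCheck = $p.EnableAutoUpdateCheck
            RunEntry              = $r.SunJavaUpdateSched
        }
    }
}

# Set both policy values to 0 in every view that has a JavaSoft key.
function Disable-JavaUpdate {
    foreach ($v in $views.GetEnumerator()) {
        # Skip views with no JRE of that bitness, so no stray keys are created.
        if (-not (Test-Path (Join-Path $v.Value 'JavaSoft'))) { continue }
        $policy = Join-Path $v.Value 'JavaSoft\Java Update\Policy'
        if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
        foreach ($name in 'EnableJavaUpdate', 'EnableAutoUpdateCheck') {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $policy -Name $name -Value 0 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-JavaUpdateState |
    Format-Table View, JavaInstalled, EnableJavaUpdate, EnableAutoUpdateCheck, RunEntry -AutoSize
# Disable-JavaUpdate    # uncomment to apply, then re-run the report above
```

The report also shows whether the SunJavaUpdateSched autorun value is still present in each view; the script leaves that value in place.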



9 comment(s)
Comments
Thanks for sharing this tip.
Thanks for sharing this tip. I'm on a 64-bit Windows 7 workstation and found out there are 2 Registry places, one for 32-bit that you mentioned and the other 64-bit.
I struggled to disable both 32/64 bit Java from updating until I saw this blog
Cheers!
Your tip worked great
I agree with you Kevin, the solution helped me as well. It had been evading me for a while.
Thanks.
Took me a while too
Hello,
thanks for sharing that they made two key entries, 32 and 64bit.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy]
"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]
"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000

Helped me a lot.
Hey man, really thank
Hey man, really thank you...good job
Thanks! I used it the opposite ...
Hi, I was actually wanting to enable Java update. It seems whenever both the 32 bit and 64 bit versions are installed, the options to turn on and schedule Java update checks disappear from the Java control panel. So I added the missing Registry entries, setting all to 1 instead of 0, so that now it will do the checks (originally, only Wow6432 EnableJava Update was present). Greatly appreciated! Chuck
This is an excellent post. 2
This is an excellent post. 2 people in our IT department have been working on this for 3 days. This needs to pop up at the top of Google search, if it had we would have fixed this in 5 minutes or less. Thanks!!
2 people and 3 days and still
2 people and 3 days and still not able to find it out... Enough said.
Registry RUN keys
After installing anything now on my terminal servers I check the 32 & 64 bit run keys in both the machine and user hives. If I find anything in there I don't want I add group policy preferences to delete them. That way I don't have to remember in future if I commission a new server or an update puts the reg values back.
Per Oracle
Actually I have been down this road before and you can control Java in the enterprise via a single configuration file.
See Oracle page: http://download.oracle.com/javase/1.5.0/docs/guide/deployment/deployment...
Good news is recently I have seen third parties like Adobe actually offer automated updates via Microsoft in System Center Essentials patch management. I would suppose this is available in SCCM as well, but I don't use it.
Now we just need to push for better standards so that the GPO option is a requirement for apps such as Java, Acrobat Reader, Flash, etc... Perhaps a certified for Microsoft Active Directory Management logo or something along those lines.
Btw, if you think Java's silly flat file is a pain, try Firefox's PKI management.... UGGG, that's painful