Java8.msi
- Start offline installer
- Copy MSI-file from %LOCALAPPDATA%Low\Sun\Java
- Extract repair.mst and settings.cfg to same directory
- msiexec /i jre1.8.0_51.msi TRANSFORMS=java8-repair.mst
See also: java7.msi
Oracle does not directly offer an MSI-file for download (except for customers who pay for a support contract). However the EXE installer is internally based on an MSI file, so it is available.
The MSI-file cannot simply be extracted from the setup program with an archiving tool like 7zip, but you can get it with a trick, see below.
Download the offline installer
Use the offline installer, not the normal installer. This has the added benefit that it doesn't include the Ask-toolbar.
The easiest method is to use these list of direct download links.
If that page does not yet list the latest version, go to java.com, but ignore the big download buttons. Instead click in the header on download, and on the next page on 'all java downloads'. The english version of that page is here, the german one here.
Extract the MSI-file
Run the downloaded installer, and wait until it displays the first dialog. Only answer questions from Windows when it wants confirmation to run the installer, but don't click on any button that the installer shows. Instead look into this directory
- %LOCALAPPDATA%Low\Sun\Java (Windows 7)
- %APPDATA%\Sun\Java (Windows-XP)
Here you find a directory with the version number of the Java installer that you have started, and inside this the MSI-file. Copy that to somewhere else, then abort the installer program.
Fix some errors
Starting with version 8 Oracle decided they want to earn money from people who just use the runtime library. They must be the only company on this planet with such an idea. I hope that everybody puts enormous pressure on all developers of web apps to rewrite them such that they do not need Java any more.
Note that Oracle warns that you should not use the following method. They cannot guarantee that Java will work correctly if installed like this, and they may change the install method in future versions to make this method fail.
They damaged the MSI-file, and made it depend on a settings file. This can be fixed by supplying that settings file (if can even be empty), and repairing the MSI-file.
Settings file
The settings file must only be there, even if it is empty. However I recommand that it contains these lines:
INSTALL_SILENT=Enable
AUTO_UPDATE=Disable
WEB_ANALYTICS=Disable
REBOOT=Disable
SPONSORS=Disable
The file must be named java.settings.cfg and must be located in subdirectory CommonAppData\Oracle\Java, relative to the MSI-file.
Alternatively it can be placed on the destination machines in %allusersprofile%\Oracle\Java\java.settings.cfg. However when I tried to place this file in that directory using the same GPO as for deployment, the install did not work. Apparently the GPO does first the install, and then the file placement.
MSI modifications
Either download my MST file, or edit the MSI-file, for example with Orca, to apply all these modifications:
In Table "CustomAction", row "installexe" add 2048 to the value in the column "Type":
If the old value is 1026, change it to 3074 (Java versions before 8.40).
If the old value is 1042, change it to 3090 (Java versions 8.40, 8.45 and 8.51).
In table "InstallExecuteSequence" row "SetSilentInstall":
change "Condition" from "UILevel=2" to "UILevel<=3"
In table "File" add a row with these values:
| File | java.settings.cfg |
| Component_ | emptycfgComponent |
| FileName | java~1.cfg|java.settings.cfg |
| FileSize | 0 |
| Version | |
| Language | |
| Attributes | 8192 |
| Sequence | 1 |
In table "Component" add this row:
| Component | ComponentID | Directory | Attributes | Condition | KeyPath |
|---|---|---|---|---|---|
| emptycfgComponent | JavaDir | 0 |
In table "Directory" add these rows:
| Directory | Directory_Parent | DefaultDir |
|---|---|---|
| OracleDir | CommonAppDataFolder | Oracle |
| JavaDir | OracleDir | Java |
In table "FeatureComponents" add this row:
| Feature_ | Component_ |
|---|---|
| jrecore | emptycfgComponent |
In table "Media" add this row:
| DiskId | LastSequence | DiskPrompt | Cabined | VolumeLabel | Source |
|---|---|---|---|---|---|
| 2 | 1 |
Configure
The properties ALLUSERS is already set to 1, ARPNOMODIFY is set to "yes", should be 1.
ARPNOREPAIR is also set to 1. This is unfortunate, but one should probably not change it.
But you should change these properties:
- set ARPNOREMOVE to 1. This disables uninstall in 'Add/Remove Programs'.
- change AUTOUPDATECHECK from 1 to 0. This disables update check during installation.
- change JAVAUPDATE from 1 to 0. This disables automatic updates.
- Add property JU, set it to 0. Don't allow users to re-enable updater (is this documented anywhere?).
Other guides also recommend these properties:
| Property | Value |
|---|---|
| AUTO_UPDATE | 0 |
| EULA | 0 |
| SPONSORS | 0 |
| WEB_ANALYTICS | 0 |
For more info see Java Deployment Guide.
Change Security Settings (optional)
The browser plugin of Java version 1.7.51 (January 2014) and later will only run applets, which are signed with a digital certificate. This can be changed by creating a Deployment Rule Set, a whitelist ("Exception List"), or by changing the security level from high to medium. More details here.
Maintaining a whitelist is more work, but provides much higher security, and should thus be preferred. The security level can be set by individual users in the Java Control Panel, and can be deployed to all users with the install option WEB_JAVA_SECURITY_LEVEL=M. This option can either be specified on the command line, or as entry in the properties table of the msi-file (name "WEB_JAVA_SECURITY_LEVEL", value "M"). For maximum security set it to "H".
Disable Browser-Plugin (optional)
For security reasons many people recommend to not use Java any more at all, or only when absolutely necessary. If you need Java only to run local apps, then you should disable the web browser plugin. This prevents that security vulnerabilities can be exploited by planting malware on web pages.
prevent installation of browser-plugin
Starting with Java version 1.7.10, the installation of the plugin can be disabled by specifying WEB_JAVA=0 either as command line argument for the installer (found in this technote), or as property in the MSI-file. Oracle does not tell that this also works as property in the MSI-file, thanks Miles for this great find and for telling me.
If you ever want to switch back to a version with plugins, it is not enough to just uninstall the MSI with WEB_JAVA=0, and then install one without this property. Instead you must either install one with WEB_JAVA=1, or remove the registry key HKLM\SOFTWARE\Oracle\JavaDeploy that remains in the registry after the uninstall, especially the values WebDeployJava and deployment.webjava.enabled inside this key.
prevent use of browser-plugin by Firefox
Firefox can find the Java plugin with two methods, both must be disabled:
- Set the preference plugin.scan.sunJRE in Firefox to a number higher than the current versison number, for example 9.9 (Java 7.11 has version number 1.7.11, so 9 is a lot higher).
- Remove the registry keys HKLM\SOFTWARE\MozillaPlugins\@java.com*
Tips
Remove Old Versions
You should check all computers for old versions, because in the past the installers for Java did not automatically remove them. Oracle warns that leaving them on the computer 'presents a serious security risk'. The Washington Post explains that this is because a 'web site set up by a bad guy could be made to pick and choose which version of Java should be used.'
Release Schedule
Oracle releases regular updates on the Tuesday that is closest to the 17th day of January, April, July and October. This can be on the same day as the patchday from Microsoft, but it can also be a week later. The next dates can be found on www.oracle.com/technetwork/topics/security/alerts-086861.html.
tested with version 1.8.51 (32bit).