Configuration Manager 2012 Compliance Baseline to Disable Java Automatic Updates

Posted: August 12, 2014 in System Center Configuration Manager 2012

In this post I’m not going to explain how to create a Compliance Item and Baseline; for that you can review this post: Configuration Manager 2012 Compliance Baseline to Disable Adobe Air Automatic Updates.

Below you will find scripts for Discovery and Remediation of Java automatic updates.

<#
  This script will check whether automatic updates are disabled and return a Compliant/Non-Compliant string.

  Created:     04.08.2014
  Version:     1.0
  Author:      Odd-Magne Kristoffersen
  Homepage:    https://sccmguru.wordpress.com/
    
  References:

#>

# Read the OS architecture to decide which registry path to check.
$OSArchitecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture

If($OSArchitecture.OSArchitecture -ne "32-bit")
    {
    # Not a 32-bit OS: check the Wow6432Node (32-bit) view of the registry.
    $UpdateCheck = Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy' -Name EnableAutoUpdateCheck, EnableJavaUpdate, NotifyDownload, NotifyInstall
        # Compliant only when all four policy values are 0.
        if (($UpdateCheck.EnableAutoUpdateCheck -eq 0) -and ($UpdateCheck.EnableJavaUpdate -eq 0) -and ($UpdateCheck.NotifyDownload -eq 0) -and ($UpdateCheck.NotifyInstall -eq 0))
        {Write-Host 'Compliant'}
        else
        {Write-Host 'Non-Compliant'}
    }
else
    {
    # 32-bit OS: check the native path.
    $UpdateCheck = Get-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' -Name EnableAutoUpdateCheck, EnableJavaUpdate, NotifyDownload, NotifyInstall
        if (($UpdateCheck.EnableAutoUpdateCheck -eq 0) -and ($UpdateCheck.EnableJavaUpdate -eq 0) -and ($UpdateCheck.NotifyDownload -eq 0) -and ($UpdateCheck.NotifyInstall -eq 0))
        {Write-Host 'Compliant'}
        else
        {Write-Host 'Non-Compliant'}
    }

<#
  This script will disable automatic updates if it is enabled.

  Created:     04.08.2014
  Version:     1.0
  Author:      Odd-Magne Kristoffersen
  Homepage:    https://sccmguru.wordpress.com/
    
  References:

#>

$OSArchitecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture

If($OSArchitecture.OSArchitecture -ne "32-bit")
    {
    Set-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy' -Name EnableAutoUpdateCheck -Value 0 -Force
    Set-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy' -Name EnableJavaUpdate -Value 0 -Force
    Set-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy' -Name NotifyDownload -Value 0 -Force
    Set-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy' -Name NotifyInstall -Value 0 -Force
    }
else
    {
    Set-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' -Name EnableAutoUpdateCheck -Value 0 -Force
    Set-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' -Name EnableJavaUpdate -Value 0 -Force
    Set-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' -Name NotifyDownload -Value 0 -Force
    Set-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' -Name NotifyInstall -Value 0 -Force
    }

You can also download the scripts here: Compliance Settings Scripts

Comments
  1. Nick says:

    The detection script was failing if the registry item didn’t exist for whatever reason, so I added a check to see if the registry item didn’t exist at all and report as non-compliant so that the remediation script will still run versus showing an error state in sccm. A person could just as easily detect if any errors were thrown at the end and report non-compliant as well, but I went the first route so as to only override the non-existent state.

    The script I’m using is:

    $OSArchitecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture

    If($OSArchitecture.OSArchitecture -ne "32-bit")
    {
    If(Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy')
    {
    $UpdateCheck = Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy' -Name EnableAutoUpdateCheck, EnableJavaUpdate, NotifyDownload, NotifyInstall
    if (($UpdateCheck.EnableAutoUpdateCheck -eq 0) -and ($UpdateCheck.EnableJavaUpdate -eq 0) -and ($UpdateCheck.NotifyDownload -eq 0) -and ($UpdateCheck.NotifyInstall -eq 0))
    {Write-Host 'Compliant'}
    else
    {Write-Host 'Non-Compliant'}
    }
    }
    else
    {Write-Host 'Non-Compliant'}
    else
    {
    If(Test-Path 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy')
    {
    $UpdateCheck = Get-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' -Name EnableAutoUpdateCheck, EnableJavaUpdate, NotifyDownload, NotifyInstall
    if (($UpdateCheck.EnableAutoUpdateCheck -eq 0) -and ($UpdateCheck.EnableJavaUpdate -eq 0) -and ($UpdateCheck.NotifyDownload -eq 0) -and ($UpdateCheck.NotifyInstall -eq 0))
    {Write-Host 'Compliant'}
    else
    {Write-Host 'Non-Compliant'}
    }
    }
    else
    {Write-Host 'Non-Compliant'}

    • Nick says:

      I screwed up and posted a version with bad brackets. This is the working version:

      $OSArchitecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture

      If($OSArchitecture.OSArchitecture -ne "32-bit")
      {
          If(Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy')
          {
              $UpdateCheck = Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy' -Name EnableAutoUpdateCheck, EnableJavaUpdate, NotifyDownload, NotifyInstall
              if (($UpdateCheck.EnableAutoUpdateCheck -eq 0) -and ($UpdateCheck.EnableJavaUpdate -eq 0) -and ($UpdateCheck.NotifyDownload -eq 0) -and ($UpdateCheck.NotifyInstall -eq 0))
              {Write-Host 'Compliant'}
              else
              {Write-Host 'Non-Compliant'}
          }
          else
          {Write-Host 'Non-Compliant'}
      }
      else
      {
          If(Test-Path 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy')
          {
              $UpdateCheck = Get-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' -Name EnableAutoUpdateCheck, EnableJavaUpdate, NotifyDownload, NotifyInstall
              if (($UpdateCheck.EnableAutoUpdateCheck -eq 0) -and ($UpdateCheck.EnableJavaUpdate -eq 0) -and ($UpdateCheck.NotifyDownload -eq 0) -and ($UpdateCheck.NotifyInstall -eq 0))
              {Write-Host 'Compliant'}
              else
              {Write-Host 'Non-Compliant'}
          }
          else
          {Write-Host 'Non-Compliant'}
      }

  2. Trevor Jones says:

    The registry keys for Java need to be REG_DWORD and you need to specify that in the remediation script, otherwise it will create REG_SZ.

    eg:

    Set-ItemProperty 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' -Name EnableAutoUpdateCheck -Type DWORD -Value 0 -Force
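
Added example (not from the original post or its commenters): a discovery check and a remediation routine that fold in the two points raised in the comments above, a missing Policy key and explicit REG_DWORD values. The function names and the `$PolicyValues` variable are assumptions made for this example; the registry paths and value names are the ones used in the post.

```powershell
# Added example: function and variable names are assumptions, not from the post.
$PolicyValues = 'EnableAutoUpdateCheck', 'EnableJavaUpdate', 'NotifyDownload', 'NotifyInstall'

function Get-JavaUpdatePolicyPath {
    # Same architecture switch as the post: Wow6432Node on non-32-bit Windows.
    $arch = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture
    if ($arch -ne '32-bit') { 'HKLM:\SOFTWARE\Wow6432Node\Javasoft\Java Update\Policy' }
    else                    { 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy' }
}

function Test-JavaUpdateDisabled {
    param([string]$Path = (Get-JavaUpdatePolicyPath))
    # A missing key is a non-compliant state, not a script error.
    if (-not (Test-Path -Path $Path)) { return $false }
    $key = Get-Item -Path $Path
    foreach ($name in $PolicyValues) {
        $value = $key.GetValue($name)          # $null when the value is absent
        if ($null -eq $value) { return $false }
        # Require a REG_DWORD of 0; a REG_SZ "0" does not count.
        if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return $false }
        if ($value -ne 0) { return $false }
    }
    return $true
}

function Set-JavaUpdateDisabled {
    param([string]$Path = (Get-JavaUpdatePolicyPath))
    # Create the Policy key (and any missing parents) before writing values.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $PolicyValues) {
        Set-ItemProperty -Path $Path -Name $name -Type DWord -Value 0 -Force
    }
}

# Discovery script body:
if (Test-JavaUpdateDisabled) { Write-Host 'Compliant' } else { Write-Host 'Non-Compliant' }

# Remediation script body (use in the remediation script instead of the line above):
# Set-JavaUpdateDisabled
```

In Configuration Manager the discovery and remediation scripts are separate, so each one carries the helper functions it calls.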
