I’d like to blast Java off my network, however there are many sites and applications that depend on the quirky, unreliable programming framework. I’ve tried both Java 7 and Java 7 Update 1, neither of which appears to have the polish I’d like on them.

My biggest problem is the auto-updating feature. I have 500 public PC’s that run on limited user accounts, and when either version of Java 7 is installed, the users receive an administrative elevation prompt when the system logs on. It creates confusion and just isn’t detail conscious.

My second issue is that everyone wants their site to work on my PC’s. An example is the blackboard education site for Kent State. Up until a few weeks ago, it would not function with IE9, and it needed Java 6. Without these two conditions met, the site would freeze IE. I try to be security conscious and on the cutting edge, to protect the security of my network and the privacy of my users. However many sites, especially government sites, rely on antiquated versions of software. FAFSA filing is a good example. They still require IE8 even though IE9 has been out for more than a year. I have neither the manpower, nor the time to make my computers compatible with every site on the internet.

Uninstalling Java 7

Java is one of those programs that, instead of upgrading in-place, it installs a new copy of itself when you update. So you could literally have 5 revisions of java installed on your machine. If I want to have a specific version of java installed, I’d have to uninstall all previous versions and reinstall the one that I want.

Luckily for us, there’s an easy way to do this, using the registry and the program Msiexec. First, we’ll have to dive into the registry. Open the registry using the Regedit command. Navigate to the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall key. You’ll notice a bunch of program ID’s listed under this key. You’re looking for keys that start with “{26A24AE4”. All the entries for Java will start with these numbers.

We can use Msiexec.exe to uninstall all of these versions of java using the command “msiexec /x {Program ID} /qn /norestart”. We’ll start building a batch file, including a similar line for each version of java listed under the uninstall key. We’ll also include the “start /wait” at the beginning of the line to signal that we want the command to complete before running the next one.

Next, we’re going to want to run the installer for the version of java we actually want on the machine; in this case, Java 6 Update 29. We’re going to include the “/s /qn” switches for silent install. We’re also going to use the special parameters “ADDLOCAL=All IEXPLORER=1 ALLUSERS=1 JAVAUPDATE=0 AUTOUPDATECHECK=0 SYSTRAY=0 WEBSTARTICON=0”. We’re installing in IE for all users. We’re disabling auto-update, and we don’t want the web icon to show when running java stuff.

The final step, is to make sure that the auto-updater is not started when you log on. Go back to your Regedit and navigate up a little bit to the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run. If the auto-updater is installed, you’ll see a value listed under this key called “SunJavaUpdateSched”. We want to remove this key. We can do this by adding a “Reg Delete” command to our batch file. The full command is “start /B reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v SunJavaUpdateSched /f”.

I’ll add in a parameter to the batch file to handle 32-bit or 64-bit and my final batch file looks a little like this:

When you run the batch file, it uninstalls previous versions of java, reinstalls the desired version, and then disables all form of auto-updates.

I recently walked into the local Best Buy to purchase a serial cable. I found all sorts of overpriced HDMI, USB, and VGA cables; but there’s no serial cable to be found. It reminds me of just how much shopping for IT equipment has changed.

When I was growing up, I remember hitting the local CompUSA with my dad; that was my primary store for computer buying. They had a wide array of add-on cards, cases, processors, memory, and everything else that you’d want.

CompUSA is gone, Radio Shack, or “The Shack” as it’s called now is basically a cellphone store. Best Buy has barely sells any computers; it’s all cellphones, tablets, and TV’s. They have one or two desktops, a few laptops, but mostly mobile devices.

The best place I’ve found to buy computer components is Microcenter; unfortunately, the closest one is about an hour north. I was amazed with the shelves of raw hard drives and the stacks of motherboards and cases. It’s the closest that I’ve seen in person to Newegg.

My Dad gave me my start with computers. When I was a kid, he bought us a 386SX (my first actual computer was a Commodore 64). I’m sure it cost him a little bit, but I think that he knew that computers would be big in the future, he was right. He helped me upgrade the system over time. We added a new CD-ROM, sound card, video card, RAM, hard drive. I learned how to install and configure these, back in the day before plug and play. It was a huge foundation for what I do today, arguably more important than even what I learned in college. I’m thankful to my Dad for exposing me to computers when I was little. In a sense, it helped decide what I would do for a living. I couldn’t really be an engineer like him (I’m not made for that), but my Dad still had a big influence on the career that I eventually chose.

Updating Your Windows Servers

Keeping your servers and clients updated is one of the hardest tasks for an Information Technology Pro. There are two ways of going about this .You can manually run windows update, which becomes a tedious and regimented process, or you can set up some mechanism to automatically update your systems. The problem with this second approach is that automation inherently fails. Many people set up an automated process, and then never check back up on it until it’s too late and something has happened, or their servers are so out of date that they get compromised.

Make no mistake, whichever option you choose, it’s your responsibility as an Information Technology Pro to check up on your process and make sure that your systems are getting updated.

Slow and Steady Wins the Race

I worked for a company a few years back that was a little backward. I eventually left because their options of IT were not in-line with mine. In many ways, their IT desires were very backward and status quo. I like to be on the cutting edge, evaluating new products.

I was told at this company that “IT should be seen and not heard. If I see you or hear you, you’re not doing your job.” Likewise, any attempt to reform their backwards IT practices was rebuffed. They kept a sheet in the office that had every employee’s login and password on it. The sheet was stapled to the wall. Seriously, this is not the way to do things.

They were very big on me manually doing everything. A problem that I had with them was that they wanted me to start every morning, before the regular employees started, and laboriously run individualized updates on each computer. This was really a lot of extra time that required me to be in way early and something that I could easily make obsolete with a little modern technology.

Mechanisms to Auto-update

That’s one way of doing things. Manually updating works, I won’t dispute that. But the problem happens when you go from a network with 5 computers, to a network with 1,000 computers. You can’t manually update a network that large, or maybe your network includes multiple locations. With a limited IT staff (nobody with that many locations is going to have dedicated IT staff for each one), you physically can’t maintain this update cycle.

Microsoft has implemented two ways of automatically updating computers. The first is, you can set the operating system itself to automatically run updates. However, this bypasses a network administrator’s power to vet updates for any problems they may cause.

This brings us to Windows Server Update Services (WSUS) and by extension System Center Configuration Manager (SCCM); which uses WSUS on the back-end.

WSUS provides a mechanism to approve updates and then uses Group Policy Objects, or the SCCM Client to control the specifics of update deployment. Using these software tools, you can approve updates, track deployments, and manage compliance from behind the scenes. For a large network, this is great. WSUS is freely available to anyone who’s already running Windows Server (so any business can implement it) and larger companies will be able to utilize it through SCCM.

Troubleshooting SCCM Update Deployment

No automatic update process is failure proof. As I’ve stated, it’s your responsibility to your organization to monitor and track how your update process is functioning. I noticed recently, while checking server logs, that part of my update process had failed. The SCCM Status was saying that the WSUS Configuration component was in a failure state. To fix this, I had to reinstall WSUS and the Software Update Point feature of SCCM. This time, instead of directing WSUS traffic through the default port 80\443, I decided to direct it through the alternate default ports recommended for SCCM by Microsoft, which are 8530 and 8531. I noticed that after doing this, my servers were still not installing updates as published.

The Joy of SCCM Logs

Configuration Manager maintains client-side logging of its operations. By default, SCCM logs are contained in the directory C:\Windows\System32\CCM\Logs or C:\Windows\SysWow64\CCM\Logs (depending on your OS type). The log WUHandler.log is the log file for how SCCM links in to Windows Update. When looking at this log, I noticed that the log indicated that Windows Update traffic had been stalled for a while. At the time, the log file was about a month behind.

My first thought was to go in and repair the Configuration Manger client. You can initiate a repair by selecting the Computer Management icon in your control panel, and then selecting the repair option from the Components tab. This resynchronizes the Configuration Manager client with your server.

I investigated the WUHAndler log a little more, and I kept seeing this line “Group policy settings were overwritten by a higher authority (Domain Controller) to: Server and Policy NOT CONFIGURED”. Following this, the Windows Update handler would try to change the WSUS port from port 8530 back to port 80. This mystified me because there’s no GPO in place setting this, and SCCM should be statically setting the server address and port. This error indicates that some setting within a GPO was affecting my update settings.

I searched and searched and could not find a currently applied GPO with this option enabled however there were a few old objects with WSUS settings. I’m pretty much a Group Policy expert. What I ended up doing was adding a new GPO that adds settings for Windows Updates and points to the correct port, when I did this, the log file updated to show that the windows update server was already set to 8530 and did not need to be changed. Following this, my windows updates FINALLY started flowing again.

Conclusion

This was a really long explanation to tell you the proper way of updating your network, and to highlight that just because you’ve created an automatic deployment system, you need to be careful of the details and monitor your system to make sure that it functions as intended.

Information Technology is more than just hardware and software. It’s about problem solving. Our co-workers come to us with problems, and it’s our job to find a solution to those problems using our skills and abilities. A consciousness for details and good problem solving skills are an essential addition to a good Information Technology professional’s toolbox.

Forget Patent-gate and forget Moogle (Google-Morotola); the latest bit of Technews is that Venerable PC titan HP is ditching both the mobile front with WebOS as well as the consumer PC biz. They’re trying to pull an IBM\Lenovo and spin off their Personal Computer Group.

People who know the history about their current CEO, Leo Apotheker, probably saw the writing on the wall. He’s a software guy, coming from big software and service companies. It’s obvious that the people running HP at the time were looking to transform the company from a hardware giant, into more of a software role. Software brings with it much larger profit margins than hardware.

WebOS

We all know that there are two major mobile OS suppliers; Apple and Google. Microsoft is trying their best to break in after the dismal failure that was Kin (which itself bares a lot of resemblance to how HP is handling the death of WebOS). RIM tried their hand with the playbook and now HP has marked WebOS for death after such a little time in the market. I was shocked to hear this myself.

It seemed like HP really wanted to be a big player in the mobile market when they purchased Palm, who has a big history with mobile devices. Palm used to be the number one name in Personal Digital Assistants (PDA’s, remember those :snicker: ). It was almost a status symbol a decade ago when you had a company Palm. They were a big name, and then HP bought Compaq, maker of the iPaq and Palm, and it seemed like they were really in a position to compete with Apple and Google. The Palm Pre has an awesome OS. Imagine what they could do with a tablet, right.

We’ve seen a lot of big commercials; full of celebrity endorsements. It seems like HP had to chop the price out of the gate $499 to $399, but let’s face it, it was overpriced to begin with. It doesn’t feel like the WebOS devices have been on the shelf long enough to determine success of failure. Our HP sales guys were just here last week pushing this stuff, and now we hear its being pulled. I’m really disappointed.

Hardware is so Yesterday

It seems like all the big American companies are trying to divest of the hardware, because hardware doesn’t make money, not as much as software. HP is trying to transform themselves into a software and service company instead of a consumer hardware vendor. Their actions echo the same thing that happened between IBM and Lenovo.

HP’s move out of mobile is one thing, but they’re also trying to make a move out of the traditional consumer PC business that helped to build their company into what it is today. I think the reality is, they’re trying to shift money out of what’s a dying platform. Yes, I said it, PC is a dying platform. Within the next decade or so, much of the traditional PC market is going to be replaced by mobile devices. The traditional desktop computer is going to turn more into a transforming tablet dock.

I think that getting out of the business now is a great idea. The market is flooded with PC’s, they’re not going to make any money in a flooded, stagnant market. The growth seems to be in software as a service (SaaS). The people in charge of HP seem to be restructuring the company to where it will gain the best revenue.

Required Reading

The News Direct From HP - http://torbin.me/6A8A24D66FF96
Discontinues WebOS (via Arstechnica) - http://torbin.me/D74DD1AD6B884
HP Focuses on SaaS (via Arstechnica) - http://torbin.me/CC9F08BC5FADE

Oracle release Version 7 of Java at the beginning of the week. This is the first full version of Java released since the Oracle takeover. It seems like every time they release a new version, they’re change the method you have to use to shut off the auto-update function. I end up having to re-craft my deployment scripts to eliminate it.

Installing Java

I work for a large public library. We have about 1,000 machines in 18 locations, roughly split 50%\50% between public-use and staff. Both public and staff machines have some level of lockdown which restricts configuration changes and application installation.

My problem is that the Java updater, and other update features, such as Adobe Flash and Reader often require administrative privileges to install. Since neither my public nor staff machines are running with administrators logged on, it results in a UAC or permission pop up within Windows; asking for administrative permission to install the update.

I keep my applications up-to-date myself using Microsoft System Center Configuration Manager. I don’t want my users to see update advertisements; and I definitely don’t want them to be confused by update prompts asking for administrative permission every time the computer starts up in the morning. It’s an annoyance and it’s confusing.

Installation Script

When I deploy applications, like Java and Flash, I usually use an installation script. Many of these programs have installation switches or arguments that disable certain features of the installer, like the updater service. If they don’t, the next step is to isolate the registry settings which control these options. For instance, within Java, there’s a tab that controls update checking and allows you to disable updates all together. When you click this box, it changes a registry key and the tab disappears from Java. When you create your installation script, you can code the script to add this registry key once the Java install completes.

My Java install script looks like this:

First, the script takes an argument which represents if the script should install 32-bit or 64-bit java. I would call the script by “install.bat 32” or “install.bat 64”. There are some differences in the way it handles the registry, as well as a different physical installer. This particular script loads Java for all profiles, and it disables the auto-update and system tray icons (don’t want the user to see those unneeded icons). I also add those registry keys that I talked about earlier; just to make sure we have auto-update disabled.

Install Hassel

Despite my attempts to shut off the auto-updater using the tactics above, which worked fine in Java 6 Update 26, after running the installer, the auto-updater still appeared to be present. We received a few calls from locations running Windows 7. It seemed that every time they opened a new browser window, it was asking for administrative permission to run ssvagent.exe by Oracle. Research indicates that this is the Internet Explorer plug-in.

Since my other efforts were not working, my next idea was to disable the offending Internet Explorer add-on through group policy. By looking in the Internet Explorer Add-ons manager, I found that the Class ID for the Java 7 plug-in is {DBC80044-A445-435B-BC74-9C25C1C588A9}. Within group policy manager, you can open a new or current policy and navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on-Management, and then the policy item “Add-on List”. Here, you’ll be asked for two things; the CLSID (Class ID) which can be found in the Add-on Manager in IE, and a Value. A 0 indicates that we want to disable the add-on and not allow the user to change that. A value of 1 indicates that the add-on should be enabled and the user can’t change that; while a value of 2 indicates that the user can’t manage it. We want a 0. Entering the CLSID and 0 will disable the add-on for the users that the GPO is applied to.

So far, this has solved my problem. I’m a little annoyed that I had to go through this trouble to disable it; this should be easier.