• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 447
  • Last Modified:

SCCM 2007 Exclusions

Greetings & Felicitations,

I have a collection that gets pushed Java updates; however, there are systems within that collection I need to exclude.  I am having a difficult :o( time understanding the logic behind excluding these systems.  Can anyone assist in "excluding" systems from a collection and/or preventing them from getting specific updates, i.e., Java versions.

Thanks
0
Adelo
Asked:
Adelo
  • 2
  • 2
3 Solutions
 
Nagendra Pratap SinghDesktop Applications SpecialistCommented:
Create a collection with these special servers

then create another collection that excludes this collection and put it inside main java collection.

http://security.crudtastic.com/?p=144

It will look like this

JAVA
      nojava
      yesjava
0
 
AdeloSystems Administration/Vulnerability ManagementAuthor Commented:
Oh wow! I will have to modify a couple of statements I guess because these are workstations and I need to prevent Java from being updated.
0
 
Mike TLeading EngineerCommented:
Hi,

You need to prevent Java updating by creating an MST (and use the MSI from the original source). As above, the exclude query is as described. Test it well before unleashing as queries can get complicated quickly.

Mike
0
 
Nagendra Pratap SinghDesktop Applications SpecialistCommented:
For the servers, create a package with the following registry entry. Then create a regedit program to import it.


On Windows 2008 R2 Enterprise
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy
"EnableJavaUpdate"=dword:00000000

http://www.dabcc.com/posts.aspx?thread=221&forum=53

This will disable it.
0
 
Mike TLeading EngineerCommented:
Hi,

Just realised my post was not clear as I intended.

One of the best ways to stop Java from updating itself is to create a package with the settings to not update *before* you even deploy it. That way it's done and you don't have to worry.
Arguably, the best way to achieve that is use a custom package: the original MSI from Oracle and a transform aka MST file with your customisations.

If it's too late for some machine and they already have updating turned on then a registry tweak will work, but in my experience Oracle change the behaviour too often for a silver bullet approach. What stops updates on version 6 might do nothing at all on version 8.

Hence the need to create a package every release and test it.

If you don't create an MST, then Java likes to repair itself and put the registry keys back to auto-update! The exact solution depends on the version you have.
Our solution required an INI file and an MST in the past.

There is an alternative to packaging: create a GPO (here); but again it may be version specific.

Mike
ps: there's more than just one reg key in that post too, if you want to try that
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now