I can’t stress this enough: DO NOT PUT JAVA IN YOUR IMAGE! Let MDT do this at deploy time (it’s easier than you think).
As a colleague of mine, a senior security analyst, once said, “It’s considered best practice not to install Java unless absolutely necessary.” When I asked her why, she said, “Due to its vulnerabilities, it’s risky.”
Normally I’d brush this off as some special brand of IT paranoia, but she is somebody I highly respect in her field, so I asked her to elaborate today. She used this wonderful analogy: “It’s like putting a big, giant doggy door in your house, one so big a person could get through. If you don’t need it, don’t install it.”
Now, if you’re like me, you have end users who, at the end of the day, will still need Java for websites X, Y, and Z. I’m still not putting Java in my images: I want to make sure that if and when it gets installed, it’s the latest and greatest, and that I only install it IF they need it. This flexibility is what makes thin images so much more powerful and easier to maintain.
Let MDT push Java at deploy time, and only if you’re pretty sure your end user is going to need it and you’re confident your patch management system can patch Java regularly for you.
Step By Step: Configuring MDT to install the latest Java
This is pretty simple and involves three basic steps: downloading an offline installer of Java, extracting an MSI from the installer by installing it to a PC, and finally importing it into MDT. All you need to do is download the offline installer, find the MSI it leaves behind in your AppData folder, import that into MDT, and you’re ready to push Java at deploy time. The only thing that’s even remotely tricky is that the folder the MSI gets extracted to is hidden. Make sure “Show hidden files and folders” is enabled under Folder Options in Explorer, as Windows hides this folder from end users by default.
Note: The full command line syntax is: msiexec.exe /qb- /l*vx %LogPath%\Java.log REBOOT=ReallySuppress UILevel=67 ALLUSERS=2 /I filename.msi (replace filename with the name of the MSI)
So, next month when the latest version of Java comes out, just go in and either overwrite the existing files (easiest) or just throw the new updated files in there, and fix the command line to reference the new version.
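The steps above can be scripted so the monthly refresh is repeatable. This is an added example, not part of the original post: it finds the extracted MSI, refuses to import it unless its Authenticode signature validates, and imports it into MDT with the command line from the note above. The search root, the jre*.msi name pattern, the deployment share path, the DS001 drive name and the "fail on invalid signature" policy are all assumptions to adjust for your environment.

```powershell
# Added example. All paths and names below are assumptions, not values from the post.
$SearchRoot = Join-Path $env:USERPROFILE 'AppData\LocalLow'   # assumed parent of the hidden extraction folder
$MdtModule  = 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
$ShareRoot  = 'D:\DeploymentShare'                            # hypothetical deployment share

# 1. Find the newest MSI the offline installer left behind (-Force includes hidden items).
$msi = Get-ChildItem -Path $SearchRoot -Recurse -Force -Filter 'jre*.msi' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1
if (-not $msi) { throw "No jre*.msi found under $SearchRoot. Run the offline installer first." }

# 2. Refuse to import an MSI whose Authenticode signature is missing or invalid,
#    and record signer and hash so the imported file can be audited later.
$sig = Get-AuthenticodeSignature -FilePath $msi.FullName
if ($sig.Status -ne 'Valid') { throw "Signature check failed for $($msi.Name): $($sig.Status)" }
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
Write-Host "SHA256:    $((Get-FileHash -Path $msi.FullName -Algorithm SHA256).Hash)"

# 3. Build the install command from the post's note, using the real MSI file name.
$cmd = "msiexec.exe /qb- /l*vx %LogPath%\Java.log REBOOT=ReallySuppress UILevel=67 ALLUSERS=2 /I `"$($msi.Name)`""

# 4. Import the folder that holds the MSI as an MDT application.
$appName = "Java $($msi.BaseName)"
Import-Module $MdtModule
New-PSDrive -Name 'DS001' -PSProvider MDTProvider -Root $ShareRoot | Out-Null
Import-MDTApplication -Path 'DS001:\Applications' -Enable 'True' -Name $appName `
    -ShortName 'Java' -Version $msi.BaseName -Publisher 'Oracle' -Language '' `
    -CommandLine $cmd -WorkingDirectory ".\Applications\$appName" `
    -ApplicationSourcePath $msi.DirectoryName -DestinationFolder $appName -Verbose
```

Check the printed signer subject against the publisher you expect before enabling the application in a task sequence.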
Getting MDT to install the latest version of Java from an MSI is easy. It takes a little more work than just throwing it in your image, but in the long run it’s easier to maintain, you have the peace of mind that you’re only installing Java when needed, and it exponentially increases the flexibility of your imaging system.