tl;dr (summary) for version 8.51:
See also: java7.msi
Tested with version 8.51. For 8.65 see comment at the end.
Oracle does not directly offer an MSI-file for download. However the EXE installer is internally based on an MSI file, so it is available.
The MSI-file cannot simply be extracted from the setup program with an archiving tool like 7zip, but you can get it with a trick, see below.
Warning: Oracle removed the description from their web page how to extract the msi-file, and they warn to not use this method any more. They write that they cannot guarantee that Java will work correctly if installed like this, and that they may change the install method in future versions to make this method not work any more at all. Then you must instead run the exe installer with a settings file, to make it run silent and set the required parameters.
Use the offline installer, not the normal installer. This has the added benefit that it doesn't include the Ask-toolbar.
The easiest method is to use these list of direct download links.
If that page does not yet list the latest version, go to java.com, but ignore the big download buttons. Instead click in the header on download, and on the next page on 'all java downloads'. The english version of that page is here, the german one here.
Run the downloaded installer, and wait until it displays the first dialog. Only answer questions from Windows when it wants confirmation to run the installer, but don't click on any button that the installer shows. Instead look into this directory
Starting with version 8.60 replace Sun with Oracle.
Here you find a directory with the version number of the Java installer that you have started, and inside this the MSI-file. Copy that to somewhere else, then abort the installer program.
If the installer does run through, without showing any message, then Java was already installed previously on this computer.
The MSI-file lacks a few entries, and requires a settings file. This can be fixed by supplying that settings file (it can even be empty), and repairing the MSI-file.
The settings file must only be there, even if it is empty. However I recommend that it contains these lines:INSTALL_SILENT=Enable
The file must be named java.settings.cfg and must be located in subdirectory CommonAppData\Oracle\Java, relative to the MSI-file.
Alternatively it can be placed on the destination machines in %allusersprofile%\Oracle\Java\java.settings.cfg. However when I tried to place this file in that directory using the same GPO as for deployment, the install did not work. Apparently the GPO does first the install, and then the file placement.
Acknowledgement: most of the following comes from www.schulnetz.info/java-8-update-25-per-gpo-ausrollen, which cites maddog2050.wordpress.com/2014/10/27/gpo-deploying-java-8-update-25 as its source. A newer version is on https://maddog2050.wordpress.com/2015/09/09/gpo-deploying-java-8-update-60/, but I have not read that yet.
In Table "CustomAction", row "installexe" add 2048 to the value in the column "Type":
If the old value is 1026, change it to 3074 (Java versions before 8.40).
If the old value is 1042, change it to 3090 (Java versions 8.40, 8.45 and 8.51).
In table "InstallExecuteSequence" row "SetSilentInstall":
change "Condition" from "UILevel=2" to "UILevel<=3"
In table "File" add a row with these values:
In table "Component" add this row:
In table "Directory" add these rows:
In table "FeatureComponents" add this row:
In table "Media" add this row:
The properties ALLUSERS is already set to 1, ARPNOMODIFY is set to "yes", should be 1.
ARPNOREPAIR is also set to 1. This is unfortunate, but one should probably not change it.
But you should change these properties:
Other guides also recommend these properties:
For more info see Java Deployment Guide.
The browser plugin of Java version 1.7.51 (January 2014) and later will only run applets, which are signed with a digital certificate. This can be changed by creating a Deployment Rule Set, a whitelist ("Exception List"), or by changing the security level from high to medium. More details here.
Maintaining a whitelist is more work, but provides much higher security, and should thus be preferred. The security level can be set by individual users in the Java Control Panel, and can be deployed to all users with the install option WEB_JAVA_SECURITY_LEVEL=M. This option can either be specified on the command line, or as entry in the properties table of the msi-file (name "WEB_JAVA_SECURITY_LEVEL", value "M"). For maximum security set it to "H".
For security reasons many people recommend to not use Java any more at all, or only when absolutely necessary. If you need Java only to run local apps, then you should disable the web browser plugin. This prevents that security vulnerabilities can be exploited by planting malware on web pages.
Note: If you want to keep using local jnlp-files (Java Web Start), do not tell Java to disable all browser plugins (first item below), instead disable it specifically in the web browser (second item).
Starting with Java version 1.7.10, the installation of the plugin can be disabled by specifying WEB_JAVA=0 either as command line argument for the installer (found in this technote), or as property in the MSI-file. Oracle does not tell that this also works as property in the MSI-file, thanks Miles for this great find and for telling me.
If you ever want to switch back to a version with plugins, it is not enough to just uninstall the MSI with WEB_JAVA=0, and then install one without this property. Instead you must either install one with WEB_JAVA=1, or remove the registry key HKLM\SOFTWARE\Oracle\JavaDeploy that remains in the registry after the uninstall, especially the values WebDeployJava and deployment.webjava.enabled inside this key.
Remove these registry keys:
(This appears to be outdated, does not have an effect on Internet Explorer version 11).
Firefox searches the Java plugin with two methods. Both must be disabled:
The actual registry keys are version specific. For Java version 1.8.65 they are:
You should check all computers for old versions, because in the past the installers for Java did not automatically remove them. Oracle warns that leaving them on the computer 'presents a serious security risk'. The Washington Post explains that this is because a 'web site set up by a bad guy could be made to pick and choose which version of Java should be used.'
Sun could not decide on a version number format, and Oracle does not dare to fix it, because it would break many things.
Depending on where you look, you will find several different version
numbers for the same release, for example:
8.51 = 8.0.510 = 1.8.51 = jre1.8.0_u51
If you think that this is confusing, wait until you see their version numbering scheme.
Oracle releases regular updates on the Tuesday that is closest to the 17th day of January, April, July and October. This can be on the same day as the patchday from Microsoft, but it can also be a week later. The next dates can be found on www.oracle.com/technetwork/topics/security/alerts-086861.html.
Comment from a reader:
In version 8.65 in table "Directory" the Entry "CommonAppDataFolder" is missing:
I simply copied the line from Adobe Reader Msi and inserted it in Java JRE, now the installation runs cleanly through.
I tried this, it works. Thank you very much!
Update 2015-10-28: When manually testing install-uninstall several times in sequence, they sometimes hang until I manually kill the process javaws.exe. I'm not sure if this is relevant for GPO deployment. Im also not sure if this effect is new with this version, or if it affects only the msi variant.
The same also happens when using the offline-installer.exe
Uninstall appears to be much more unreliable than install.
It may be a race condition that happens only when running on an SDD.