This web page will go away in December 2015. We are switching to deploy Java by running the exe installer. And hopefully soon we will not need to deploy Java any more at all.


tl;dr (summary) for version 8.51:

  1. Start offline installer
  2. Copy MSI-file from %LOCALAPPDATA%Low\Sun\Java
  3. Extract repair.mst and settings.cfg to same directory
  4. msiexec /i jre1.8.0_51.msi TRANSFORMS=java8-repair.mst

See also: java7.msi

Tested with version 8.51. For 8.65 see comment at the end.

Oracle does not directly offer an MSI-file for download. However the EXE installer is internally based on an MSI file, so it is available.

The MSI-file cannot simply be extracted from the setup program with an archiving tool like 7zip, but you can get it with a trick, see below.

Warning: Oracle removed the description from their web page how to extract the msi-file, and they warn to not use this method any more. They write that they cannot guarantee that Java will work correctly if installed like this, and that they may change the install method in future versions to make this method not work any more at all. Then you must instead run the exe installer with a settings file, to make it run silent and set the required parameters.

Download the offline installer

Use the offline installer, not the normal installer. This has the added benefit that it doesn't include the Ask-toolbar.

The easiest method is to use these list of direct download links.

If that page does not yet list the latest version, go to, but ignore the big download buttons. Instead click in the header on download, and on the next page on 'all java downloads'. The english version of that page is here, the german one here.

Extract the MSI-file

Run the downloaded installer, and wait until it displays the first dialog. Only answer questions from Windows when it wants confirmation to run the installer, but don't click on any button that the installer shows. Instead look into this directory

  • %LOCALAPPDATA%Low\Sun\Java (Windows 7)
  • %APPDATA%\Sun\Java (Windows-XP)

Starting with version 8.60 replace Sun with Oracle.

Here you find a directory with the version number of the Java installer that you have started, and inside this the MSI-file. Copy that to somewhere else, then abort the installer program.

If the installer does run through, without showing any message, then Java was already installed previously on this computer.

Fix some errors

The MSI-file lacks a few entries, and requires a settings file. This can be fixed by supplying that settings file (it can even be empty), and repairing the MSI-file.

add settings file

The settings file must only be there, even if it is empty. However I recommend that it contains these lines:


The file must be named java.settings.cfg and must be located in subdirectory CommonAppData\Oracle\Java, relative to the MSI-file.

Alternatively it can be placed on the destination machines in %allusersprofile%\Oracle\Java\java.settings.cfg. However when I tried to place this file in that directory using the same GPO as for deployment, the install did not work. Apparently the GPO does first the install, and then the file placement.

repair msi file

Either download my MST file, or edit the MSI-file, for example with Orca, to apply all these modifications:

Acknowledgement: most of the following comes from, which cites as its source. A newer version is on, but I have not read that yet.

In Table "CustomAction", row "installexe" add 2048 to the value in the column "Type":
If the old value is 1026, change it to 3074 (Java versions before 8.40).
If the old value is 1042, change it to 3090 (Java versions 8.40, 8.45 and 8.51).

In table "InstallExecuteSequence" row "SetSilentInstall":
change "Condition" from "UILevel=2" to "UILevel<=3"

In table "File" add a row with these values:


In table "Component" add this row:

emptycfgComponent JavaDir0  

In table "Directory" add these rows:


In table "FeatureComponents" add this row:


In table "Media" add this row:



The properties ALLUSERS is already set to 1, ARPNOMODIFY is set to "yes", should be 1.

ARPNOREPAIR is also set to 1. This is unfortunate, but one should probably not change it.

But you should change these properties:

  • set ARPNOREMOVE to 1. This disables uninstall in 'Add/Remove Programs'.
  • change AUTOUPDATECHECK from 1 to 0. This disables update check during installation.
  • change JAVAUPDATE from 1 to 0. This disables automatic updates.
  • Add property JU, set it to 0. Don't allow users to re-enable updater (is this documented anywhere?).

Other guides also recommend these properties:


For more info see Java Deployment Guide.

Change Security Settings (optional)

The browser plugin of Java version 1.7.51 (January 2014) and later will only run applets, which are signed with a digital certificate. This can be changed by creating a Deployment Rule Set, a whitelist ("Exception List"), or by changing the security level from high to medium. More details here.

Maintaining a whitelist is more work, but provides much higher security, and should thus be preferred. The security level can be set by individual users in the Java Control Panel, and can be deployed to all users with the install option WEB_JAVA_SECURITY_LEVEL=M. This option can either be specified on the command line, or as entry in the properties table of the msi-file (name "WEB_JAVA_SECURITY_LEVEL", value "M"). For maximum security set it to "H".

Disable Browser-Plugin (optional)

For security reasons many people recommend to not use Java any more at all, or only when absolutely necessary. If you need Java only to run local apps, then you should disable the web browser plugin. This prevents that security vulnerabilities can be exploited by planting malware on web pages.

Note: If you want to keep using local jnlp-files (Java Web Start), do not tell Java to disable all browser plugins (first item below), instead disable it specifically in the web browser (second item).

prevent installation of browser-plugin

Starting with Java version 1.7.10, the installation of the plugin can be disabled by specifying WEB_JAVA=0 either as command line argument for the installer (found in this technote), or as property in the MSI-file. Oracle does not tell that this also works as property in the MSI-file, thanks Miles for this great find and for telling me.

If you ever want to switch back to a version with plugins, it is not enough to just uninstall the MSI with WEB_JAVA=0, and then install one without this property. Instead you must either install one with WEB_JAVA=1, or remove the registry key HKLM\SOFTWARE\Oracle\JavaDeploy that remains in the registry after the uninstall, especially the values WebDeployJava and deployment.webjava.enabled inside this key.

prevent use of browser-plugin by Internet Explorer

Remove these registry keys:

  • HKLM\SOFTWARE\JavaSoft\Java Plug-in
  • HKLM\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in

(This appears to be outdated, does not have an effect on Internet Explorer version 11).

prevent use of browser-plugin by Firefox

Firefox searches the Java plugin with two methods. Both must be disabled:

  • Set the preference plugin.scan.sunJRE in Firefox to a number higher than the current versison number of Java, for example 9.9 (Java 7u11 has internally the version number 1.7.11, so 9 is a lot higher).
  • Remove the registry keys HKLM\SOFTWARE\MozillaPlugins\*

The actual registry keys are version specific. For Java version 1.8.65 they are:



Remove Old Versions

You should check all computers for old versions, because in the past the installers for Java did not automatically remove them. Oracle warns that leaving them on the computer 'presents a serious security risk'. The Washington Post explains that this is because a 'web site set up by a bad guy could be made to pick and choose which version of Java should be used.'

Version Numbers

Sun could not decide on a version number format, and Oracle does not dare to fix it, because it would break many things.

Depending on where you look, you will find several different version numbers for the same release, for example:
8.51 = 8.0.510 = 1.8.51 = jre1.8.0_u51

If you think that this is confusing, wait until you see their version numbering scheme.

Release Schedule

Oracle releases regular updates on the Tuesday that is closest to the 17th day of January, April, July and October. This can be on the same day as the patchday from Microsoft, but it can also be a week later. The next dates can be found on

Comment from a reader:

In version 8.65 in table "Directory" the Entry "CommonAppDataFolder" is missing:
I simply copied the line from Adobe Reader Msi and inserted it in Java JRE, now the installation runs cleanly through.

I tried this, it works. Thank you very much!

Update 2015-10-28: When manually testing install-uninstall several times in sequence, they sometimes hang until I manually kill the process javaws.exe. I'm not sure if this is relevant for GPO deployment. Im also not sure if this effect is new with this version, or if it affects only the msi variant.

Update 2015-11-04: The same also happens when using the offline-installer.exe
Uninstall appears to be much more unreliable than install.
It may be a race condition that happens only when running on an SDD.