I'm getting conflicting reports about applying this to version 8.60. Some say Oracle only put everything into a different path, some say that this mst file does not work any more. I have not tested so far myself, because version 8.60 is not a security update.


tl;dr (summary) for version 8.51:

  1. Start offline installer
  2. Copy MSI-file from %LOCALAPPDATA%Low\Sun\Java
  3. Extract repair.mst and settings.cfg to same directory
  4. msiexec /i jre1.8.0_51.msi TRANSFORMS=java8-repair.mst

See also: java7.msi

Oracle does not directly offer an MSI-file for download (except for customers who pay for a support contract). However the EXE installer is internally based on an MSI file, so it is available.

The MSI-file cannot simply be extracted from the setup program with an archiving tool like 7zip, but you can get it with a trick, see below.

Starting with version 8 Oracle decided they want to earn money from people who want to deploy the runtime library as msi. They must be the only software company on this planet with such an awkward idea. I hope that everybody puts enormous pressure on all developers of web apps which need Java in the browser. Demand that they rewrite them such that they do not need Java any more.

Warning: Oracle warns that you should not use this method. They write that they cannot guarantee that Java will work correctly if installed like this, and they warn that they may change the install method in future versions to make this method fail. Then you must instead run the exe installer with a settings file, to make it run silent and set the required parameters.

Download the offline installer

Use the offline installer, not the normal installer. This has the added benefit that it doesn't include the Ask-toolbar.

The easiest method is to use these list of direct download links.

If that page does not yet list the latest version, go to java.com, but ignore the big download buttons. Instead click in the header on download, and on the next page on 'all java downloads'. The english version of that page is here, the german one here.

Extract the MSI-file

Run the downloaded installer, and wait until it displays the first dialog. Only answer questions from Windows when it wants confirmation to run the installer, but don't click on any button that the installer shows. Instead look into this directory

  • %LOCALAPPDATA%Low\Sun\Java (Windows 7)
  • %APPDATA%\Sun\Java (Windows-XP)

Here you find a directory with the version number of the Java installer that you have started, and inside this the MSI-file. Copy that to somewhere else, then abort the installer program.

If the installer does run through, without showing any message, then Java was already installed on this computer.

Fix some errors

Oracle damaged the MSI-file, and made it depend on a settings file. This can be fixed by supplying that settings file (it can even be empty), and repairing the MSI-file.

add settings file

The settings file must only be there, even if it is empty. However I recommand that it contains these lines:


The file must be named java.settings.cfg and must be located in subdirectory CommonAppData\Oracle\Java, relative to the MSI-file.

Alternatively it can be placed on the destination machines in %allusersprofile%\Oracle\Java\java.settings.cfg. However when I tried to place this file in that directory using the same GPO as for deployment, the install did not work. Apparently the GPO does first the install, and then the file placement.

repair msi file

Either download my MST file, or edit the MSI-file, for example with Orca, to apply all these modifications:

Acknowledgement: most of the following comes from www.schulnetz.info/java-8-update-25-per-gpo-ausrollen, which cites maddog2050.wordpress.com/2014/10/27/gpo-deploying-java-8-update-25 as its source.

In Table "CustomAction", row "installexe" add 2048 to the value in the column "Type":
If the old value is 1026, change it to 3074 (Java versions before 8.40).
If the old value is 1042, change it to 3090 (Java versions 8.40, 8.45 and 8.51).

In table "InstallExecuteSequence" row "SetSilentInstall":
change "Condition" from "UILevel=2" to "UILevel<=3"

In table "File" add a row with these values:


In table "Component" add this row:

emptycfgComponent JavaDir0  

In table "Directory" add these rows:


In table "FeatureComponents" add this row:


In table "Media" add this row:



The properties ALLUSERS is already set to 1, ARPNOMODIFY is set to "yes", should be 1.

ARPNOREPAIR is also set to 1. This is unfortunate, but one should probably not change it.

But you should change these properties:

  • set ARPNOREMOVE to 1. This disables uninstall in 'Add/Remove Programs'.
  • change AUTOUPDATECHECK from 1 to 0. This disables update check during installation.
  • change JAVAUPDATE from 1 to 0. This disables automatic updates.
  • Add property JU, set it to 0. Don't allow users to re-enable updater (is this documented anywhere?).

Other guides also recommend these properties:


For more info see Java Deployment Guide.

Change Security Settings (optional)

The browser plugin of Java version 1.7.51 (January 2014) and later will only run applets, which are signed with a digital certificate. This can be changed by creating a Deployment Rule Set, a whitelist ("Exception List"), or by changing the security level from high to medium. More details here.

Maintaining a whitelist is more work, but provides much higher security, and should thus be preferred. The security level can be set by individual users in the Java Control Panel, and can be deployed to all users with the install option WEB_JAVA_SECURITY_LEVEL=M. This option can either be specified on the command line, or as entry in the properties table of the msi-file (name "WEB_JAVA_SECURITY_LEVEL", value "M"). For maximum security set it to "H".

Disable Browser-Plugin (optional)

For security reasons many people recommend to not use Java any more at all, or only when absolutely necessary. If you need Java only to run local apps, then you should disable the web browser plugin. This prevents that security vulnerabilities can be exploited by planting malware on web pages.

prevent installation of browser-plugin

Starting with Java version 1.7.10, the installation of the plugin can be disabled by specifying WEB_JAVA=0 either as command line argument for the installer (found in this technote), or as property in the MSI-file. Oracle does not tell that this also works as property in the MSI-file, thanks Miles for this great find and for telling me.

If you ever want to switch back to a version with plugins, it is not enough to just uninstall the MSI with WEB_JAVA=0, and then install one without this property. Instead you must either install one with WEB_JAVA=1, or remove the registry key HKLM\SOFTWARE\Oracle\JavaDeploy that remains in the registry after the uninstall, especially the values WebDeployJava and deployment.webjava.enabled inside this key.

prevent use of browser-plugin by Firefox

Firefox can find the Java plugin with two methods, both must be disabled:

  • Set the preference plugin.scan.sunJRE in Firefox to a number higher than the current versison number, for example 9.9 (Java 7.11 has version number 1.7.11, so 9 is a lot higher).
  • Remove the registry keys HKLM\SOFTWARE\MozillaPlugins\@java.com*


Remove Old Versions

You should check all computers for old versions, because in the past the installers for Java did not automatically remove them. Oracle warns that leaving them on the computer 'presents a serious security risk'. The Washington Post explains that this is because a 'web site set up by a bad guy could be made to pick and choose which version of Java should be used.'

Version Numbers

Sun could not decide on a version number format, and Oracle does not dare to fix it, because it would break many things.

Depending on where you look, you will find several different version numbers for the same release, for example:
8.51 = 8.0.510 = 1.8.51 = jre1.8.0_u51

If you think that this is confusing, wait until you see their version numbering scheme.

Release Schedule

Oracle releases regular updates on the Tuesday that is closest to the 17th day of January, April, July and October. This can be on the same day as the patchday from Microsoft, but it can also be a week later. The next dates can be found on www.oracle.com/technetwork/topics/security/alerts-086861.html.

tested with version 1.8.51 (32bit).