Oracle SE Java 8 - Required Software Policy

If you’ve not yet read our announcement concerning Oracle SE Java 8 Support Shift and How It Impacts Automox Users, please see our blog post for further detail and context.

Hello Automox Community!

Given the recent support shift concerning Java SE 8 Updates, we’ve created an Automox Worklet template for Required Software Policy that you may use in extending the patch care continuum of Java SE 8. In addition, this template can be refactored as-needed for other such third-party software solutions.

How To Use

Overall process is documented on our blog post, but to summarize:

  • Obtain the patch through a manual download of the “offline” install file or via Worklet.

  • Upload the patch to the Automox Console in a new Required Software Policy and add the template to the policy.

  • Make any adjustments necessary to scope, and be sure that the patch name and version are matching exactly to the patch upload name and version.

Tips

If you have an issue with the template, be sure to check that the upload filename matches the Package Name.

Be sure to download the offline patch vs the “online” version.

Installation Script (Click To Expand)
<#
#-------------------------------------------------------------[License]------------------------------------------------------------

MIT License

Copyright (c) 2020 Nicholas Colyer

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

* The above copyright notice and this permission notice shall be included in all
  copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

#-----------------------------------------------------------[Description]----------------------------------------------------------

.SYNOPSIS
Java SE Runtime Environment 8 Update (271) Script (Java-SE-8-Patch-Script_Update-271)

.DESCRIPTION
This script will update the java version installed with the patch manually uploaded to the Automox Console.

.OUTPUTS
  Exit 0
  Exit 1 && Exception (Message)

.NOTES
  Version:        1.0
  Creation Date:  12/04/2020
  Author:         Nicholas Colyer
  Purpose/Change: Initial script development
  Email:          nicholas.colyer@automox.com, contact@nicholascolyer.com
  Url:            https://github.com/ncolyer/automox-community
  Platform:       Microsoft Windows
  Release:        10
  Build:          >=1507
  Tags:           Java 8, Build 271 Update, Powershell

.EXAMPLE
  ./Java-SE-8-Patch-Script_Update-271.ps1

#>

#-----------------------------------------------------------[Parameters]-----------------------------------------------------------

Param (

  [string]$compliantPatchFile    = "jre-8u271-windows-i586.exe",
  [string]$compliantProductValue = "Java 8 Update 271",
  [string]$productFilter         = 'Java [0-9] Update(.*)',
  [string]$compliantTestCmd      = "java -version",
  [string]$compliantTestCmdValue = "build 1.8.0_271",
  [string]$pathFilter            = "%java%"  

)

#-----------------------------------------------------------[Functions]------------------------------------------------------------

Function Get-InstalledSoftware {
  <#

  .SYNOPSIS 
  Displays all software listed in the registry on a given computer.

  .DESCRIPTION
  Uses the SOFTWARE registry keys (both 32 and 64bit) to list the name, version, vendor, and uninstall string for each software entry on a given computer.

  .PARAMETER ComputerName
  [String] A string input representing the target device computer name

  .EXAMPLE
  C:\PS> Get-InstalledSoftware -ComputerName SERVER1
  This shows the software installed on SERVER1. 

  .NOTES
  This function is courtesy of stackoverflow community as a superior alternative to WMI/Win32_Product

  .LINK
  https://stackoverflow.com/questions/25268491/alternative-to-win32-product 

  #>

  Param (
  
    [Parameter(mandatory=$true,ValueFromPipelineByPropertyName=$true)][string[]]$ComputerName
  
  )

  Process {
    
    foreach ($Computer in $ComputerName)
    {
      
      #Open Remote Base
      $reg=[microsoft.win32.registrykey]::OpenRemoteBaseKey('LocalMachine',$Computer)

      #Check if it's got 64bit regkeys
      $keyRootSoftware = $reg.OpenSubKey("SOFTWARE")
      [bool]$is64 = ($keyRootSoftware.GetSubKeyNames() | ? {$_ -eq 'WOW6432Node'} | Measure-Object).Count
      $keyRootSoftware.Close()

      #Get all of they keys into a list
      $softwareKeys = @()
      
      if ($is64){
        
	$pathUninstall64 = "SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
        $keyUninstall64 = $reg.OpenSubKey($pathUninstall64)
        $keyUninstall64.GetSubKeyNames() | % {
        
	  $softwareKeys += $pathUninstall64 + "\\" + $_
        
	}
        
	$keyUninstall64.Close()
      
      }
      
      $pathUninstall32 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
      $keyUninstall32 = $reg.OpenSubKey($pathUninstall32)
      $keyUninstall32.GetSubKeyNames() | % {
      
        $softwareKeys += $pathUninstall32 + "\\" + $_
      
      }
      
      $keyUninstall32.Close()

      #Get information from all the keys
      $softwareKeys | % {
        
	$subkey=$reg.OpenSubKey($_)
        
	  if ($subkey.GetValue("DisplayName")){
            
	    $installDate = $null
            
	    if ($subkey.GetValue("InstallDate") -match "/"){
            
	      $installDate = Get-Date $subkey.GetValue("InstallDate")
            
	    }
            elseif ($subkey.GetValue("InstallDate").length -eq 8){
            
	      $installDate = Get-Date $subkey.GetValue("InstallDate").Insert(6,".").Insert(4,".")
            }
            
	    New-Object PSObject -Property @{
              ComputerName = $Computer
              Name = $subkey.GetValue("DisplayName")
              Version = $subKey.GetValue("DisplayVersion")
              Vendor = $subkey.GetValue("Publisher")
              UninstallString = $subkey.GetValue("UninstallString")
              InstallDate = $installDate
            }
          
	  }

          $subkey.Close()
      
      }
      
      $reg.Close()
    
    }

  }

}


function Get-CompliantStatus {
  <#

  .SYNOPSIS
  Get-CompliantStatus of device

  .DESCRIPTION
  Determines device compliance by checking registry and commandline for correct version information.
  Both CLI and registry target values are required to return true matches for a compliant result.

  .PARAMETER productFilter
    [String] Qualifying Product Candidate Filter (RegEx)
      
  .PARAMETER compliantProductValue
    [String] Compliant Product Version Value (Exact Match)

  .PARAMETER compliantTestCmd
    [String] Commandline Syntax for Enumerating Version Value

  .PARAMETER compliantTestCmdValue
    [String] Commandline Complaint Version Value Result

  #>

  Param (
    
    [Parameter(mandatory=$true,ValueFromPipelineByPropertyName=$true)][string[]]$productFilter,        
    [Parameter(mandatory=$true,ValueFromPipelineByPropertyName=$true)][string[]]$compliantProductValue,
    [Parameter(mandatory=$true,ValueFromPipelineByPropertyName=$true)][string[]]$compliantTestCmd,
    [Parameter(mandatory=$true,ValueFromPipelineByPropertyName=$true)][string[]]$compliantTestCmdValue

    )

  $installedSoftware = Get-InstalledSoftware $env:COMPUTERNAME

  # Any Java Version Installed?
  If ($installedSoftware | Select-String -Pattern $productFilter){

    # Patch Compliant
    If ($installedSoftware | Select-String -Pattern $compliantProductValue){

      $compliantInstallPkgMgr = $true

    }

  } else {

    Write-Output "No candidate Java installed."
    exit 0

  }

  # Commandline Compliant
  If(([string](& cmd /c $compliantTestCmd 2>&1)) -match $compliantTestCmdValue){

    $compliantInstallCli = $true

  }

  if($compliantInstallCli -and $compliantInstallPkgMgr){

    return $true

  }

  return $false

}


function Start-Install {
  <#

    .SYNOPSIS
    Start-Install of compliant patch

    .DESCRIPTION
    Start-Install will install the compliant patch file supplied on the device

    .PARAMETER compliantPatchFile
    [String] Compliant Product Version Patchfile - Uploaded to Automox Console

  #>

  Param (
    
    [Parameter(mandatory=$true,ValueFromPipelineByPropertyName=$true)][string[]]$compliantPatchFile
        
  )

  if(Start-Process -FilePath ".\$compliantPatchFile" "/s" -Wait){

    Remove-Item -Path ".\$compliantPatchFile" -Force -ErrorAction SilentlyContinue

  }

}


function Invoke-PatchNow ($compliantPatchFile, $pathFilter) {
  <#

    .SYNOPSIS
    Invoke-PatchNow evaluation logic

    .DESCRIPTION
    Invoke-PatchNow will evaluate device compliance and take required action

    .PARAMETER compliantPatchFile
    [String] Patch file uploaded to Automox console for candidate installation

    .PARAMETER pathFilter
    [String] Execution path filter for terminating and potential conflicting processes

  #>

  if ((Get-CompliantStatus $compliantProductValue $productFilter $compliantTestCmd $compliantTestCmdValue) -eq $false){

    # Terminate Any Potential File/Locking Processes
    (Get-WmiObject -Class win32_process -Filter "ExecutablePath like '%$pathFilter%'") | ForEach-Object {($_.terminate())}

    Start-Install $compliantPatchFile

    if ((Get-CompliantStatus $compliantProductValue $productFilter $compliantTestCmd $compliantTestCmdValue) -eq $false){
      Write-Output "Could not patch automatically. Please manually patch device."
      exit 1
    }

  }

  # Already Compliant
  exit 0

}

#-----------------------------------------------------------[Execution]------------------------------------------------------------

Try {

  Invoke-PatchNow

} Catch {

  Write-Output $_.Exception
  exit 1

}

The template is also on GitHub.

1 Like