Java Group Policy (GPO) with Item-Level Targeting
Group Policy Objects (GPOs) are a great way to assign settings to Windows-based computers. Sometimes you need more control than the default WMI or access-based controls offer.
Let me introduce you to “Item-Level Targeting”. It’s a way to target parts of the GPO to only certain computers or users.
Let’s use our favorite program, Java, to illustrate how this can be useful.
I’m being sarcastic in case you couldn’t tell. 😉
In this example we will create a new GPO that targets 32-bit and 64-bit Windows, along with 32-bit and 64-bit Java JRE client installs. It disables the updates and copies the enterprise deployment configuration file to the computer.
Step 1: Creating a WMI Filter
First things first, let’s create a WMI Filter so we can only apply this to computers that have the Java Runtime installed.
1) Open Group Policy Management console.
2) Right click WMI Filters and choose New and name your new WMI Filter.
3) Click Add, ensure the Namespace is set to root\CIMv2, paste the following into the Query text box, then click OK and Save.
SELECT * FROM CIM_DataFile WHERE (Path LIKE '\\Program Files%\\Java\\jre%\\bin\\' AND FileName = 'java' AND Extension = 'exe')
This query returns true if Java is installed in either the Program Files or the Program Files (x86) folder, so it checks for both 32-bit and 64-bit installs of the Java Runtime Environment.
Step 2: Creating the Group Policy Object (GPO)
1) Open Group Policy Management console.
2) Right click Group Policy Objects and choose New and name your new GPO.
This will be a computer policy, but it can just as easily be a user policy. It depends on the options you choose in your GPO.
3) Edit your shiny new GPO and put in the settings you want. I’m going to assume you know what you’re doing in this regard, so I’ll just skip the details and show a couple screenshots.
Computer Configuration / Preferences / Windows Settings / Files
Computer Configuration / Preferences / Windows Settings / Registry
4) Now, let’s assign the WMI filter we created previously in Step 1 to this GPO using the WMI Filtering dropdown at the bottom of the Scope tab on the GPO.
Step 3: Adding Item-Level Targeting to the Group Policy Object (GPO)
1) Locate the File setting in the GPO. Right click on it and choose Properties, go to the Common tab and click the checkbox next to Item-Level Targeting. Once you’ve done that, click the Targeting… button.
Computer Configuration / Preferences / Windows Settings / Files
2) Click New Item / WMI Query
3) As this configuration file is for Java 8, let’s target Java 8 in this query. Fill in the Query text box with the following:
SELECT * FROM CIM_DataFile WHERE (Path LIKE '\\Program Files%\\Java\\jre1.8%\\bin\\' AND FileName = 'java' AND Extension = 'exe')
4) Locate the Registry setting in the GPO. Right click on it and choose Properties, go to the Common tab and click the checkbox next to Item-Level Targeting. Once you’ve done that, click the Targeting… button.
Computer Configuration / Preferences / Windows Settings / Registry
5) Click New Item / Environment Variable
6) For the 32-bit Windows registry entries, set the Name to Processor_Architecture and the Value to x86.
7) For the 64-bit Windows registry entries, set the Name to Processor_Architecture and the Value to AMD64.
You now have Java managed and you only needed one GPO to do it. This will manage both 32-bit and 64-bit versions of Windows and will only target computers that have the Java Runtime Environment installed.
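Before linking the GPO, you can check on a test computer what the WMI filter from Step 1 and the targeting items from Step 3 will evaluate to. The PowerShell below is an added example, not part of the original walkthrough: the two queries are copied from the steps above, and Test-WmiTargetingQuery is a hypothetical helper name.

```powershell
# Added example: check the article's targeting conditions on the local computer.
# The WQL strings are copied from Steps 1 and 3; Test-WmiTargetingQuery is a
# hypothetical helper name.
$anyJre = "SELECT * FROM CIM_DataFile WHERE (Path LIKE '\\Program Files%\\Java\\jre%\\bin\\' AND FileName = 'java' AND Extension = 'exe')"
$java8  = "SELECT * FROM CIM_DataFile WHERE (Path LIKE '\\Program Files%\\Java\\jre1.8%\\bin\\' AND FileName = 'java' AND Extension = 'exe')"
$queries = [ordered]@{
    'Step 1 WMI filter (any JRE)' = $anyJre
    'Step 3 Files item (Java 8)'  = $java8
}

function Test-WmiTargetingQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $files = @(); $problem = $null
    try {
        # A WMI condition matches when the query returns at least one instance.
        $files = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop |
                   Select-Object -ExpandProperty Name)
    } catch {
        $problem = $_.Exception.Message   # e.g. a syntax error in the pasted query
    }
    $timer.Stop()
    [pscustomobject]@{
        Matches = ($files.Count -gt 0)
        Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        Files   = $files -join '; '
        Error   = $problem
    }
}

$results = foreach ($label in $queries.Keys) {
    Test-WmiTargetingQuery -Query $queries[$label] |
        Select-Object @{ Name = 'Condition'; Expression = { $label } }, Matches, Seconds, Files, Error
}
$results | Format-List

# Read the machine-level value so a 32-bit PowerShell host on 64-bit Windows
# does not report x86 from its own process environment.
$arch = [Environment]::GetEnvironmentVariable('PROCESSOR_ARCHITECTURE', 'Machine')
switch ($arch) {
    'x86'   { 'Registry items targeted at x86 (32-bit Windows) would apply.' }
    'AMD64' { 'Registry items targeted at AMD64 (64-bit Windows) would apply.' }
    default { "PROCESSOR_ARCHITECTURE is '$arch'; neither registry targeting item matches." }
}
```

The Seconds column shows how long each CIM_DataFile query takes on that computer, which is worth knowing before the filter is rolled out widely.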