With the known Java threat on the loose, I've pushed a GPO to disable Java within IE. However, I'd like to disable Java across all browsers. Java provides documentation on how to do this via their new control panel: How do I disable Java in my web browser?
I'd like to push out this setting via Group Policy. I imagine this should be able to be done by identifying the registry setting that is modified by the Java Control Panel.
Has anyone identified the registry settings needed to disable Java across all browsers?
Update: Microsoft has published KB 2751647 which describes the necessary settings:
http://support.microsoft.com/kb/2751647
For these scenarios, I usually just take a before/after snapshot using reg.
Make the configuration setting changes...
Then use a decent text editor like Notepad++ with the Compare add-in to identify the differences in each before/after file set.
If you have both x86 and x64 platforms, you will most likely need two different sets of registry values and GPOs, as almost everyone uses 32-bit Java even if the platform is x64.
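The before/after comparison described in the answer above can also be scripted. This is an added example, not part of the original post; it diffs two exports in the text format `reg export` writes. The function names `parse_reg` and `diff_reg` and the `ExampleVendor` keys and values are constructed for illustration and are not actual Java settings.

```python
# Added example: diff two registry exports in the text format "reg export" writes.
# Key and value names in the samples are constructed placeholders, not Java settings.
# Real exports are UTF-16: open(path, encoding="utf-16").read()

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):             # hex data continues on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith("@="):
            current["@"] = line[2:]          # the key's default value
        elif current is not None and line.startswith('"'):
            end = 1
            while end < len(line) and line[end] != '"':
                end += 2 if line[end] == "\\" else 1   # step over escaped chars
            current[line[1:end]] = line[end + 2:]       # skip the closing '"='
    return keys

def diff_reg(before, after):
    """Return (change, key, value_name, old_data, new_data) tuples, sorted by key."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes.append(("key added", key, None, None, None))
        if key not in after:
            changes.append(("key removed", key, None, None, None))
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                kind = "added" if name not in old else "removed" if name not in new else "changed"
                changes.append(("value " + kind, key, name, old.get(name), new.get(name)))
    return changes

BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"PluginEnabled"=dword:00000001
"InstallDir"="C:\\Program Files\\ExampleApp\\"
'''
AFTER = BEFORE.replace("dword:00000001", "dword:00000000") + r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp\Policy]
"Blob"=hex:01,02,\
  03,04
'''

if __name__ == "__main__":
    for change in diff_reg(parse_reg(BEFORE), parse_reg(AFTER)):
        print(change)
```

On 64-bit Windows, changes made by a 32-bit application appear under `Wow6432Node` in the export, which is why the x86 and x64 result sets differ.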
I found a change under:
A key was added:
After testing, it looks like there are way too many registry keys that would need to be modified to have this be a viable option. Additionally, it would only work for Java 7 update 10 and above. Given that information, and the release of Java 7 update 11, I've simply pushed out the latest release via GPO.
Firefox can find the Java plugin with two methods; both must be disabled:
The tool RegFromApp is probably better to find registry changes. It doesn't do snapshots, it watches while the changes are made, and it can be told to watch only changes made by a certain process. This gives you a much smaller, cleaner registry file, with less clutter. Unfortunately I once noticed that even this tool sometimes lists changes that must have been coming from somewhere else.