-
Bug
-
Resolution: Fixed
-
P2
-
8u112, 9
-
b160
-
x86
-
other
-
Verified
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8176111 | 8u131 | William Harnois | P2 | Closed | Fixed | b10 |
FULL PRODUCT VERSION :
Can not provide becaus installation is not possible
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 10.0.14393]
EXTRA RELEVANT SYSTEM CONFIGURATION :
X64 and Microsoft Deviceguard is enabled on the Client
A DESCRIPTION OF THE PROBLEM :
Hi,
Installation of JRE on Windows 10 with enabled Device Guard is not working.
If Device Guard is in audit mode or in enforcement mode on Windows 10, the JRE installation breaks with 1603.
Reason is a file called bspatch.exe used by JRE installer to merge Files.
This file has an wrong PE header, and Device guard cannot verify the Hash, so the execution is blocked with an access denied.
Solution is to compile bspatch.exe as part of the JRE installer with an correct PE header, and implement the fixed file in your JRE installer.
This Bug in the JRE installer will affect all Company’s using Windows 10 with Microsoft Device guard enabled to secure the client. No one will be able to install or patch JRE on their clients until this File is fixed within the installer of JRE.
Currently the only solution is to dissable Deviceguard, what is not an Option in this case, because we like to have an secure Client !
Currently there are two tickets running. One by MS and one by Oracle.
Dear Support feel free to contact me, to get more information to the 2 tickets and the technical background.
This Thrad has more or les the same topic, bspatch.exe get marked as Malware because the PE headder is wrong... JRE/SDK 1603 error, potential solution
And i wrote the same in an own Thread
https://community.oracle.com/message/14181819#14181819 
In the Oracle Ticket SR 3-13830236201 there is all the information how to reproduce the issue, as well as a zip File with information’s for reproduce.
Maybe your TSAnet (www.tsanet.org) Members could get in contact with TSAnet members of Microsoft to get in touch about the details.
Pleas fix this soon , i promis Oracle that you get contacted by other Companys who like to enable DG on Windows 10 Clients to have an Secure Client in future!
And as you shuld know Security is first !
regards
Paul
REGRESSION. Last worked in version 8u111
ADDITIONAL REGRESSION INFORMATION:
Every 7,8 and 9 version is efected
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Enable Deviceguard in Audit mode on Windows 10
pleas have a look at the Ticket SR 3-13830236201 there is an How to reproduce
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
JRE should be installed
ACTUAL -
Java installation Fails becaus BSPATCH.EXE is Blocked from Deviceguard
ERROR MESSAGES/STACK TRACES THAT OCCUR :
1603 / Access denied during Execution of BSPATCH.EXE
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
pleas have a look at the Ticket SR 3-13830236201 there is an How to reproduce
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Dissable Deviceguard, this is not an Solution!
Can not provide becaus installation is not possible
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 10.0.14393]
EXTRA RELEVANT SYSTEM CONFIGURATION :
X64 and Microsoft Deviceguard is enabled on the Client
A DESCRIPTION OF THE PROBLEM :
Hi,
Installation of JRE on Windows 10 with enabled Device Guard is not working.
If Device Guard is in audit mode or in enforcement mode on Windows 10, the JRE installation breaks with 1603.
Reason is a file called bspatch.exe used by JRE installer to merge Files.
This file has an wrong PE header, and Device guard cannot verify the Hash, so the execution is blocked with an access denied.
Solution is to compile bspatch.exe as part of the JRE installer with an correct PE header, and implement the fixed file in your JRE installer.
This Bug in the JRE installer will affect all Company’s using Windows 10 with Microsoft Device guard enabled to secure the client. No one will be able to install or patch JRE on their clients until this File is fixed within the installer of JRE.
Currently the only solution is to dissable Deviceguard, what is not an Option in this case, because we like to have an secure Client !
Currently there are two tickets running. One by MS and one by Oracle.
Dear Support feel free to contact me, to get more information to the 2 tickets and the technical background.
This Thrad has more or les the same topic, bspatch.exe get marked as Malware because the PE headder is wrong... JRE/SDK 1603 error, potential solution
And i wrote the same in an own Thread
https://community.oracle.com/message/14181819#14181819 
In the Oracle Ticket SR 3-13830236201 there is all the information how to reproduce the issue, as well as a zip File with information’s for reproduce.
Maybe your TSAnet (www.tsanet.org) Members could get in contact with TSAnet members of Microsoft to get in touch about the details.
Pleas fix this soon , i promis Oracle that you get contacted by other Companys who like to enable DG on Windows 10 Clients to have an Secure Client in future!
And as you shuld know Security is first !
regards
Paul
REGRESSION. Last worked in version 8u111
ADDITIONAL REGRESSION INFORMATION:
Every 7,8 and 9 version is efected
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Enable Deviceguard in Audit mode on Windows 10
pleas have a look at the Ticket SR 3-13830236201 there is an How to reproduce
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
JRE should be installed
ACTUAL -
Java installation Fails becaus BSPATCH.EXE is Blocked from Deviceguard
ERROR MESSAGES/STACK TRACES THAT OCCUR :
1603 / Access denied during Execution of BSPATCH.EXE
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
pleas have a look at the Ticket SR 3-13830236201 there is an How to reproduce
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Dissable Deviceguard, this is not an Solution!
- backported by
-
JDK-8176111 JRE installation fails with 1603 on Windows 10 with enabled Deviceguard
-
- Closed
-