As we use Remote Desktop Services, I assumed that if I made the change on one Session Host, it would apply to all user sessions on that host... I was wrong - the exceptions need to be set per user as they sit in the users profile.
As well as RDS, we also have PC and Laptop users that would need these Java exceptions too.
To push the setting out to all users, I needed to do the following:
1. Set the required exceptions on one machine
- Open Control Panel and select the Java applet (or you can likely find in C:\Program Files (x86)\Java\jre1.8.0_131\bin\javacpl.exe)
- On the Security tab, enter the sites you wish to be excluded.
2. Take copy of the exception.sites file and place on a network share
- Copy the exception.sites file from the users local profile (C:\Users\%username%%\AppData\LocalLow\Sun\Java\Deployment\security)
- Paste onto a network share that is available to 'everyone'
3. Create a Group Policy Object
- In Group Policy Management, create a new GPO (or use an existing GPO)
- Under 'User Configuration > Preferences > Windows Settings > Files', add a new File
Destination file: Where we wish to copy the exception.sites file to (local user profile - usually