“As of January 23, 2023 Oracle have changed the licensing model for Java. Formerly based on “Named User Plus (NUP)” for client devices and “Processors” for servers, Oracle Java is now licensed based on the “employee” count of an organisation. Depending on how many employees you have, this switch to Oracle Java licensing based on employee count could get expensive quickly.”
Ouch! Oracle Java licensing switches to employee count metric – The ITAM Review (itassetmanagement.net)
More info on licensing: Oracle Java SE Universal Subscription Global Price List
🍀Luckily there are lot’s of good and free options to using Oracle Java out there!
So, if you as many others are looking at uninstalling Java due to the new licensing model, continue reading this post as we will look at how to accomplish exactly that by using Intune and proactive remediation.
About the solution
This solution is based upon proactive remediation, PS App Deployment Toolkit (PSADT) and an Azure storage account.
Here are some resources on the threetopics:
- Tutorial – Proactive remediations – Microsoft Endpoint Manager | Microsoft Learn
- PSAppDeployToolkit/PSAppDeployToolkit (github.com)
- Storage account overview – Azure Storage | Microsoft Learn
Proactive remediation uses two scripts: Detection and Remediation. The detection script is used to detect whether remediation is used or not. In this case the detection script will detect Java and the remediation script is used to download and run the uninstallation package. As the detection script will run on a schedule, any new installations will be detected and remediated.
PSAppDeploymentToolkit (PSADT) is used to gather the uninstallation string(s) or productCode(s), should we need to uninstall Java. The MSEndpointMgr team has created a goo vlog on PSADT, go check it out! PowerShell App Deployment Toolkit – [Chapter 1 Fundamentals] – YouTube
As PSADT contains more than just a detection and remediation script, we cannot use it directly with proactive remediation. We will use the remediation script to download and run the uninstallation package (PSADT) from an Azure storage account.
- Proactive Remediation requires Windows Enterprise SKU
- Azure Storage Account requires an Azure subscription, which often times involve a cost
- Your devices must be enrolled and managed by Intune
Let’s rock enroll!
Download and prepare PSADT
- Navigate to: Uninstall Java – Proactive Remediation · NicklasAhlberg/Microsoft-Endpoint-Manager (github.com)
- Download both zip files:
- Optional: Extract “Uninstall-Java-Package.zip” and edit Deploy-Application.ps1 as per your needs. The editable lines are 26-38.
- Optional: If you extracted “Uninstall-Java-Package.zip”, you must compress it again.
❗Make sure you get the same structure as the original zip file.
- If you do not have an Azure Storage account already, follow the steps covered in this post https://www.rockenroll.tech/2021/10/24/create-an-azure-storage-account
- Navigate to: https://portal.azure.com
- Click: All services -> Search: Storage account -> Click: Storage accounts
- Click: the storage account you want to use
- Click: Containers
- Click: the Container you want to use
- Click: Upload
- Select: Uninstall-Java-Package.zip
- Click: Upload
- Now click the three dots to the right and click Generate SAS
- Change the Expiry date as per your need, I usually set it to one or two years in the future
- Make sure that HTTPS only is selected
- Click: Generate SAS Token and URL
- Copy the Blob SAS URL to Notepad for future reference
Edit the remediation script
We will need to edit the remediation script to include our SAS URL (from Step 18)
- Extract: Uninstall-Java-Detection_Remediation.zip
- Open: Java Uninstallation – Remediation.ps1 in your favorite editor, I use VS Code
- Paste the SAS URL at line 37 to declare the $DownloadURL variable
- Save and close: Uninstall-Java-Detection_Remediation.zip
Now it is time to upload the detection and remediation script to Intune and Proactive Remediation
- Navigate to: https://endpoint.microsoft.com
- Click: Reports -> Endpoint analytics -> Proactive remediations
- Click: +Create script package
- Name: I will use Uninstall Java using Proactive Remediation for this demo
- Click: Next
- Detection script file: Java Uninstallation – Detection.ps1
- Remediation script file: Java Uninstallation – Remediation.ps1
- Click: Next twice
- Assign to a group as per your need
- Add a schedule as per your need. You could create a tight schedule initially and change it to run less frequently when most devices have had Java uninstalled
- Optional: If needed, add an exclusion group
- Click: Next
- Click: Create
As soon as the schedule runs and Java is detected this little number will show up to let the user know that Java is being uninstalled.
If no user is currently logged on, it will all happen silently. It is possible to change this behavior by editing the remediation script and change row: 51 to this:
cmd /c start /WAIT "$ExtractedFolder\Uninstall-Java-Package\Deploy-Application.exe" -DeploymentType Uninstall
📄All log files will be found here: C:\Windows\Software
I like your thinking and the way you handle uninstallations with a ProActive Remediation. Since you are using the PSADTK, would it not be easier to use
Remove-MSIApplications -Name “Java*” -Wildcard
to get rid of all the Java installations on the system? Probably need to do some finetuning on the Java* and wildcard part, but Remove-MSIApplications is the function we use for uninstalling MSI applications with the PSADTK
Hi, thanks for reaching out!
Normally I would use Remove-MSIApplications but I have found that the approach that I use in the remediation script works a bit better in this case.