Uninstall Java using Proactive Remediation

“As of January 23, 2023 Oracle have changed the licensing model for Java. Formerly based on “Named User Plus (NUP)” for client devices and “Processors” for servers, Oracle Java is now licensed based on the “employee” count of an organisation. Depending on how many employees you have, this switch to Oracle Java licensing based on employee count could get expensive quickly.”
Ouch! Oracle Java licensing switches to employee count metric – The ITAM Review (itassetmanagement.net)

More info on licensing: Oracle Java SE Universal Subscription Global Price List

🍀Luckily there are lots of good, free alternatives to Oracle Java out there!

So, if you, like many others, are looking at uninstalling Java due to the new licensing model, continue reading this post, as we will look at how to accomplish exactly that by using Intune and proactive remediation.

About the solution

This solution is based upon proactive remediation, PS App Deployment Toolkit (PSADT) and an Azure storage account.
Here are some resources on the three topics:

  1. Tutorial – Proactive remediations – Microsoft Endpoint Manager | Microsoft Learn
  2. PSAppDeployToolkit/PSAppDeployToolkit (github.com)
  3. Storage account overview – Azure Storage | Microsoft Learn

Proactive remediation uses two scripts: Detection and Remediation. The detection script determines whether remediation is needed. In this case, the detection script detects Java, and the remediation script downloads and runs the uninstallation package. As the detection script runs on a schedule, any new installations will be detected and remediated.
PSAppDeploymentToolkit (PSADT) is used to gather the uninstallation string(s) or productCode(s), should we need to uninstall Java. The MSEndpointMgr team has created a good vlog on PSADT, go check it out! PowerShell App Deployment Toolkit – [Chapter 1 Fundamentals] – YouTube
As PSADT contains more than just a detection and remediation script, we cannot use it directly with proactive remediation. We will use the remediation script to download and run the uninstallation package (PSADT) from an Azure storage account.
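
A sketch of what the detection side can look like, as an added example (it is not the detection script from the author's zip). It assumes Oracle's installers register under the Uninstall registry key with a Publisher starting with "Oracle" and a DisplayName starting with "Java", and it relies on the proactive remediation convention that exit code 1 triggers the remediation script while exit code 0 reports the device as compliant.

```powershell
# Added example: detection logic for a proactive remediation package.
# Not the script from the author's zip. Exit 1 = remediate, exit 0 = compliant.

# Assumption: Oracle's installers register under the Uninstall key with a
# Publisher starting with "Oracle" and a DisplayName starting with "Java".
$uninstallPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Read both registry views explicitly, so the result does not depend on
# whether Intune starts the script in 32-bit or 64-bit PowerShell.
$hits = foreach ($view in 'Registry64', 'Registry32') {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
    $root = $base.OpenSubKey($uninstallPath)
    if (-not $root) { continue }

    foreach ($name in $root.GetSubKeyNames()) {
        $key = $root.OpenSubKey($name)
        if (-not $key) { continue }

        $display   = [string]$key.GetValue('DisplayName')
        $publisher = [string]$key.GetValue('Publisher')
        if ($publisher -like 'Oracle*' -and $display -like 'Java*') {
            [pscustomobject]@{
                Name    = $display
                Version = [string]$key.GetValue('DisplayVersion')
                View    = $view
            }
        }
    }
}

if ($hits) {
    # Keep the output to one short line so it stays readable in reporting.
    $list = ($hits | ForEach-Object { "$($_.Name) [$($_.View)]" }) -join '; '
    Write-Output "Oracle Java detected: $list"
    exit 1
}

Write-Output 'No Oracle Java installation detected'
exit 0
```

Filtering on the publisher keeps free Java distributions from other vendors out of scope, so only Oracle installations trigger the uninstall.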

Prerequisites

  • Proactive Remediation requires Windows Enterprise SKU
  • Azure Storage Account requires an Azure subscription, which often involves a cost
  • Your devices must be enrolled and managed by Intune

Let’s rock enroll!

Download and prepare PSADT

  1. Navigate to: Uninstall Java – Proactive Remediation · NicklasAhlberg/Microsoft-Endpoint-Manager (github.com)
  2. Download both zip files:
  3. Optional: Extract “Uninstall-Java-Package.zip” and edit Deploy-Application.ps1 as per your needs. The editable lines are 26-38.
  4. Optional: If you extracted “Uninstall-Java-Package.zip”, you must compress it again.
    ❗Make sure you get the same structure as the original zip file.
  5. If you do not have an Azure Storage account already, follow the steps covered in this post https://www.rockenroll.tech/2021/10/24/create-an-azure-storage-account
  6. Navigate to: https://portal.azure.com
  7. Click: All services -> Search: Storage account -> Click: Storage accounts
  8. Click: the storage account you want to use
  9. Click: Containers
  10. Click: the Container you want to use
  11. Click: Upload
  12. Select: Uninstall-Java-Package.zip
  13. Click: Upload
  14. Now click the three dots to the right and click Generate SAS
  15. Change the Expiry date as per your need, I usually set it to one or two years in the future
  16. Make sure that HTTPS only is selected
  17. Click: Generate SAS Token and URL
  18. Copy the Blob SAS URL to Notepad for future reference

Edit the remediation script

We will need to edit the remediation script to include our SAS URL (from Step 18)

  1. Extract: Uninstall-Java-Detection_Remediation.zip
  2. Open: Java Uninstallation – Remediation.ps1 in your favorite editor, I use VS Code
  3. Paste the SAS URL at line 37 to declare the $DownloadURL variable
  4. Save and close: Uninstall-Java-Detection_Remediation.zip
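
Proactive remediation scripts run as SYSTEM by default, and the SAS URL pasted into the script stays valid until its expiry date, so whatever sits behind that URL gets executed with full privileges. The following added example (not the author's remediation script) pins the SHA-256 of the zip you uploaded and refuses to extract or run anything else. The placeholders, the staging folder name and the use of Start-Process for a fully silent run are assumptions of this example; `$DownloadURL`, `$ExtractedFolder` and the package layout follow the names used in the post.

```powershell
# Added example, not the author's remediation script.
$ErrorActionPreference = 'Stop'

$DownloadURL    = '<BLOB-SAS-URL>'            # placeholder: the Blob SAS URL from step 18
$ExpectedSha256 = '<SHA256-OF-UPLOADED-ZIP>'  # placeholder: Get-FileHash of the zip you uploaded
# Hypothetical staging folder. Program Files is not writable by standard
# users, so the verified files cannot be swapped before they run.
$ExtractedFolder = Join-Path $env:ProgramFiles 'JavaUninstallStaging'
$ZipPath         = Join-Path $ExtractedFolder 'Uninstall-Java-Package.zip'

try {
    if ($DownloadURL -notlike 'https://*') { throw 'Download URL must use HTTPS.' }

    if (Test-Path $ExtractedFolder) { Remove-Item $ExtractedFolder -Recurse -Force }
    New-Item -ItemType Directory -Path $ExtractedFolder | Out-Null
    Invoke-WebRequest -Uri $DownloadURL -OutFile $ZipPath -UseBasicParsing

    # Refuse to extract or run anything that is not the exact file you uploaded.
    $actual = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item $ZipPath -Force
        throw "SHA-256 mismatch (got $actual)."
    }

    Expand-Archive -Path $ZipPath -DestinationPath $ExtractedFolder -Force
    $exe = Join-Path $ExtractedFolder 'Uninstall-Java-Package\Deploy-Application.exe'
    $p = Start-Process -FilePath $exe -ArgumentList '-DeploymentType Uninstall' -Wait -PassThru
    exit $p.ExitCode
}
catch {
    # The SAS URL is a credential: report the error, never the URL itself.
    Write-Output "Remediation aborted: $($_.Exception.Message)"
    exit 1
}
```

Compute the expected value once with `Get-FileHash -Algorithm SHA256` on the zip before uploading it, and update the pinned hash whenever you re-package.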

Proactive Remediation

Now it is time to upload the detection and remediation script to Intune and Proactive Remediation

  1. Navigate to: https://intune.microsoft.com
  2. Click: Reports -> Endpoint analytics -> Proactive remediations
  3. Click: +Create script package
  4. Name: I will use Uninstall Java using Proactive Remediation for this demo
  5. Click: Next
  6. Detection script file: Java Uninstallation – Detection.ps1
  7. Remediation script file: Java Uninstallation – Remediation.ps1
  8. Click: Next twice
  9. Assign to a group as per your need
  10. Add a schedule as per your need. You could create a tight schedule initially and change it to run less frequently when most devices have had Java uninstalled
  11. Optional: If needed, add an exclusion group
  12. Click: Next
  13. Click: Create

User experience

As soon as the schedule runs and Java is detected, this little number will show up to let the user know that Java is being uninstalled.

If no user is currently logged on, it will all happen silently. It is possible to change this behavior by editing the remediation script and changing row 50 to this:
cmd /c start /WAIT "$ExtractedFolder\Uninstall-Java-Package\Deploy-Application.exe" -DeploymentType Uninstall

📄All log files will be found here: C:\Windows\Software

✅That’s it!

6 thoughts on “Uninstall Java using Proactive Remediation”

  1. I like your thinking and the way you handle uninstallations with a ProActive Remediation. Since you are using the PSADTK, would it not be easier to use

    Remove-MSIApplications -Name "Java*" -Wildcard

    to get rid of all the Java installations on the system? Probably need to do some fine-tuning on the Java* and wildcard part, but Remove-MSIApplications is the function we use for uninstalling MSI applications with the PSADTK

    1. Hi, thanks for reaching out!

      Normally I would use Remove-MSIApplications but I have found that the approach that I use in the remediation script works a bit better in this case.

      //Nicklas

  2. Thanks so much for this, will try this soon in our environment.

    What do you mean by
    “If no user is currently logged on, it will all happen silently. It is possible to change this behavior by editing the remediation script and change row: 51 to this:
    cmd /c start /WAIT “$ExtractedFolder\Uninstall-Java-Package\Deploy-Application.exe” -DeploymentType Uninstall”

    Does this mean the default settings to use cmd /c will only work if a user is logged on, and that to uninstall silently the powershell start-process needs to be used?

    1. Hi, the script will use serviceUI.exe to show the “uninstalling prompt” to the end user. You can make it completely silent regardless if the user is logged on or not, by changing row 50 (not 51, I have updated the post) to:
      cmd /c start /WAIT "$ExtractedFolder\Uninstall-Java-Package\Deploy-Application.exe" -DeploymentType Uninstall

      Here is the default row 50 as reference:
      cmd /c start /WAIT "$ExtractedFolder\Uninstall-Java-Package\ServiceUI.exe" -Process:explorer.exe "$ExtractedFolder\Uninstall-Java-Package\Deploy-Application.exe" -DeploymentType Uninstall

      //Nicklas

  3. Ok, I found the error log. It says:
    [Uninstallation] :: Execution failed with exit code [1605] because the product is not currently installed.

    Thing is though, it is on the computer. I just installed it yesterday for testing.

    1. Hi Jay,

      Check the log file to see if the Oracle Java installation is detected.
      The log files are located here: C:\Windows\Logs\Software

      //Nicklas
