Oracle Java Part 3: Removing with Intune
Oracle’s Java is one of the most widely used pieces of software in the world. Oracle makes it really easy for users to download it, no doubt helping to maintain its proliferation in the marketplace. And it’s free!
Unfortunately, modern distributions are no longer free for commercial users, and it seems as if Oracle has gone out of its way to make it as difficult as possible to understand a company’s obligations for licensing costs that many are left unaware when Oracle comes knocking for payment. It’s a matter of when, not if.
Fortunately, this multi-part series is here to help IT professionals navigate Oracle’s licensing scheme and avoid a potential audit.
Part 1: Understanding the licensing.
Part 2: Detecting with Intune.
Get outta here!
So now that we understand the licensing and we have spent some time understanding the presence of Oracle’s Java on infrastructure, now it is time to get rid of it all! I have provided a script below to assist with that.
VERY FIRST THING TO KEEP IN MIND: This script will only remove licensed versions of Oracle Java and keep all free-to-use versions on the device. Remove mentions of the IsVersionInRange function if you wish to have it remote all versions regardless.
As an app
NEXT THING TO KEEP IN MIND:This script, as provided below, is designed to be packaged as an Intunewin application with the purpose of allowing users to uninstall licensed versions at will from the Company Portal. Since uninstalling requires a UAC elevation, we wanted users a way to remove the Oracle Java as part of testing an approved alternative. If you want to do this, do the following.
- Package the app as an Intunewin file
- For the detection, this script will create a transcript file at C:\TEMP\java_uninstall.log. Have the Intune app detection rule look for this log.
- This script accesses the registry and thus needs 64-bit Powershell. Call the sysnative version with this install command:
- %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\<SCRIPTNAME>.ps1
- Use the same for uninstall command but with the name of the uninstall script. The app allows users to “uninstall.” Doing so with the script will basically delete the detection file. The user can then “install” in the uninstaller again.
As a remediation
Combined with the detection script provided in Part 2, you can use this script as the remediation part of the proactive remediation (refer to part 2). Just make sure this runs in the system context as well!
As mentioned in the “as an app” section, the script has transcription for the purpose of detecting as an app. If you wish to remove that for a remediation, feel free to do so. However, there is no harm in leaving it as-is. Alternatively, you can have the logs go right to the IME diagnostic folder for uploading to Intune.
There you have it! You should be well on your way to keeping Oracle from knocking on your door. If you have any questions, please leave them in the comments! You can also find the scripts on my Github!
Uninstall “app” script below.
######## ## ## Script to detect instances of Oracle Java and then remove them. ## ## Script has transcription as detection method for the "installation" of this script ## as an app in Company Portal. This is intended to use as a way for users to delete ## the apps themselves. Transcribe file will need to be removed for the app to be "uninstalled" ## and the user be able to run it again. ## ## You can remove the transcription if desired for a remediation. ## ######### # Transcript path set to allow for collecting diagnostics from Intune device page $TranscriptPath = "C:\TEMP" # Make sure to update the log name! $TranscriptName = "java_uninstall.log" new-item $TranscriptPath -ItemType Directory -Force # stopping orphaned transcripts try { stop-transcript|out-null } catch [System.InvalidOperationException] {} Start-Transcript -Path $TranscriptPath\$TranscriptName -Append # Defined versions of Oracle Java to target for uninstallation. NOTE: This is a greater than/less than # lookup, meaning the min need to be the last free OLC or NFTC version $versionRanges = @( @{ Min = [version]"1.5.0.220"; Max = [version]"2.0.0" }, @{ Min = [version]"6.0.450"; Max = [version]"7.0.0" }, @{ Min = [version]"7.0.800"; Max = [version]"8.0.0" }, @{ Min = [version]"8.0.2020.8"; Max = [version]"9.0.0" }, @{ Min = [version]"11.0.0"; Max = [version]"17.0.0.0" }, @{ Min = [version]"17.0.12.0"; Max = [version]"18.0.0" } ) # Function to determine if the software is in the range of licensed # versions to be uninstalled. function IsVersionInRange($version) { foreach ($range in $versionRanges) { if ($version -gt $range.Min -and $version -lt $range.Max) { return $true } } return $false } # Get the list of installed applications from the registry $installedApps = Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue $installedApps += Get-ItemProperty -Path "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue # Filter the applications to find those with "Java" or "Oracle" in their display name or "Oracle" as their publisher $appsToUninstall = $installedApps | Where-Object { $_.DisplayName -match "Java|Oracle" -or $_.Publisher -match "Oracle" } # Check if there are any applications to uninstall if ($appsToUninstall.Count -eq 0) { Write-Host "No applications to uninstall." } else { # Uninstall each application found using the MSI product code foreach ($app in $appsToUninstall) { # display the versions found $version = [version]$app.DisplayVersion $name = $app.DisplayName Write-Host "`nFound! Name: $name Version: $version`n" # This next section will uninstall application if version is found in range. Will also uninstall Java Auto Updater # If you wish for it to remove all Oracle java versions, replace the "if" statement with the below. # # if ($app.PSChildName -match "^\{.*\}$" -or $name -match "Java Auto Updater") { # if ($app.PSChildName -match "^\{.*\}$" -and ((IsVersionInRange $version) -or ($name -match "Java Auto Updater"))) { $productCode = $app.PSChildName Write-Host "Uninstalling $($app.DisplayName) with product code $productCode" Start-Process -FilePath "msiexec.exe" -ArgumentList "/x $productCode /quiet /norestart" -NoNewWindow -Wait # Verify uninstallation $uninstalledApp = Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$productCode" -ErrorAction SilentlyContinue $uninstalledApp += Get-ItemProperty -Path "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$productCode" -ErrorAction SilentlyContinue if (-not $uninstalledApp) { Write-Host "$($app.DisplayName) has been successfully uninstalled.`n" } else { Write-Host "Failed to uninstall $($app.DisplayName)." } } else { Write-Host "Instance `"$name`" does not need to be removed.`n" } } } Stop-TranscriptUninstaller for the uninstaller
# Define the path to the file $filePath = "C:\TEMP\java_uninstall.log" # Check if the file exists if (Test-Path $filePath) { # Remove the file Remove-Item $filePath -Force Write-Output "File removed successfully." } else { Write-Output "File not found." }
