Compliance Items and Compliance Baselines in ConfigMgr is so powerful! And with some PowerShell magic you can almost use it to do anything you like on a Windows based computer – Only your imagination that will be the showstopper! Smilefjes

Here I will show how you can uninstall software using WMI and Compliance Items in SCCM. However, it is important that you read the following articles as the uninstallation process uses win32_product WMI class which is known for its evilness. Thanks to Kaido, Jürg and Torsten for pointing this one out. A updated post as been created using a better and more reliable way of doing this with the SMS_InstalledSoftware class. Check out this post for a better way and instructions: http://bit.ly/1N3xwLQ

Win32_Product is evil:

  1. http://gregramsey.net/2012/02/20/win32_product-is-evil
  2. http://blogs.catapultsystems.com/cnackers/archive/2012/02/20/win32_product-is-evil
  3. http://blogs.technet.com/b/askds/archive/2012/04/19/how-to-not-use-win32-product-in-group-policy-filtering.aspx

If you want to play with the Win32_Product class anyway follow these steps however it is not recommended for production:

Well, I had a customer that wanted me to 1. Identify all computers running any Java applications and 2. uninstall it if it existed. I quickly told about Compliance baselines which can

  1. Discover java and report non-compliance
  2. Remediate non-compliance by uninstalling Java
  3. Report back compliance

all in one operation. 30 minutes later we had a working solution which we deployed to the organization.

Let’s start by creating the CI in your ConfigMgr Environment

On The server:

image

image

image

image

Detection Script:

#Detect Software
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Java"}

Remediation Script:

#Uninstall Software
$app = Get-WmiObject -Class Win32_Product | Where-Object { 
$_.Name -match "Java" 
}
foreach ($a in $app) {$a.Uninstall()}

image

image

Now that we have a working Compliance Item we can create a Compliance Baseline which is based on the CI we just created.

image

image

Click OK, rigth click the baseline and choose deploy.

image

Choose that you want to Remediate noncompliant rules. Select appropriate collection and a suited schedule.

One the Client:

Next is to go to the client and check if the CI and Baseline is doing what it’s supposed to to. Just so you know I am not cheating – check out the screenshots below which shows Java installed and then uninstalled after running the rules.

Java installed:

image

Compliance baseline is unknown or Non-Compliant

image

Java is uninstalled automatically:

image

Let’s work together for a more secure environement without Java – Cheers! Smilefjes