Part 1: Uninstall Java (or any other software) with ConfigMgr Compliance Baselines

Compliance Items and Compliance Baselines in ConfigMgr is so powerful! And with some PowerShell magic you can almost use it to do anything you like on a Windows based computer – Only your imagination that will be the showstopper! Smilefjes

Here I will show how you can uninstall software using WMI and Compliance Items in SCCM. However, it is important that you read the following articles as the uninstallation process uses win32_product WMI class which is known for its evilness. Thanks to Kaido, Jürg and Torsten for pointing this one out. A updated post as been created using a better and more reliable way of doing this with the SMS_InstalledSoftware class. Check out this post for a better way and instructions: http://bit.ly/1N3xwLQ

Win32_Product is evil:

  1. http://gregramsey.net/2012/02/20/win32_product-is-evil
  2. http://blogs.catapultsystems.com/cnackers/archive/2012/02/20/win32_product-is-evil
  3. http://blogs.technet.com/b/askds/archive/2012/04/19/how-to-not-use-win32-product-in-group-policy-filtering.aspx

If you want to play with the Win32_Product class anyway follow these steps however it is not recommended for production:

Well, I had a customer that wanted me to 1. Identify all computers running any Java applications and 2. uninstall it if it existed. I quickly told about Compliance baselines which can

  1. Discover java and report non-compliance
  2. Remediate non-compliance by uninstalling Java
  3. Report back compliance

all in one operation. 30 minutes later we had a working solution which we deployed to the organization.

Let’s start by creating the CI in your ConfigMgr Environment

On The server:

image

image

image

image

Detection Script:

Remediation Script:

image

image

Now that we have a working Compliance Item we can create a Compliance Baseline which is based on the CI we just created.

image

image

Click OK, rigth click the baseline and choose deploy.

image

Choose that you want to Remediate noncompliant rules. Select appropriate collection and a suited schedule.

One the Client:

Next is to go to the client and check if the CI and Baseline is doing what it’s supposed to to. Just so you know I am not cheating – check out the screenshots below which shows Java installed and then uninstalled after running the rules.

Java installed:

image

Compliance baseline is unknown or Non-Compliant

image

Java is uninstalled automatically:

image

Let’s work together for a more secure environement without Java – Cheers! Smilefjes

By | 2015-11-25T14:19:41+00:00 November 25th, 2015|Configuration Manager (SCCM), General info, Powershell|8 Comments

About the Author:

Marius A. Skovli

Microsoft Enterprise Client Management Evangelist with: 10+ years experience within Microsoft System Management Solutions

Extensive experience across Private and Public Sector
Passion for Community Driven work, volunteering within Microsoft technology
Great belief that sharing experience within fellow peers is key to creating a sustainable society
Strong commitment to System Center User Group Norway as co-founder and current leader

I am a technology enthusiast working as a consultant for the consultant company CTGlobal. I have always been passionate about IT and have the last 10 + years worked with Management and Automation within Microsoft technology. Back in 2005/6 I started working with System Management Server (SMS) 2003 and have been working with Enterprise Client Management ever since, where i today focus on helping customers design and implement solutions based on System Center Configuration Manager and/or Enterprise Mobility Suite from Microsoft. Other parts of my work consists of speaking and presenting at different events and seminars, doing research and blog about solutions I find and products I work with. I truly believe in a strong community where knowledge and know-how is essential. Creating creative arenas where it is possible for peers to spread the word about new technologies and solutions is key and as an act on this I co-founded System Center User Group Norway (www.scug.no). SCUG is an initiative where we discuss, preach and present new technologies and solutions in the System Center Space from Microsoft. This is a free arena for everybody to join that is interested in/or enthusiastic about Microsoft Cloud Platform (Enterprise Client Management or Cloud and Datacenter).

Specialties:
System Center Configuration Manager (SCCM2007-SCCM2012), Enterprise Mobility and Intune, Windows and Windows server deployment.

8 Comments

  1. Juerg Koller November 25, 2015 at 14:46 - Reply

    Hi Marius
    Ever watched what happens in your Application Eventlog, if you query the Win32_Product Class? This Class is evil. (take a Web search on “Win32_Product Evil” and you will find a lot of Entries, e.g. this http://blogs.technet.com/b/askds/archive/2012/04/19/how-to-not-use-win32-product-in-group-policy-filtering.aspx
    With the CM Agent installed, activate the Asset Intelligence Classes and take the SMS_InstalledSoftware Class instead
    Kind regards
    Jürg

    • Marius A. Skovli
      Marius A. Skovli November 25, 2015 at 22:11 - Reply

      Yes, but the SMS_InstalledSoftware class does not define any methods. https://msdn.microsoft.com/en-us/library/cc144824.aspx

      So you could query if the software is installed (Like below example), but not uninstall it with a method like .Uninstall. If I am correct.

      #Detect Software
      Get-WmiObject -Query “SELECT * FROM SMS_InstalledSoftware” -Namespace “rootcimv2sms” | Where-Object {
      $_.ProductName -match “Java”}

      However I will moderate/change the post and also see if I can come up with a alternative solution. Thanks for tip! 🙂

  2. Steffen November 25, 2015 at 21:05 - Reply

    This is clever, but wouldn’t it remove all, even the newest java?

    • Marius A. Skovli
      Marius A. Skovli November 25, 2015 at 21:53 - Reply

      Tis is true. It should remove any Applications named anything Java which was the purpose for this customer. If you want to remove a specific version try this instead (Java 7 Update 51 as an example):

      Detection Script:
      #Detect Software
      Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match “Java 7 Update 51”}

      Remediation Script:
      #Uninstall Software
      $app = Get-WmiObject -Class Win32_Product | Where-Object {
      $_.Name -match “Java 7 Update 51”
      }
      foreach ($a in $app) {$a.Uninstall()}

      • Alex October 19, 2016 at 19:49 - Reply

        $app = Get-WmiObject -Class Win32_Product | Where-Object {
        $_.Name -like “Java*Update*”
        }
        foreach ($a in $app) {$a.Uninstall()}

  3. Compliance Software June 28, 2016 at 11:11 - Reply

    Thanks for sharing!

  4. Dan Swanson January 24, 2017 at 17:47 - Reply

    This is great. I’m curious how you would go about removing certain versions of software that do not include the version in the product name of the software. For instance, we want to remove certain versions of a program called Zoom. We have multiple versions in our environment, but they are all named Zoom, not Zoom 3.5.1.2.

    Thanks for posting this!

Leave A Comment