When I first set up my standard desktop image, I struggled with whether or not to include Java by default.  Ultimately, I included Java with my standard image, but with the continual battery of security flaws and mid-week patch deployments I’ve decided to take a more aggressive approach to limiting threats.  With the latest exploit announced a few days ago, I created a security group (DisableJavaPlugIn) which includes all computers except those I knew needed the Java plug-in.  I then created a group policy under Computer Configuration –> Preferences –> Windows Settings –> Registry.  The policy is rather straightforward in that I just create a new Registry Item that deletes HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Plug-in.  If you are working with a 64-bit version of Windows the path is HKEY_LOCAL_MACHINE\Software\Wow6432Node\JavaSoft\Java Plug-in.  I also have a separate entry that disables automatic updates because I push those out via SCCM.

In the Group Policy Management Console (GPMC), I linked this group policy to my various computer OUs **as well as the OU which contains the security group**.  I then specified my security group (DisableJavaPlugIn) under Security Filtering in the GPMC so that this policy does not disable the plug-in for computers that need it.

Now if a user hits a website that tries to fire up Java it will display the following error:

If you later discover someone needs Java, you can easily re-enable the plug-in by going to the Control Panel –> click the Java icon –> Security tab.  It will likely show “Enable Java content in the browser” checked.  If you uncheck it, click Apply, and then re-check the checkbox, Java will restore the appropriate registry keys and the plug-in will work without needing to reinstall Java.  You’ll also need to remove that computer from the security group that determines which computers have the plug-in disabled; otherwise the policy will delete the key again on the next refresh.

Hopefully, this little test will give me further insight into who actually uses Java.  At a later date I can then deploy a batch script to uninstall Java completely for those who truly have no need for it.  You’ll need to double-check the product code in your environment (it changes with each Java version), but for me it will look like this:

@echo off
rem Silently uninstall the Java runtime by its MSI product code.
rem The GUID below is for the version deployed in my environment; look yours up
rem under HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall before using this.
MsiExec.exe /x{26A24AE4-039D-4CA4-87B4-2F83217004FF} /quiet /norestart
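For machines that are not domain-joined, or to confirm that the policy above actually took effect, the following added PowerShell script (not part of the original post) audits the two plug-in registry keys named above, optionally removes them the way the GPO does, and lists installed Java runtimes with their product codes so the uninstall GUID can be verified rather than hard-coded. It assumes an elevated session; the `-Disable` switch is my own name, not a Java or Windows setting.

```powershell
# Added example: audit (and optionally disable) the Java browser plug-in locally.
# Assumes an elevated PowerShell session. -Disable is a hypothetical switch name.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable   # delete the plug-in key(s) instead of only reporting
)

# Same keys the GPO Registry Item deletes (32-bit and 64-bit/WOW6432Node paths).
$pluginKeys = @(
    'HKLM:\Software\JavaSoft\Java Plug-in',
    'HKLM:\Software\Wow6432Node\JavaSoft\Java Plug-in'
)

foreach ($key in $pluginKeys) {
    if (Test-Path -Path $key) {
        if ($Disable -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -Path $key -Recurse -Force
            Write-Output "Disabled: removed $key"
        } else {
            Write-Output "Plug-in ENABLED: $key exists"
        }
    } else {
        Write-Output "Plug-in disabled or not installed: $key not found"
    }
}

# List installed Java products from the Uninstall hives. PSChildName is the MSI
# product code, which is what the MsiExec /x uninstall line expects.
$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    Select-Object DisplayName, DisplayVersion, PSChildName |
    Format-Table -AutoSize
```

Run it without `-Disable` first to see the current state; with `-Disable -WhatIf` it reports what it would remove without touching the registry.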