Disabling Java Content in all Browsers with ConfigMgr Compliance Settings

Some organisations like to disable Java applets from running in a web browser for tighter security. This can be done with Group Policy, but in our organisation I already manage Java settings across the enterprise with Configuration Manager's Compliance Settings (as documented in my solution guide for Java), so I decided to use a Compliance Setting for this as well.

The best way to disable Java in the browser is simply to deselect the "Enable Java content in the browser" setting in the Java Control Panel:

[Screenshot]

Doing that changes a fair number of registry keys, too many to manage or set individually. Thankfully, you can achieve the same result by running the following command from your Java installation folder:

"C:\Program Files\Java\<java version>\bin\ssvagent.exe" -disablewebjava

When Java in the browser is disabled, the following value is set in the registry, which we can use to detect programmatically whether Java in the browser has been disabled or not:

Key: HKLM:\SOFTWARE\Oracle\JavaDeploy
Name: WebDeployJava
Value: disabled

Now I create a new setting in my "Java Settings" configuration item, which I'll call "Java WebDeploy":

[Screenshot]

In this setting I use two PowerShell scripts, one for discovery and one for remediation, which you can find below. The discovery script uses the registry value above to determine whether Java has been disabled in the browser, and the remediation script runs the ssvagent.exe command that disables web Java for every installed Java version.

[Screenshot]

For my compliance rule, I simply check for the value "Compliant", which is what the discovery script outputs:

[Screenshot]

Once this setting has been deployed in a baseline to your computers, Java will be disabled in web browsers on every machine that has Java installed in the default locations. Should a user manually re-enable it from the Java Control Panel, the ConfigMgr client will disable it again on the compliance evaluation schedule you have defined.

Discovery Script

# Discovery: the compliance rule looks for the string "Compliant" in the script's host output.
$key = "HKLM:\SOFTWARE\Oracle\JavaDeploy"
if (Test-Path $key)
    {
        # The key exists, so Java is (or was) installed: read the WebDeployJava value.
        # With -ErrorAction SilentlyContinue a missing value yields $null, which is
        # not equal to "disabled" and is therefore reported as Not Compliant.
        if ((Get-ItemProperty -Path $key -Name WebDeployJava -ErrorAction SilentlyContinue | Select -ExpandProperty WebDeployJava) -ne "disabled")
            {
                Write-Host "Not Compliant"
            }
        Else {Write-Host "Compliant"}
    }
# No JavaDeploy key means Java is not installed, so there is nothing to disable.
else {Write-Host "Compliant"}

Remediation Script

# Remediation: run "ssvagent.exe -disablewebjava" for every Java version found
# under the default 32-bit and 64-bit Program Files locations.
$JavaInstallPaths = @()

# 32-bit Java on 64-bit Windows (the variable does not exist on 32-bit Windows)
if (${env:ProgramFiles(x86)})
    {
        $path = "${env:ProgramFiles(x86)}\Java"
        if (Test-Path $path)
            {
                # Only sub-folders (one per installed Java version), not loose files
                $JavaInstall = Get-ChildItem -Path $path | Where-Object { $_.PSIsContainer } | Select -ExpandProperty FullName
                $JavaInstallPaths += $JavaInstall
            }
    }

# Native Java (64-bit on x64 Windows, 32-bit on x86 Windows)
if ($env:ProgramFiles)
    {
        $path = "$env:ProgramFiles\Java"
        if (Test-Path $path)
            {
                $JavaInstall = Get-ChildItem -Path $path | Where-Object { $_.PSIsContainer } | Select -ExpandProperty FullName
                $JavaInstallPaths += $JavaInstall
            }
    }

# Echo the paths found so they appear in the compliance evaluation output
$JavaInstallPaths

foreach ($JavaInstallPath in $JavaInstallPaths)
    {
        $ssvagent = "$JavaInstallPath\bin\ssvagent.exe"
        # Skip folders that are not a complete JRE/JDK (no ssvagent.exe present)
        if (Test-Path $ssvagent)
            {
                Start-Process -FilePath $ssvagent -ArgumentList "-disablewebjava" -Wait -Verb Runas
            }
    }
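Before deploying the baseline it is worth running one evaluation cycle by hand on a test machine, so you can see which Java folders the remediation will touch and confirm that the JavaDeploy value flips to "disabled" afterwards. The script below is an added example, not part of the original post or of ConfigMgr: it wraps the same discovery and remediation logic as functions, checks that ssvagent.exe actually exists in each Java folder, records the exit code of each run, and re-runs discovery after remediation, mimicking what the ConfigMgr client does on its schedule. It assumes the same registry value (HKLM:\SOFTWARE\Oracle\JavaDeploy\WebDeployJava) and the same -disablewebjava switch that the post relies on, and needs Windows PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example (not from the original post): one local, hand-run compliance cycle
# for the "Java WebDeploy" setting: discovery -> remediation (if needed) -> re-check.
# Assumes the registry value and ssvagent.exe switch described in the post.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$RegKey   = 'HKLM:\SOFTWARE\Oracle\JavaDeploy'
$RegValue = 'WebDeployJava'

# ssvagent.exe writes under HKLM, so the test itself must run elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

function Get-JavaInstallPath {
    # Every version folder under both Program Files\Java locations that actually
    # contains bin\ssvagent.exe; incomplete or stray folders are skipped.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Java' } |
        Where-Object { Test-Path $_ }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory |
            Where-Object { Test-Path (Join-Path $_.FullName 'bin\ssvagent.exe') } |
            Select-Object -ExpandProperty FullName
    }
}

function Test-JavaWebDeployDisabled {
    # Same rule as the discovery script, returned as a boolean instead of text.
    # No JavaDeploy key at all means no Java, which counts as compliant.
    if (-not (Test-Path $RegKey)) { return $true }
    $value = (Get-ItemProperty -Path $RegKey -Name $RegValue -ErrorAction SilentlyContinue).$RegValue
    return ($value -eq 'disabled')
}

function Disable-JavaWebDeploy {
    # Same action as the remediation script, but reports the exit code per install
    # and honours -WhatIf so you can preview which folders would be touched.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($install in Get-JavaInstallPath) {
        $agent = Join-Path $install 'bin\ssvagent.exe'
        if ($PSCmdlet.ShouldProcess($agent, 'ssvagent.exe -disablewebjava')) {
            $proc = Start-Process -FilePath $agent -ArgumentList '-disablewebjava' -Wait -PassThru
            [pscustomobject]@{ Install = $install; ExitCode = $proc.ExitCode }
        }
    }
}

# One simulated evaluation cycle
$installs = @(Get-JavaInstallPath)
Write-Host ("Java installs with ssvagent.exe: {0}" -f $installs.Count)
$installs | ForEach-Object { Write-Host "  $_" }

if (Test-JavaWebDeployDisabled) {
    Write-Host 'Discovery: Compliant (web Java already disabled, or Java not installed)'
} else {
    Write-Host 'Discovery: Not Compliant - running remediation'
    Disable-JavaWebDeploy -WhatIf:$WhatIfPreference | Format-Table -AutoSize
    if (Test-JavaWebDeployDisabled) {
        Write-Host 'Re-check: Compliant'
    } else {
        Write-Host 'Re-check: still Not Compliant - check the exit codes above and that the JavaDeploy value was written'
    }
}
```

Run it once with -WhatIf to list the folders that would be processed without changing anything, then without -WhatIf to perform the real cycle; the second discovery should report Compliant. A non-zero exit code from ssvagent.exe on a particular folder points at the install that needs attention before you roll the baseline out.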
