Java

F*** Java JRE: Deploying Exceptions & Configs via PowerShell and Intune

JB

05 Jan 2025 — 2 min read

Java. The gift that keeps on giving… headaches. Whether it’s security prompts, missing exceptions, or users swearing their apps worked yesterday, we’ve all been there. This week at 3AMDeploy, I decided to wrangle Java into submission by standardizing its exceptions and configurations across all computers, regardless of who’s logged in. Spoiler: It involved PowerShell, Intune, and a lot of caffeine.

The Problem

Java loves its user-specific settings. By default, exceptions and configuration files live in %APPDATA%, meaning every user on a system can have their own special version of chaos. What if you want all users to play nice with the same trusted sites and settings? Time to override.

The Plan

We’ll:

Create system-wide Java settings using deployment.properties and exception.sites. (just create on your computer or test VM, and copy over - as easy as making babies)
Deploy them to C:\Windows\Sun\Java\Deployment so they apply universally.
Push the whole setup to all devices using Intune and PowerShell.

The Tools

PowerShell: To script the deployment process.
Intune: To deliver the script to endpoints.
Coffee: Because scripting is never complete without it.

The Script

Here’s the PowerShell script I cooked up. It creates the necessary directories, copies the config files, and ensures proper permissions. No fuss, no muss.

# Define paths
$javaDeployPath = "C:\Windows\Sun\Java\Deployment"
$securityPath = "$javaDeployPath\security"
$deploymentFile = "$javaDeployPath\deployment.properties"
$exceptionFile = "$securityPath\exception.sites"

# Create directories if they don't exist
if (!(Test-Path -Path $javaDeployPath)) {
    Write-Host "Creating Java Deployment directory..."
    New-Item -ItemType Directory -Force -Path $javaDeployPath
}

if (!(Test-Path -Path $securityPath)) {
    Write-Host "Creating Security directory..."
    New-Item -ItemType Directory -Force -Path $securityPath
}

# Add the deployment.properties content
$deploymentContent = @"
deployment.security.level=MEDIUM
deployment.security.askgrantdialog.notinca=false
deployment.expiration.check.enabled=false
"@

Set-Content -Path $deploymentFile -Value $deploymentContent
Write-Host "Created deployment.properties file."

# Add the exception.sites content
$exceptionContent = @"
https://example.com
https://anotherexample.com
"@

Set-Content -Path $exceptionFile -Value $exceptionContent
Write-Host "Created exception.sites file."

# Set permissions for all users
Write-Host "Setting permissions..."
icacls $javaDeployPath /grant "Everyone:F" /T

Write-Host "Java configuration successfully deployed."

Deploying with Intune

Upload the PowerShell script to Intune as a Device Configuration Script.
Assign it to the target device group.
Sit back and relax while Intune pushes the script to all endpoints.

Lessons Learned

Test first: Always run the script on a test device before deploying to production. Trust me on this one.
Permissions matter: Java will ignore your config files without the correct access rights.
Naming consistency: Stick with predictable paths like C:\Windows\Sun\Java\Deployment to save yourself future grief.

The Outcome

All users now have the same Java settings and trusted sites, regardless of who logs in. No more frantic calls about “blocked applications” or missing exceptions. It’s the kind of victory that makes a sysadmin’s coffee taste just a little sweeter.

Have a better way to handle Java chaos? Drop your thoughts below—let’s commiserate or celebrate together.

Until the next 3 AM fix, keep those deployments smooth.