As patching technology like Shavlik or Secunia is quite expensive and as we are hitting budget constraints, a responsible sysadmin has to go "the extra mile" to keep his network safe.
Although we have a tool that detects vulnerable applications on the clients and has a reliable way to install updates, we don't have the actual patches.
This means we have to "roll our own patches". This turns out to be not that difficult except for the usual crap like Adobe software (Flash, Acrobat Reader) where you have to apply for a distribution license and of course Java.
Not only does Java keep nagging users about updates when they don't have the necessary privileges to install them (why don't they just use Windows Update...), but when you do install an update it keeps the previous version around. Oracle woke up to this stupidity, and from 8u20 on the installer leaves you (the PRIVILEGED user, of course...) with some kind of option to delete older versions, but as we use unattended installations to update Java this doesn't work either.
Now I found a neat trick with WMI to do this uninstalling.
In a batch script you can query WMI for installed applications (well, not all of them, as it turns out...) and carry out operations on the results by using call...
Just open a command prompt and type wmic product to see the list of installed software (this can take a while: enumerating the Win32_Product class makes Windows Installer verify every package it finds).
To see all Java installations on your machine, type wmic product where "name like '%%Java%%'" (the doubled %% is the batch-file escape for a literal %, which is the WQL wildcard; typed interactively, a single % also works).
OK, you also might want to search on %%J2SE%% for the older naming.
Uninstall all those insecure versions of Java 7 with
wmic product where "name like '%%Java 7%%'" call uninstall /nointeractive
(run the query first without the call part to be sure the pattern matches only what you intend; each uninstall reports ReturnValue = 0 on success). OK, my script is a bit more complex, but with a little bit of googling you can find some examples :-)
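Putting the steps above into a script, as an added example and not the author's own .cmd file: it runs the query as a dry run first and only calls uninstall when told to. The script name java-cleanup.cmd, the /uninstall switch and the PATTERN variable are my choices, not anything from the post.

```batch
@echo off
setlocal
REM Added example, not the author's own .cmd file. Lists the MSI-installed
REM products whose name matches a pattern and, only when run with /uninstall,
REM removes them through the same WMI call the post describes.
REM Usage:  java-cleanup.cmd            (dry run: list only)
REM         java-cleanup.cmd /uninstall (actually remove the matches)
REM The doubled %% is batch escaping for a literal %, the WQL LIKE wildcard.
set "PATTERN=%%Java 7%%"

echo Installed MSI products matching "%PATTERN%" (non-MSI installs are not listed):
wmic product where "name like '%PATTERN%'" get Name,Version,IdentifyingNumber

if /i not "%~1"=="/uninstall" (
    echo.
    echo Dry run only. Check the list above, then re-run with /uninstall.
    exit /b 0
)

echo.
echo Uninstalling the products listed above...
REM Each uninstall prints "ReturnValue = 0" on success; anything else needs a look.
wmic product where "name like '%PATTERN%'" call uninstall /nointeractive

echo.
echo Remaining matches after uninstall (should be none):
wmic product where "name like '%PATTERN%'" get Name,Version
endlocal
```

Run it once without arguments and read the list before running it with /uninstall; changing PATTERN to %%J2SE%% covers the older product naming mentioned above. Because it goes through wmic product, it only ever sees packages that were installed with MSI.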
I distribute the .cmd file with the tool and gone are those pesky Java installations.
Such a very useful command, how un-Microsoft like, I thought... Turns out it only lists programs installed with MSI packages (it is backed by the Win32_Product class), so anything installed by a plain setup.exe is invisible to it. Oh well... my bad.