🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Web browsers do not process Java from the internet.

| Property | Value |
|---|---|
| ISM Control | ISM-1486 |
| Revision | 1 |
| Updated | Sep-21 |
| Guideline | Not provided |
| Section | User application hardening |
| Topic | Hardening user application configurations |
| Essential Eight | ML1, ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

ISM-1486 hardens user applications by preventing Java applets from executing in browsers, reducing exposure to Java-based exploits. By ensuring Java is not installed and by using a browser such as Edge that does not support Java applets, this control blocks common web-based vectors for Java-driven attacks.[1][2]

Current state (2024–2025): all major modern browsers, namely Microsoft Edge (Chromium), Google Chrome, Mozilla Firefox and Apple Safari, removed NPAPI plugin support between 2015 and 2020. Java applets therefore cannot execute in any supported modern browser by default. The primary residual risks are: (1) Internet Explorer 11 remains present on Windows devices and still loads the Java Runtime Environment (JRE) as a legacy NPAPI plugin; (2) the JRE is installed on a device and a niche browser with NPAPI support is present.[2]

The key actions for this control are therefore: ensure Internet Explorer 11 is disabled (not just unused), ensure the JRE is not installed on managed workstations, and confirm the Windows MDM security baseline disables Java permissions for any remaining IE-mode usage.

Justification

Not provided in source documentation.

Design Decision

[!NOTE] The "Scripting of Java applets" baseline setting will be applied via Intune configuration profiles to disable Java applets, ensuring Java is not available on endpoints. The Edge browser will be used because it does not support Java applets.

Prerequisites

Implementation Steps

Verify Java is not installed and modern browser is standard

  1. Confirm Java is not installed by default on Windows 10 and Windows 11.[1] On managed endpoints, verify via the Intune Discovered apps report that no Java Runtime Environment (JRE) package is present.
  2. Confirm that Microsoft Edge (Chromium) is the standard browser in the environment. Edge does not support NPAPI and cannot load Java applets.[1]
  3. If any legacy application requires Java in the browser, isolate it to a dedicated virtual machine or Remote Desktop session with no internet access, and block all other workstations from running java.exe via WDAC/AppLocker.

Disable Internet Explorer 11 via Intune

  1. Internet Explorer 11 is the only Windows-included browser that can load the JRE plugin. Disable it to eliminate the NPAPI path entirely.
    • In Intune → Devices → Configuration profiles → Create, select Settings catalog.
    • Search for Internet Explorer and set Disable Internet Explorer 11 as a standalone browser = Enabled.
    • Assign to all Windows 10/11 device groups.

[!NOTE] Internet Explorer 11 reached end-of-support on 15 June 2022. Microsoft recommends disabling it as a standalone browser via Group Policy or Intune. If IE compatibility is required for legacy internal sites, use Edge IE mode, which does not support legacy NPAPI plugins (including Java).

Configure the Windows MDM security baseline (Java permissions)

  1. The Windows MDM security baseline includes a Java permissions setting for Internet Explorer security zones. Ensure this is set to Disable Java for all zones:
    • In Intune → Endpoint Security → Security Baselines → Windows Security Baseline, confirm the profile is assigned and the Java permissions (Internet Zone) setting is configured to Disable Java.[3]

(Optional) Block JRE installation via WDAC/AppLocker

  1. Create a WDAC deny rule (or AppLocker executable deny rule) for java.exe and javaw.exe targeting all standard users. This ensures that even if the JRE is inadvertently installed, browsers and other applications cannot launch it.
    • Deploy the rule via Intune using the ApplicationControl CSP OMA-URI (see ISM-0843 for WDAC deployment guidance).
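The following PowerShell check is an added example, not part of this guide or of any Microsoft tooling, that verifies the end state the steps above aim for on a single Windows 10/11 endpoint: no registered JRE, no java.exe on the PATH, the IE11 standalone-browser policy applied, and Java permissions set to Disable Java in every IE security zone. The registry value names it reads (NotifyDisableIEOptions for the IE11 policy, and 1C00 for zone Java permissions) are assumptions drawn from the corresponding Group Policy and zone settings rather than from this page; run it elevated so the machine policy hive is readable.

```powershell
# Added compliance check for ISM-1486 (example code, not from the guide).
# Registry locations below are assumptions based on the matching GPO/zone settings.
function Test-Ism1486 {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Registered JRE? Enumerate installed-program uninstall keys (64-bit and 32-bit views).
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $java = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java(\s|\d)' }   # e.g. "Java 8 Update 391"
    foreach ($j in $java) { $findings.Add("JRE installed: $($j.DisplayName)") }

    # 2. Portable or unregistered JRE reachable on the PATH?
    if (Get-Command java.exe -ErrorAction SilentlyContinue) { $findings.Add('java.exe found on PATH') }

    # 3. IE11 disabled as a standalone browser? The policy writes NotifyDisableIEOptions (assumed
    #    value name) under the machine policy hive; absence means the policy is not applied.
    $ieMain = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    $notify = (Get-ItemProperty -Path $ieMain -Name NotifyDisableIEOptions -ErrorAction SilentlyContinue).NotifyDisableIEOptions
    if ($null -eq $notify) { $findings.Add('IE11 not disabled as a standalone browser (policy value missing)') }

    # 4. Java permissions per IE zone: value 1C00, where 0 = Disable Java (assumed encoding).
    #    Zones: 0 My Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted.
    #    Prefer the machine policy hive; fall back to the current user's effective value.
    foreach ($zone in 0..4) {
        $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $userKey   = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $val = (Get-ItemProperty -Path $policyKey -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
        if ($null -eq $val) { $val = (Get-ItemProperty -Path $userKey -Name '1C00' -ErrorAction SilentlyContinue).'1C00' }
        if ($null -eq $val) { $findings.Add("Zone ${zone}: Java permissions not set (expected 0 = Disable Java)") }
        elseif ($val -ne 0) { $findings.Add("Zone ${zone}: Java permissions = $val (expected 0 = Disable Java)") }
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-Ism1486 | Format-List
```

An empty Findings list with Compliant = True is the expected result on a correctly configured endpoint; any listed finding maps directly to one of the implementation steps above.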