An Oracle Java SE to Microsoft Build of OpenJDK migration is the cleanest exit for any organisation already paying Microsoft for Azure, Unified Support, or Visual Studio. Microsoft Build of OpenJDK is a TCK-certified, free, production-grade OpenJDK distribution shipped by Microsoft and supported at no extra cost under your existing Microsoft agreement. Microsoft runs more than two million JVMs on it across Azure, LinkedIn, Bing, and Minecraft, which is a more rigorous production proof than any vendor data sheet. This playbook lays out the buyer-side framework we use to displace the Java SE Universal Subscription and defend our clients against the Employee Metric audit exposure that follows. We benchmark the migration against real engagements: 600+ Oracle programmes, $1.8B in advised spend, and a 100% Java audit defence record.
Microsoft Build of OpenJDK is the OpenJDK distribution that wins on commercial economics for Microsoft-aligned estates. Where Eclipse Temurin requires a separate commercial support contract for vendor-backed SLA coverage, and Amazon Corretto is bundled with AWS Support, Microsoft Build of OpenJDK is bundled with every existing Microsoft support relationship your organisation already pays for. If you have an Azure Support plan, Unified Support, Premier Support, or a Visual Studio Enterprise subscription, you already have production support for Microsoft Build of OpenJDK at no incremental cost. That is the structural advantage that flips the buyer-side math against the Oracle Java SE Universal Subscription Employee Metric.
Microsoft is not a casual OpenJDK distributor. Microsoft runs more than two million internal JVMs on this binary — across Azure platform services, LinkedIn (an entirely Java-based stack), Minecraft Java Edition, Bing search, and Microsoft 365 backend services. That production footprint is materially larger than Oracle's internal Java SE footprint, and it is the engineering basis for Microsoft's contribution back to the OpenJDK project. Microsoft is a Java Community Process executive committee member, an OpenJDK project committer across multiple JEPs, and an active contributor to GC, JIT, and observability improvements upstream. The distribution is not a re-badge — it is a first-party Microsoft engineering deliverable.
The right-size answer is not always Microsoft Build of OpenJDK. AWS-heavy estates with bundled AWS Support benefit more from Amazon Corretto. Estates with strict vendor-neutrality procurement rules benefit more from Eclipse Temurin. The buyer-side methodology selects the runtime per workload based on operational reality, not vendor preference. See the Oracle Java licensing guide for the Employee Metric exposure that drives the decision.
The bundled support story is the single most important fact in the buyer-side evaluation, and it is regularly misunderstood. Microsoft provides production support for Microsoft Build of OpenJDK at no additional cost to customers with a qualifying Microsoft support relationship. The qualifying relationships include any Azure Support plan (Developer, Standard, Professional Direct, Premier, Unified), any Visual Studio subscription with included support, and any Premier or Unified Support contract. The support covers JVMs running anywhere — on Azure, on AWS, on Google Cloud, on Oracle Cloud, on-premises, in physical, virtual, or containerised deployments.
What the bundled support does not cover is exotic non-LTS releases (the six-month feature releases between LTS versions), forward-port engineering, and bespoke binary builds. For estates that need to track the latest feature release for early validation, a parallel community-supported Temurin or Adoptium build is the right hedge — both can coexist in the estate. The Microsoft Build of OpenJDK is the production LTS runtime; the Temurin build is the feature-validation runtime. This dual-distribution pattern is one we recommend frequently for engineering organisations that need both stability and innovation visibility.
Buyer-side note: Microsoft does not publish a separate price list for Microsoft Build of OpenJDK because it is not a separately priced product. If your Microsoft account team offers you a "Java support add-on," push back — the support is already included. Get the inclusion language confirmed in writing on Microsoft letterhead before signing any incremental commitment.
The forensic discovery phase is identical across all OpenJDK migration targets. The audit defence framework requires a complete inventory of every Oracle Java installation in the estate, identified by vendor, version, deployment context, and licensing surface. Most organisations underestimate their Oracle Java footprint by a factor of three to ten because Oracle's binary is bundled inside dozens of third-party products and gets installed by default by package managers, developer tooling, and OEM endpoint images. The Employee Metric applies regardless of usage intensity, so every dormant binary on a workstation contributes to the audit exposure.
| Discovery surface | What to look for | Audit exposure |
|---|---|---|
| Endpoint inventory (workstations) | Oracle JRE / JDK on Windows / macOS / Linux desktops | Employee Metric applies regardless of usage |
| Server-side application servers | Tomcat, Jetty, JBoss, WAS, custom JVMs | Production Java SE installations |
| Azure App Service / AKS / Functions | Bundled Java runtime selection in PaaS deployments | Microsoft-bundled by default; verify customer-supplied JVMs |
| Batch and ETL processing | Informatica, DataStage, custom Java batch | Server-side Java SE installations |
| Build and CI tooling | Azure DevOps, Jenkins, GitLab Runner, Maven, Gradle | Developer tooling Java; Oracle binaries trigger metric |
| Third-party software with bundled Java | Trading platforms, BI tooling, scientific applications | Oracle Java bundled inside vendor packages |
| Container images | Docker / OCI images on ACR and other registries | Each image with Oracle Java multiplies the surface |
| OT and ICS environments | SCADA, manufacturing, embedded engineering tooling | Frequently overlooked; high audit value |
The forensic discovery has to be performed under audit-defensible methodology. We combine endpoint scanning, package manager inventories, Azure Resource Graph queries, container registry scans, third-party vendor inventories, and structured interviews of OT / engineering teams to surface the embedded footprint. The output is an evidence-based Java installation register that drives both the migration plan and the audit defence. The Java Licensing service covers the discovery framework end to end and includes the audit defence work that follows. The Oracle audit guide covers the broader evidence-based defence methodology.
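A minimal sketch of the filesystem part of that register, added here as an illustration and not taken from the service or any vendor tool. It assumes each Java home carries the JDK's `release` file with `JAVA_VERSION` and, on newer builds, `IMPLEMENTOR`; the function names, paths and sample values are constructed for the example.

```python
import os
import re
import tempfile

_KV = re.compile(r'^([A-Z_]+)="?(.*?)"?\s*$')  # KEY="value" lines

def parse_release(path):
    """Read the KEY="value" pairs of a Java home's `release` file."""
    fields = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = _KV.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields

def build_register(root):
    """Return one register row per Java home found under `root`."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "release" not in filenames:
            continue
        fields = parse_release(os.path.join(dirpath, "release"))
        if "JAVA_VERSION" not in fields:
            continue  # a `release` file that belongs to some other product
        vendor = fields.get("IMPLEMENTOR")
        if vendor is None:
            status = "unresolved"  # no vendor recorded: review by hand, never assume clear
        else:
            status = "oracle" if vendor.startswith("Oracle") else "other"
        rows.append({"home": os.path.relpath(dirpath, root), "vendor": vendor,
                     "version": fields["JAVA_VERSION"], "status": status})
        dirnames[:] = []  # a Java home is one installation; do not descend into it
    return sorted(rows, key=lambda r: r["home"])

def make_sample_tree():
    """Constructed sample estate (not real data): three Java homes, one decoy."""
    root = tempfile.mkdtemp()
    samples = {
        "opt/jdk-17": 'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="17.0.9"\n',
        "opt/msopenjdk-21": 'IMPLEMENTOR="Microsoft"\nJAVA_VERSION="21.0.2"\n',
        "apps/vendor-tool/jre": 'JAVA_VERSION="1.8.0_202"\n',
        "etc/product": 'NAME="not a JDK"\n',
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "release"), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for row in build_register(make_sample_tree()):
        print(row)
```

A row marked `unresolved` is a Java home whose vendor the file does not record, which is common for runtimes bundled inside third-party products; it stays on the register until someone identifies it.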
The Microsoft Build of OpenJDK deployment follows the same wave-based sequence we use for every OpenJDK migration. The technical deployment is straightforward because Microsoft's binary conforms to the Java SE specification, which is the same standard the Oracle binary implements. The complexity is operational, not technical: third-party software vendor confirmation, endpoint package replacement, container base image refresh, and audit-defensible removal of the Oracle binaries.
| Phase | Duration | Activity |
|---|---|---|
| 1. Pilot deployment | 2 weeks | Deploy Microsoft OpenJDK on 3 to 5 non-critical workloads; functional validation |
| 2. Performance baseline | 2 weeks | Compare GC behaviour, throughput, latency against Oracle baseline |
| 3. Wave 1 deployment | 4 weeks | Deploy to 20 to 30 percent of low-risk server workloads |
| 4. Wave 2 deployment | 6 weeks | Deploy to mid-risk workloads; retain Oracle binary fallback |
| 5. Wave 3 deployment | 8 weeks | Deploy to high-risk workloads; full rollback plan |
| 6. Container image refresh | 3 weeks | Replace Oracle Java base images in ACR / Docker Hub / private registries |
| 7. Endpoint rollout | 4 weeks | Workstation replacement via Intune / SCCM / Jamf / Workspace ONE |
| 8. Oracle Java removal | 3 weeks | Forensic removal of Oracle binaries; verification scan |
| 9. Audit-defensible documentation | 2 weeks | Evidence package for the future Oracle audit defence |
The endpoint rollout is the phase that surprises customers most often. Workstation Java is the largest contributor to the Employee Metric inflation because it expands the licensable population to every employee with any Oracle binary installed. Microsoft Build of OpenJDK is straightforward to deploy via Intune (Windows / macOS), SCCM (Windows), Jamf (macOS), or Workspace ONE (cross-platform). The deployment package is a standard MSI / PKG / TAR and integrates with existing endpoint management tooling without bespoke engineering. The forensic Oracle removal step is what creates the audit-defensible posture — partial removal is not a defence. Either the binary is gone and the scan proves it, or the audit exposure remains.
Buyer-side note: Do not begin the Oracle binary removal until Wave 3 is complete and the rollback windows on every workload have closed. Premature removal eliminates the safety net during the deployment. The audit-defensible documentation step is the one that protects you in the audit — it is not optional housekeeping.
The compatibility matrix is the artefact that determines whether Microsoft Build of OpenJDK can be the universal runtime or whether a multi-distribution estate is required. Most enterprise software vendors have certified Microsoft Build of OpenJDK directly, or have certified Eclipse Temurin or Adoptium and accept Microsoft Build as functionally equivalent. The list of vendors that explicitly support Microsoft Build of OpenJDK includes Microsoft (Azure, Power BI, Dynamics, Visual Studio), Atlassian (Jira, Confluence, Bitbucket), Adobe (AEM, Adobe Workfront), IBM (WebSphere, MQ on supported configurations), Red Hat (JBoss EAP on Red Hat), Pivotal / VMware (Spring, Tanzu), and many financial services platform vendors.
The vendors that historically required Oracle Java SE-only are now mostly an exception. Where Oracle Java SE-only contracts remain, the right approach is to negotiate compatibility coverage with the third-party vendor before migration — most are willing because their commercial interest is in customer retention, not Oracle's licensing model. Where the third-party vendor refuses to certify Microsoft Build of OpenJDK, the right answer is to accept Eclipse Temurin or Amazon Corretto for that specific workload and run a multi-distribution estate. The dual-distribution pattern is operationally manageable and we have implemented it across dozens of engagements.
The migration to Microsoft Build of OpenJDK closes future Oracle Java SE exposure. It does not close the historical exposure. Oracle's GLAS / LMS Java audit team reviews the customer's historical Oracle Java SE deployment to determine retroactive Employee Metric exposure and publishes a back-licence claim. The defence framework is the same regardless of which OpenJDK distribution the customer migrated to — the forensic defence sits alongside the migration, not after it.
The forensic defence framework contains four lines of argument. First, the licensing model in effect at the time of deployment was the historical metric (Processor or NUP), not the 2023 Employee Metric — Oracle's retroactive application is contestable and we have contested it successfully multiple times. Second, the actual Oracle binary deployment count, not the inferred deployment from desktop installation telemetry, is the basis for any back-licence claim — Oracle's audit methodology routinely overstates by a factor of two to four. Third, the Oracle Java No-Fee Terms and Conditions (NFTC) that applied to JDK 17 between September 2021 and September 2024 created a covered-deployment window that excludes those deployments from back-licence claims under the prior commercial subscription. Fourth, the bundled-Java distributions of Oracle Java that came with Oracle products (Database, WebLogic, Fusion Middleware) carry application-specific entitlement and cannot be treated as standalone Java deployments.
We hold a 100% Java audit defence record across the Java engagements we have run since 2019. The defence framework only works when the customer engages before the audit progresses to formal claim — once the claim is in writing the negotiating position is materially weaker. Anonymised case: a European insurer faced an opening Oracle Java back-licence demand of 6,400 Employee-Metric subscriptions; the forensic defence reduced the final settlement by 38% and converted the remainder to a one-off non-renewing exit fee tied to the Microsoft Build of OpenJDK migration timeline. The Audit Defence service covers the full engagement framework.
Yes. Microsoft Build of OpenJDK is a TCK-certified, free, production-grade distribution of OpenJDK shipped and supported by Microsoft. Microsoft runs more than two million JVMs internally on it across Azure, LinkedIn, Minecraft, and Bing. Microsoft ships long-term support builds for OpenJDK 11, 17, 21, and 25 with quarterly security updates aligned to the Java SE specification. The distribution conforms to the Java SE specification, which is the standard the Oracle binary also implements. The Oracle Java SE to Microsoft Build of OpenJDK migration is a like-for-like runtime replacement at the bytecode level.
No. Microsoft provides production support for Microsoft Build of OpenJDK at no additional cost to customers with an Azure subscription, an Azure Support plan, a Visual Studio subscription, or a Unified Support contract. The support covers JVMs running anywhere — on Azure, on other clouds, on-premises, or in containers. For customers without an existing Microsoft support relationship, support is available through Premier and Unified Support contracts. The Azure-bundled support model is the major commercial advantage over Oracle Java SE Employee Metric pricing.
Microsoft Build of OpenJDK is the right default for Azure-heavy estates where Microsoft support is bundled with the customer's existing subscription. Amazon Corretto is the right default for AWS-heavy estates with bundled AWS support. Eclipse Temurin is the right default when vendor neutrality is a procurement requirement or when third-party software vendors certify against Adoptium. The three distributions are functionally equivalent at the Java SE specification level; the choice is operationally and contractually driven, not technical.
Most major vendors do. Microsoft, Atlassian, Adobe, Spring, IBM, Red Hat, and many financial services platform vendors have explicitly certified Microsoft Build of OpenJDK or treat it as an Eclipse Temurin-equivalent distribution. Some legacy software with Oracle Java SE-only support contracts requires renegotiation. We maintain a compatibility matrix on every engagement and confirm vendor coverage in writing before migration. Vendors that refuse Microsoft Build of OpenJDK coverage are usually willing to accept Eclipse Temurin or Amazon Corretto. The Oracle Java SE to Microsoft Build of OpenJDK migration plan includes the compatibility matrix as a deliverable.
The audit defence framework is the same regardless of which OpenJDK distribution the customer migrated to. Oracle's GLAS team examines the historical Oracle Java SE footprint, applies the Employee Metric retroactively, and publishes a back-licence claim. The defence framework reduces or eliminates the claim through four lines of argument: contesting the retroactive application of the new metric, contesting the inflated installation count from telemetry, applying the NFTC covered-deployment window for JDK 17, and excluding bundled-Java distributions that carry application-specific entitlement. We hold a 100% Java audit defence record across engagements run since 2019.