.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.

Property	Value
ISM Control	ISM-1655
Revision	0
Updated	Sep-21
Guideline	Not provided
Section	Operating system hardening
Topic	Hardening operating system configurations
Essential Eight	ML3
PSPF Levels	NC, OS, P, S, TS

Summary

.NET Framework 3.5 (including .NET 2.0 and 3.0) is disabled or removed to reduce the attack surface from legacy runtimes. Implement using the UserApplicationHardening-RemoveFeatures.ps1 script and deploy it through the Intune Scripts option.

.NET Framework 3.5 uses CLR version 2.0 and is delivered as a Windows optional feature that can be turned off independently. The modern .NET Framework 4.x is built into Windows 10/11, uses CLR 4.0 with the Security-Transparent model, and is not affected by this control. Key security reasons for disabling .NET 3.5 include:

PowerShell 2.0 dependency: The Windows PowerShell 2.0 optional feature requires .NET 3.5 / CLR 2.0. If .NET 3.5 is present, an attacker may re-enable PowerShell 2.0 to bypass AMSI and script-block logging (see ISM-1621).
Legacy Code Access Security (CAS): Older CAS policies can be misconfigured, allowing privilege escalation that .NET 4.x’s Security-Transparent model prevents.
Known CVEs: RCE vulnerabilities such as CVE-2019-0613, CVE-2018-8540, and CVE-2018-8421 affect .NET 3.5 specifically and may not be fully patched on all builds.
BinaryFormatter deserialization: .NET 3.5 applications frequently use BinaryFormatter, a known RCE vector from untrusted deserialisation payloads.¹

Design Decision

[!NOTE] The UserApplicationHardening-RemoveFeatures.ps1 script will be deployed via Intune Scripts to disable or remove the .NET Framework 3.5 (including .NET 2.0 and 3.0) feature.

Prerequisites

Permissions/Roles

Devices must be joined to Microsoft Entra ID, including hybrid joined and Workplace Joined (WPJ).²
Devices must be enrolled in Intune.²

Dependencies

Use of the Intune Management Extension to deploy scripts; plan to Deploy via the Intune ‘Scripts’ option.²
Devices must be running a supported Windows version (see Intune Management Extension prerequisites); the Intune management extension does not support Windows in S mode.²
Devices must be joined to Microsoft Entra ID (including hybrid join or WPJ) and enrolled in Intune; co-managed devices using Configuration Manager are supported.²
For devices behind firewalls and proxy servers, enable communication for Intune.²
The implementation uses the script UserApplicationHardening-RemoveFeatures.ps1 to disable .NET Framework 3.5 (includes 2.0 and 3.0) if installed.³

Implementation Steps

Use Intune Scripts option to deploy UserApplicationHardening-RemoveFeatures.ps1

Verify device prerequisites for the Intune management extension and script deployment.²
In the Intune console, assign the script UserApplicationHardening-RemoveFeatures.ps1 to target devices or user groups.³
The Intune management extension installs automatically when a PowerShell script or Win32 app is assigned to the device.²
After deployment, the script disables or removes .NET Framework 3.5 (includes 2.0 and 3.0) feature if installed.³
Verify the feature is disabled by running on a target device:
```
Get-WindowsOptionalFeature -Online -FeatureName NetFx3
```
The output should show State : Disabled. If it returns State : Enabled, the feature was not removed and the Intune script should be re-triggered or the feature disabled manually:
```
Disable-WindowsOptionalFeature -Online -FeatureName NetFx3 -NoRestart
```

[!CAUTION] Some legacy line-of-business applications compiled against .NET 2.0 or 3.5 will fail to start if this feature is removed. Before enforcement, inventory applications that depend on .NET 3.5 (check Programs and Features for “.NET Framework 3.5” as a listed dependency) and test in a non-production environment. Applications that cannot be updated may need to be excluded or migrated to .NET 4.x.

Microsoft .NET Framework 3.5 Deployment Considerations clarifies the deployment model for .NET 3.5 including how the payload is obtained and installed on Windows devices Microsoft .NET Framework 3.5 Deployment Considerations⁴
ASD Blueprint for User Application Hardening provides architecture-level guidance on applying Essential Eight hardening practices for app control and deployment ASD Blueprint: User application hardening⁵
.NET Framework 3.5 as a Windows Optional Feature explains how .NET 3.5 is delivered as an on-demand optional feature in Windows and must be explicitly enabled .NET Framework 3.5 as a Windows Optional Feature¹

🛡️ Essential 8 Guide