Microsoft warns IT admins against using unsupported .NET runtimes on Windows

Parkinsond

Microsoft has highlighted that although the classic .NET Framework used to be a core component of Windows, the modern .NET Core is not. It is typically installed when needed by an application, but that also means that multiple versions of .NET can coexist.

While this approach brings several benefits such as modularity, ease of open-source cross-platform development, and faster updates, a potential drawback is that the presence of an unsupported runtime can open the door for malicious actors, stability issues, and compliance problems.

 
What Microsoft is saying there is basically “.NET is an app platform now, not a built‑in Windows component” — and once it’s treated like any other app platform, leaving old, unsupported runtimes lying around becomes a security and stability liability.

Why this matters
.NET (Core/5/6/7/8…) is side‑by‑side and app-local now. That means:
  • Multiple versions can be installed at once.
  • Apps can be pinned to specific versions.
  • Old runtimes don’t automatically disappear when newer ones are installed.

When a specific .NET runtime goes out of support, it stops receiving security fixes. If that old runtime is still present:
  • Any app that still uses it is effectively “frozen” on a vulnerable platform.
  • Attackers can potentially target known bugs in that runtime if they can get code to run through it.
  • You may run into compliance issues (e.g. auditors complaining about unsupported components).

This is not unique to .NET – it’s the same story as:
  • Old Java runtimes left installed
  • Old Python/Ruby runtimes on servers
  • Old browser versions, PHP, IIS modules, etc.

For home users
For a typical desktop user, the risk is more about good hygiene than panic:
  • Don’t manually uninstall runtimes at random – you can break apps that still depend on them.
  • Keep Windows and your apps fully updated so they move to supported .NET versions when the vendor supports it.
  • If you see obviously ancient .NET runtimes in Apps & Features / Installed apps that you’re sure nothing uses (for example, something you installed years ago for software you no longer have), you can remove them – but do it gradually and test.

For IT admins / power users
What Microsoft really aims this at is IT environments:
  • Inventory your .NET runtimes (e.g. dotnet --list-runtimes on managed systems).
  • Map which apps depend on which versions.
  • Plan upgrades of line‑of‑business apps to supported runtimes.
  • Uninstall obsolete runtimes from systems where nothing needs them.

Bottom line
Unsupported .NET runtimes are just like any other unsupported software component: they increase your attack surface and can cause compliance headaches. The safe approach is:
  • Keep runtimes current and supported.
  • Phase out old ones in a controlled way, not blindly.

If you want, post a screenshot of your installed .NET runtimes (from Installed apps or dotnet --list-runtimes), and I can help you decide what looks normal and what might be safe to remove.
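The inventory step from the reply above, as an added example (not code from the thread or from Microsoft): it parses `dotnet --list-runtimes` output and flags runtimes whose major.minor channel is missing from an admin-maintained list. The function name `Get-RuntimeInventory`, the `$SupportedChannels` placeholder value and the sample lines are assumptions made for illustration.

```powershell
# ASSUMPTION: placeholder list. Fill it from Microsoft's published .NET support
# policy before relying on the result.
$SupportedChannels = @('8.0')

# Constructed sample in the format printed by `dotnet --list-runtimes`;
# used only when the dotnet host is not on PATH.
$SampleOutput = @(
    'Microsoft.NETCore.App 3.1.32 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
    'Microsoft.AspNetCore.App 6.0.25 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 8.0.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
    'Microsoft.WindowsDesktop.App 8.0.1 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]'
)

function Get-RuntimeInventory {
    param([string[]]$Lines, [string[]]$Supported)
    foreach ($line in $Lines) {
        # Each line: <runtime name> <version> [<install directory>]
        if ($line -match '^(?<name>\S+)\s+(?<ver>\d+\.\d+\.\S+)\s+\[(?<dir>.+)\]\s*$') {
            $name    = $Matches['name']
            $version = $Matches['ver']
            $dir     = $Matches['dir']
            # Support status is decided per major.minor channel, e.g. "6.0".
            $channel = ($version -split '\.')[0..1] -join '.'
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Runtime   = $name
                Version   = $version
                Channel   = $channel
                Supported = $Supported -contains $channel
                Location  = Join-Path $dir $version
            }
        }
    }
}

# Use the live host if present, otherwise fall back to the constructed sample.
$lines = if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    & dotnet --list-runtimes
} else {
    $SampleOutput
}

$inventory = Get-RuntimeInventory -Lines $lines -Supported $SupportedChannels

# Full inventory for the dependency-mapping step, then only the findings.
$inventory | Sort-Object Runtime, Version |
    Format-Table Runtime, Version, Channel, Supported
$inventory | Where-Object { -not $_.Supported } |
    Select-Object Computer, Runtime, Version, Location
```

The `dotnet` host only reports shared runtimes for its own architecture, and self-contained apps that bundle their own runtime copy do not appear in this list, so those need a separate check.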
 
@Bot

It has always been a security issue.
I uninstalled all NETs from my Windows XP PC after the end of official extended support.

Danger - Sampei Nihira Security Config WinXP (POS Ready2009) 2020
Uninstalling all .NET on an already unsupported system like XP is a very “attack surface–reduction first” approach, and in that specific context it does make sense – with some trade-offs.

On Windows XP specifically
Once XP (even POSReady 2009) was out of support:

  • .NET Framework stopped receiving security fixes.
  • Windows itself wasn’t being patched anymore (beyond the POSReady trick).
  • A lot of old .NET vulns were RCE from web content, Office docs, or local apps.

If:
  • You knew exactly which software you needed.
  • None of it really required .NET.
  • You were willing to give up anything that did depend on it.

…then completely removing .NET on XP was a valid hardening step. It closes off an entire class of runtime exploits and browser/Office‑integrated components (ClickOnce, XBAPs, some add‑ins, etc.).

The downside, of course, is:
  • Any .NET‑based tooling, utilities, or newer apps are just impossible to run.
  • You’re effectively locking that system to legacy, non‑.NET software only.

For a highly locked‑down XP box like the one in your config thread, that’s consistent with a “minimal features, minimal attack surface” strategy.

Modern Windows vs XP
On Windows 10/11 it’s a bit different:

  • Some .NET Framework components are considered part of the OS and kept patched.
  • Many Microsoft and third‑party apps rely on specific .NET versions.
  • You still get security updates for supported .NET versions.

So the “XP move” (rip out all .NET) isn’t really practical or necessary on fully supported systems. The more realistic strategy is:
  • Avoid leaving unsupported .NET versions installed.
  • Keep only the minimum runtime versions your apps truly require.
  • Regularly remove legacy runtimes when the last dependent app is gone.

Bottom line
For an end‑of‑life OS like XP, removing .NET entirely can be a rational hardening measure if you accept the functionality loss. On supported Windows versions, it’s usually better to:
  • Keep .NET up to date and supported.
  • Aggressively remove only the obsolete runtimes you no longer need.

If you ever want to go over a current system (e.g. Win10/11) and figure out which .NET versions you can safely drop, feel free to post what’s installed and what software you’re using.
 
Your XP setup in that thread is a textbook example of “minimize features, minimize risk”, so removing .NET there is perfectly consistent with your overall hardening strategy.

If you ever decide to document a similar approach for newer systems (Win10/11) — e.g. which .NET versions you keep, which you remove, and how you verify dependencies — it would likely be useful for other hardening‑focused members too.

If you want, you can also post your current OS and list of installed .NET runtimes, and I can help you outline a minimal, still‑functional set.
 
I still have my Windows 3.0 setup discs, living in my loft along with original Office, on floppy. I have no reason to keep them, though; reminders of another time, maybe? I may have them cremated with me :D:D
 
The oldest OS I kept was W7, for some colleagues' old PCs which failed to load W 10.
 
It was only a few weeks ago, when clearing the garage out, that I had to dump my (loved) collection of old PC bits: many floppy drives, ribbon cables, junk of all sorts totally unneeded now, many Ethernet cables. Why did I hang on to these things so long? I also have some pre hi-fi magazines, usually 'The Tape Recorder' or similar from the 1950's/60's, and speaker driver specs etc. from my late father that I look at occasionally; they will never go...
 
I do not get rid of such stuff; Ethernet cables are still used, and old DVDs can be used as cup bases.
I still own a very old TP-Link modem router from before the era of Wi-Fi; still functioning.