Remove end-of-life .NET 5 Runtime from Windows endpoints to clear vulnerability scanner findings
This Automox Worklet™ uninstalls .NET 5 Runtime builds at or below version 5.0.17 from Windows endpoints. The evaluation script enumerates the standard Windows uninstall registry hives, identifies every .NET 5.0.x Runtime component, compares each DisplayVersion to the 5.0.17 threshold, and reports the endpoint non-compliant when any matching build is present. The remediation script then runs the uninstaller for each flagged component using the registry key name as the identifier.
The Worklet inspects three registry locations to catch every install context: the 64-bit HKLM hive at HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall, the 32-bit Wow6432Node hive at HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, and each loaded per-user HKU hive for installations run under a user account. Get-Package and dotnet --list-runtimes are useful for spot-checking endpoints by hand, but the Worklet does not rely on them because Get-Package misses installs that were not registered with the MSI provider and dotnet --list-runtimes is not present until the SDK is installed.
For MSI-based installations the Worklet calls MSIExec.exe /x {RegistryKeyName} /qn /norestart for each component. For EXE-based installations it extracts the executable path from the UninstallString and passes /uninstall /quiet /norestart. Exit codes 0, 1641, and 3010 are treated as success (1641 indicates the uninstaller initiated a reboot; 3010 indicates a reboot is suggested). Any other exit code is logged with the component name so an admin can triage a stuck endpoint without re-running the policy.
.NET 5 reached end of support on May 10, 2022, and Microsoft has not shipped security patches for the 5.0.x train since 5.0.17. Every .NET advisory disclosed after that date – including post-EOL items such as CVE-2023-33128 – ships fixes only for the supported LTS trains (.NET 6 and .NET 8 at the time of writing), so vulnerability scanners continue to flag any 5.0.x install against subsequent .NET CVEs without a remediation path on the 5.x line. PCI-DSS 6.3.3, HIPAA 164.308(a)(5)(ii)(B), and SOC 2 CC7.1 all require unsupported software to be removed from systems handling regulated data, and CIS Benchmark control 2.3 calls out unsupported runtimes specifically.
An EOL runtime tends to linger on the long tail of endpoints that nobody routinely patches by hand: developer workstations carrying a .NET 5 Runtime from a 2021 project, Windows Servers where an internal app shipped against 5.0.x and the app team moved on, lab machines spun up from an older image and never reimaged. Running this Worklet on a recurring policy iterates the 64-bit, 32-bit, and per-user Uninstall hives, calls the appropriate uninstaller silently against every matching version, and reports the per-endpoint exit codes so a PCI-DSS 6.3.3 or SOC 2 CC7.1 reviewer can see exactly which hosts still trailed support at audit close.
Evaluation phase: The Worklet walks HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, then iterates loaded HKU profile hives to cover per-user installs. For each uninstall key it reads DisplayName, DisplayVersion, and the registry key name. DisplayName is matched against the pattern *.NET Runtime* with an additional *5.0* check. Versions are parsed with [Version] and compared against 5.0.17. If any match is at or below the threshold, the endpoint is reported non-compliant.
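The evaluation logic described above can be sketched as a read-only scan. This is an added example, not the Worklet's own script; the function names are hypothetical, and the three-field version comparison is an assumption about how to treat a DisplayVersion that carries a fourth field.

```powershell
# Added example, not the Worklet's own script: read-only scan of the Uninstall hives.
$Threshold = [Version]'5.0.17'

function Test-EolDotNet5Entry {
    # True when the entry is a .NET 5.0.x Runtime at or below the threshold.
    param([string]$DisplayName, [string]$DisplayVersion, [Version]$MaxVersion)
    if ($DisplayName -notlike '*.NET Runtime*' -or $DisplayName -notlike '*5.0*') { return $false }
    $v = $null
    if (-not [Version]::TryParse($DisplayVersion, [ref]$v)) { return $false }
    # Assumption: DisplayVersion may carry a fourth field. A constructed value such as
    # [Version]'5.0.17.12345' sorts above [Version]'5.0.17', so compare three fields only.
    $v3 = [Version]::new($v.Major, $v.Minor, [Math]::Max($v.Build, 0))
    return ($v3 -le $MaxVersion)
}

function Get-UninstallRoot {
    # Both machine-wide hives, then each loaded per-user hive under HKEY_USERS.
    $sub = 'Microsoft\Windows\CurrentVersion\Uninstall'
    "Registry::HKEY_LOCAL_MACHINE\Software\$sub"
    "Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\$sub"
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)\Software\$sub" }
}

$found = foreach ($root in Get-UninstallRoot) {
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $name = [string]$_.GetValue('DisplayName')
        $ver  = [string]$_.GetValue('DisplayVersion')
        if (Test-EolDotNet5Entry $name $ver $Threshold) {
            [pscustomobject]@{
                Hive = $root; KeyName = $_.PSChildName
                DisplayName = $name; DisplayVersion = $ver
            }
        }
    }
}

if ($found) { $found | Format-List; 'Non-compliant' } else { 'Compliant' }
```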
Remediation phase: The remediation script performs its own independent registry scan across the same three hive locations. For each matching component it checks whether the UninstallString references msiexec and calls MSIExec.exe /x {RegistryKeyName} /qn /norestart; for EXE-based installers it parses the UninstallString and passes /uninstall /quiet /norestart. Exit codes 0, 1641, and 3010 are counted as success. Any other exit code is written to the Automox console with the component name so the admin can isolate the failing endpoint. A summary of successful and failed uninstalls is printed at completion.
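The MSI/EXE branching and exit-code handling described above, as an added example that is not the Worklet's own script. The function names, the regular expressions used to pull the executable path, and the two sample entries (GUIDs and path) are constructed for illustration, and `-WhatIf` keeps the run from uninstalling anything.

```powershell
# Added example, not the Worklet's own script. The entries below are constructed samples.
$SuccessCodes = 0, 1641, 3010   # 1641: reboot initiated; 3010: reboot suggested

function Get-UninstallCommand {
    # Maps one uninstall entry to the executable and arguments described above.
    param([string]$KeyName, [string]$UninstallString)
    if ($UninstallString -match 'msiexec') {
        return [pscustomobject]@{ File = 'MSIExec.exe'; Arguments = "/x $KeyName /qn /norestart" }
    }
    # EXE-based: take the quoted path, else the text up to the first ".exe".
    if ($UninstallString -match '^\s*"([^"]+\.exe)"' -or $UninstallString -match '^\s*(\S.*?\.exe)') {
        return [pscustomobject]@{ File = $Matches[1]; Arguments = '/uninstall /quiet /norestart' }
    }
}

function Invoke-Uninstall {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)]$Entry)
    $cmd = Get-UninstallCommand $Entry.KeyName $Entry.UninstallString
    $result = [pscustomobject]@{ Name = $Entry.DisplayName; ExitCode = $null; Success = $null }
    if (-not $cmd) { Write-Warning "No usable UninstallString for $($Entry.DisplayName)"; return $result }
    if ($PSCmdlet.ShouldProcess($Entry.DisplayName, "$($cmd.File) $($cmd.Arguments)")) {
        $p = Start-Process -FilePath $cmd.File -ArgumentList $cmd.Arguments -Wait -PassThru
        $result.ExitCode = $p.ExitCode
        $result.Success  = $SuccessCodes -contains $p.ExitCode
        if (-not $result.Success) { Write-Warning "$($Entry.DisplayName) failed with exit code $($p.ExitCode)" }
    }
    $result
}

$entries = @(
    [pscustomobject]@{ DisplayName = 'Microsoft .NET Runtime - 5.0.17 (x64)'
        KeyName = '{00000000-0000-0000-0000-000000000000}'
        UninstallString = 'MsiExec.exe /X{00000000-0000-0000-0000-000000000000}' },
    [pscustomobject]@{ DisplayName = 'Microsoft .NET Runtime - 5.0.10 (x86)'
        KeyName = '{11111111-1111-1111-1111-111111111111}'
        UninstallString = '"C:\Temp\constructed\dotnet-runtime-sample.exe" /uninstall' }
)
# -WhatIf prints each planned command without running it.
$results = @($entries | ForEach-Object { Invoke-Uninstall -Entry $_ -WhatIf })
$ran = @($results | Where-Object { $null -ne $_.ExitCode })
'{0} succeeded, {1} failed, {2} not run' -f @($ran | Where-Object Success).Count,
    @($ran | Where-Object { -not $_.Success }).Count, ($results.Count - $ran.Count)
```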
Windows endpoint running Windows 10, Windows 11, Windows Server 2016, 2019, or 2022 with the Automox agent installed
PowerShell 5.1 or later (the default on supported Windows versions)
Local Administrator privileges to read all three uninstall registry hives and run the uninstaller (the default Automox agent context already meets this)
Both 32-bit and 64-bit installations of .NET 5 Runtime are covered; no policy variables to configure
Confirm that no production application on the endpoint depends on .NET 5 Runtime before scheduling; applications must be retargeted to .NET 6 LTS or .NET 8 LTS first
After remediation, no .NET 5.0.x Runtime component appears under HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, or any HKU hive. Control Panel › Programs and Features no longer lists Microsoft .NET Runtime - 5.x entries. Side-by-side .NET 6, .NET 7, and .NET 8 runtimes are unaffected because their DisplayName and DisplayVersion values do not match the Worklet's filter, and applications retargeted to a supported runtime continue to start normally.
Validate the endpoint with two commands: dotnet --list-runtimes (no Microsoft.NETCore.App 5.0.x entries should be returned) and Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall | Where-Object { $_.GetValue("DisplayName") -like "*.NET Runtime*5.0*" } (should return nothing). For audit evidence, export the next Automox evaluation result for the policy; the endpoint should report compliant, and the timestamp closes the loop for PCI-DSS, HIPAA, and SOC 2 evidence of EOL runtime removal.


A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
