Windows - Software - Uninstall Microsoft Silverlight

What the Silverlight removal Worklet does

This Automox Worklet™ detects and removes Microsoft Silverlight from Windows workstations and servers. Microsoft Silverlight reached end of support on October 12, 2021, and has received no security patches since. Any endpoint that still carries the plugin runs an unmaintained browser component that will never be fixed.

The evaluation script reads the standard Windows uninstall registry hives and matches DisplayName against "Microsoft Silverlight" on both 32-bit and 64-bit installs. On a 64-bit operating system, the Worklet opens HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall through the native 64-bit registry view, then walks HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall for the 32-bit Silverlight build. On a 32-bit operating system, it walks HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall directly. A match in any of those hives flags the endpoint for remediation.

The remediation script reads the UninstallString value from the matching registry key and executes it without user interaction. If the uninstall string contains msiexec, the Worklet calls msiexec.exe /x with the registry PSChildName (the product GUID) plus /qn and /norestart. If the uninstall string points to an executable, the Worklet runs that executable with the /S silent flag. Exit codes 0, 1641, and 3010 are treated as success per the standard Windows Installer contract; any other exit code leaves the endpoint flagged for the next evaluation pass.

Use this Worklet to retire Silverlight from any Windows endpoint that still has it installed, whether the install was carried forward from a legacy image, sideloaded by a user for a long-defunct streaming or training site, or left behind by an application uninstaller that did not clean its dependency.

Why retire end-of-life Microsoft Silverlight

Silverlight is a deprecated NPAPI browser plugin that Microsoft stopped supporting on October 12, 2021. No vendor patches, no CVE backports, no security advisories. Any vulnerability discovered after that date will sit unfixed on every endpoint that still has Silverlight installed. The plugin also fails CIS and vendor baseline controls that prohibit unsupported software (CIS Critical Security Control 2.3, "Address Unauthorized Software"), and it shows up as a finding in most enterprise vulnerability scanners as a known end-of-life component. Modern browsers (Chrome, Edge, Firefox) have already removed NPAPI plugin support, so the runtime no longer serves working web content; the only thing it serves now is risk.

Vulnerability scanners have flagged Silverlight as end-of-life for years, but the long tail of installs is the part that lingers: image builds that predate the 2021 EOL, kiosk endpoints running an internal app that never finished its HTML5 rewrite, build agents carrying Silverlight from a legacy automation script. Scheduling this Worklet against the Windows group walks the Uninstall hive at evaluation time, calls msiexec /x against the Silverlight ProductCode, and reports the per-host exit code so the next scanner pass returns a clean Silverlight finding instead of the same backlog.

How Silverlight removal works

1. Evaluation phase: The Worklet checks whether the operating system is 64-bit. On a 64-bit host, it opens the native 64-bit registry view of HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and iterates every subkey, comparing each DisplayName value against "Microsoft Silverlight". It then enumerates HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall using Get-ChildItem and Get-ItemProperty for the 32-bit install. On a 32-bit host, it enumerates HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall directly. A DisplayName match in any hive exits 1 and flags the endpoint for remediation. No match exits 0 and the endpoint is reported compliant.

2. Remediation phase: The Worklet relaunches under the native 64-bit PowerShell host via sysnative when running from a 32-bit Automox agent context. It re-reads the uninstall hives, retrieves the UninstallString for each matching Silverlight entry, and branches on the value. An msiexec-style string triggers Start-Process msiexec.exe /x $($version.PSChildName) /qn /norestart, where PSChildName is the product code GUID lifted straight from the registry key name. A non-msiexec string is invoked directly with the /S silent flag. The remediation tracks exit codes per uninstall call, treats 0, 1641 (reboot initiated), and 3010 (reboot required) as success, logs the uninstalled PSPath, and exits 0. Any other exit code exits 1 so the next evaluation re-flags the endpoint.

Silverlight removal requirements

• Windows endpoint (Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008 R2, 2012 R2, 2016, 2019, 2022) with PowerShell 5.1 or later available to the Automox agent

• Local administrator rights for the Automox agent (the default agent context already meets this), required to read the uninstall registry hives and invoke msiexec /x

• PowerShell execution policy that allows the Automox agent to run unsigned scripts (RemoteSigned or Bypass)

• Microsoft Silverlight registered in HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall or HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall with a populated UninstallString value; orphaned installs that lack a working uninstaller will require manual cleanup of HKLM:\SOFTWARE\Microsoft\Silverlight and the Program Files directories

• No browser, Outlook, or rich-client application actively loading the Silverlight runtime at policy run time; msiexec /x can fail with exit code 1603 if the plugin DLL is locked

• FixNow compatible – you can target a single endpoint or a group on demand from the Automox console without waiting for a scheduled policy window

Expected state after Silverlight removal

After a successful remediation, Microsoft Silverlight is gone from the Programs and Features list, the matching subkey under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and Wow6432Node on 64-bit hosts) is removed, and the runtime DLLs under %ProgramFiles%\Microsoft Silverlight or %ProgramFiles(x86)%\Microsoft Silverlight are deleted by the uninstaller. The Automox activity log records the PSPath of every uninstalled key and the line "Microsoft Silverlight Uninstall Successful" alongside exit code 0.

Validate by opening an elevated PowerShell session on a sample endpoint and running Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object DisplayName -match Silverlight; an empty result confirms removal. Check that HKLM:\SOFTWARE\Microsoft\Silverlight no longer exists, and confirm that Get-AppLockerFileInformation or your enterprise vulnerability scanner no longer reports Silverlight on the host. On the next scheduled evaluation, the Worklet exits 0 with the message "Microsoft Silverlight was not found. Now Exiting" and the endpoint is reported compliant. Subsequent runs are no-ops, so the policy is safe to leave on a recurring schedule as a guardrail against image regressions or user re-installation attempts.