Publish Date: April 26, 2021
Microsoft previously announced that content digitally signed using Secure Hash Algorithm 1 (SHA-1) certificates is being retired in order to support evolving industry security standards. This is in line with our continued efforts to adopt Secure Hash Algorithm 2 (SHA-2), which better meets modern security requirements and offers added protections from common attack vectors.
SHA-1 is a legacy cryptographic hashing algorithm that is no longer deemed secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
The .NET team is taking steps that will affect previously shipped .NET Framework releases and updates currently available for download from Microsoft. Some versions of .NET Framework detailed below will be unsupported and de-listed from the download center. This does not impact customers taking the latest updates via Windows Update. They already have the latest .NET Framework 4.8 and no further action is necessary.
Although we anticipate minimal impact, if you are an ISV and rely on an unsupported version, you will need to re-test your software with the latest supported version. If you are an IT administrator managing machines that are not automatically patched via Windows Update (WU) or Windows Server Update Services (WSUS), you will need to upgrade machines to a supported version of the .NET Framework runtime. There is no requirement that application source code be rebuilt to target the newer version. In most cases, you should be able to run your application on the newer runtime with no changes.
.NET Framework 1.0, 1.1, 2.0, 3.0, 3.5, 4.0, 4.5, 4.5.1
These versions of .NET Framework are currently out of support per the published lifecycle policy.
All bundles, installers, packages, and updates for these versions will be de-listed from the download center on July 26, 2021.
.NET Framework 3.5 SP1
.NET Framework 3.5 SP1 ships as a component of the Windows operating system starting with Windows 7/Server 2008 R2. On older operating systems like Windows Server 2008, .NET Framework 3.5 SP1 is installed out-of-band.
SHA-2 signed installers are being built and will be made available for .NET Framework 3.5 SP1 to be used on Windows Server 2008 SP2 in the coming weeks.
.NET Framework 4.6.2 – 4.8
.NET Framework 4.6.2 through 4.8 are currently in support. SHA-2 signed installers are available for these versions.
.NET Framework 4.5.2 – 4.6.1
While .NET Framework 4.5.2 through 4.6.1 are currently in support at the time of this announcement, their usage is extremely low. In order to meet the security needs of our customers with the resources we have, .NET 4.5.2 through 4.6.1 will be supported for 12 months, until April 26, 2022. After this date, these product versions will be out of support*, and all bundles, installers, packages, and updates for these versions will be de-listed from the download center.
*Windows 10 Enterprise LTSC 2015 shipped with .NET Framework 4.6 built into the OS. This OS version is a long-term servicing channel (LTSC) release. We will continue to support .NET Framework 4.6 on Windows 10 Enterprise LTSC 2015 through end of support of the OS version (October 2025).
Customers currently using .NET Framework 4.5.2, 4.6, or 4.6.1 will need to upgrade to a more recent runtime version: at least .NET Framework 4.6.2, but preferably .NET Framework 4.8.
.NET Framework 4.6.2 shipped nearly 5 years ago, and .NET Framework 4.8 shipped 2 years ago. Both versions are tested, stable runtimes for your applications. .NET Framework 4.6.2 and 4.8 are also broadly deployed via Windows Update (WU). If you are taking the latest updates, then you should already have .NET Framework 4.8 and no further action should be necessary.
If you are using an older .NET Framework 4.x version and have not already updated to .NET Framework 4.6.2 or a later version, applications only need to update the runtime on which they are running to a minimum version of 4.6.2 in order to stay supported. There is no requirement that applications be rebuilt to target the newer version of .NET. In most cases, you should be able to run your application on the newer runtime with no changes. We recommend you validate that the functionality of your app is unaffected when running on the newer runtime version before you deploy to production.
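For administrators of machines not patched through WU or WSUS, the following is an added example (not part of the original announcement and not Microsoft's script) that reads the installed .NET Framework 4.x `Release` value from the registry and maps it to the support status described above. The function names `Get-NetFxSupportStatus` and `Get-InstalledNetFxRelease` are hypothetical; the registry key and minimum `Release` thresholds are those in Microsoft's documentation on determining installed .NET Framework versions.

```powershell
# Added example: classify the installed .NET Framework 4.x runtime against the
# support windows stated in this announcement. Entries are ordered newest first;
# Min is the lowest Release DWORD Microsoft documents for that version.
$ReleaseMap = @(
    @{ Min = 528040; Version = '4.8 or later'; Status = 'In support' }
    @{ Min = 461808; Version = '4.7.2'; Status = 'In support' }
    @{ Min = 461308; Version = '4.7.1'; Status = 'In support' }
    @{ Min = 460798; Version = '4.7';   Status = 'In support' }
    @{ Min = 394802; Version = '4.6.2'; Status = 'In support' }
    @{ Min = 394254; Version = '4.6.1'; Status = 'Support ends April 26, 2022' }
    # 4.6 built into Windows 10 Enterprise LTSC 2015 follows the OS lifecycle instead.
    @{ Min = 393295; Version = '4.6';   Status = 'Support ends April 26, 2022' }
    @{ Min = 379893; Version = '4.5.2'; Status = 'Support ends April 26, 2022' }
    @{ Min = 378675; Version = '4.5.1'; Status = 'Out of support' }
    @{ Min = 378389; Version = '4.5';   Status = 'Out of support' }
)

# Hypothetical helper: map a Release value to version and support status.
function Get-NetFxSupportStatus {
    param([Parameter(Mandatory)][int]$Release)
    foreach ($entry in $ReleaseMap) {
        if ($Release -ge $entry.Min) {
            return [pscustomobject]@{
                Release = $Release; Version = $entry.Version; Status = $entry.Status
            }
        }
    }
    [pscustomobject]@{ Release = $Release; Version = 'unknown'; Status = 'Out of support' }
}

# Hypothetical helper: read the Release DWORD; $null means no 4.5+ runtime is registered.
function Get-InstalledNetFxRelease {
    $key  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $prop = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    [int]$prop.Release
}

$release = Get-InstalledNetFxRelease
if ($null -eq $release) {
    Write-Output 'No .NET Framework 4.5 or later detected (Release value missing).'
} else {
    Get-NetFxSupportStatus -Release $release
}
```

Any machine reporting a status other than "In support" needs its runtime upgraded to at least 4.6.2, as described above.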
If you are currently using .NET Framework 4.5.2 – 4.6.1, you may find these resources helpful:
Runtime changes between .NET Framework 4.5.2 and .NET Framework 4.6.2
We are committed to helping you ensure your apps work on the latest versions of our software. Should you have any questions that remain unanswered, we’re here to help. You should engage with Microsoft Support through your regular channels for a resolution.
Additionally, if you run into compatibility or app issues as you transition to .NET Framework 4.6.2 or later, there’s App Assure. We’ll help you resolve compatibility issues at no additional cost. You can contact App Assure for remediation support or by email if you experience any challenges submitting your request (ACHELP@microsoft.com).
In case you have questions not covered in this document, please read this FAQ.