Install .NET Framework 3.5 via Intune — All Methods (2026 Guide)

Many legacy business applications — ERP systems, older in-house tools, hardware management software — still depend on .NET Framework 3.5, which is not installed by default on Windows 10 or Windows 11. Deploying it across a managed fleet via Intune has a few gotchas that trip people up, particularly around internet access, WSUS environments, and Windows 11 compatibility. This guide covers all three deployment methods with working scripts.

Detail
Last Updated	March 2026
Applies To	Windows 10, Windows 11, Microsoft Intune
Feature Name	NetFx3 (includes .NET 2.0 and 3.0)
Difficulty	Beginner to Intermediate

Why .NET 3.5 Is Not Simply an App Install

.NET Framework 3.5 is a Windows Optional Feature, not a standalone installer. This means it cannot be deployed as a regular Win32 EXE or MSI — the installation files come from the Windows component store or the Windows installation media (sources\sxs), not from a downloaded package.

This creates a challenge in managed environments: if a device cannot reach Windows Update (for example, it is WSUS-only or internet-restricted), the feature will fail to install unless you provide the source files yourself. The three methods below cover all scenarios.

Enable the .NET Framework 3.5 in Control Panel

Check Current Installation Status

Before deploying, verify whether .NET 3.5 is already present on a device:

Get-WindowsOptionalFeature -Online -FeatureName NetFx3 | Select-Object FeatureName, State

The State will return one of: Enabled, Disabled, or DisabledWithPayloadRemoved. The last value means the feature payload was stripped from the component store — in this case you must provide an offline source (Method 2 or 3), as Windows Update alone may not be sufficient.

Method 1: Online Install via Windows Update (Intune PowerShell Script)

The simplest approach — works when devices have direct internet access or access to Windows Update endpoints. Deploy this as an Intune Platform script (PowerShell script, run as SYSTEM, 64-bit):

# Install .NET Framework 3.5 via Windows Update source
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
    if ($feature.State -eq "Enabled") {
        Write-Host ".NET Framework 3.5 is already installed. Exiting."
        exit 0
    }

    Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -NoRestart -ErrorAction Stop
    Write-Host ".NET Framework 3.5 installed successfully."
    exit 0
} catch {
    Write-Host "Installation failed: $_"
    exit 1
}

In Intune, go to Devices → Scripts and remediations → Platform scripts → Add and configure:

Run this script using the logged on credentials: No (run as SYSTEM)
Enforce script signature check: No
Run script in 64 bit PowerShell Host: Yes

Assign to your target group. This method requires that devices can reach *.windowsupdate.com and *.update.microsoft.com. If devices are WSUS-only, this will fail silently — use Method 2 instead.

Method 2: Offline Install via Win32 App with SxS Source

This is the most reliable method for WSUS-managed, air-gapped, or internet-restricted environments. You package the feature source files from the Windows installation media alongside an install script, and deploy it as a Win32 app.

Step 1: Extract the SxS Source Files

Mount a Windows ISO that matches your target OS version (Windows 10 22H2 or Windows 11 24H2 — the SxS files must match the OS build). Copy the sources\sxs folder from the mounted ISO to a working directory on your machine.

# Mount the ISO and copy SxS files
$isoPath = "C:\ISOs\Windows11_24H2.iso"
$mountResult = Mount-DiskImage -ImagePath $isoPath -PassThru
$driveLetter = ($mountResult | Get-Volume).DriveLetter
Copy-Item -Path "${driveLetter}:\sources\sxs" -Destination "C:\NetFx3Package\sxs" -Recurse
Dismount-DiskImage -ImagePath $isoPath

Step 2: Create the Install and Detection Scripts

Create install.ps1 in your package folder:

# install.ps1 — install .NET 3.5 from local SxS source with Windows Update fallback
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$sxsPath = Join-Path $scriptDir "sxs"

try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
    if ($feature.State -eq "Enabled") {
        Write-Host "Already installed. Exiting."
        exit 0
    }

    if (Test-Path $sxsPath) {
        Write-Host "Installing from local SxS source: $sxsPath"
        dism /online /enable-feature /featurename:NetFX3 /All /Source:"$sxsPath" /LimitAccess /quiet
    } else {
        Write-Host "SxS not found, falling back to Windows Update..."
        Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -NoRestart
    }

    $result = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
    if ($result.State -eq "Enabled") {
        Write-Host "Installation successful."
        exit 0
    } else {
        Write-Host "Installation failed — feature state: $($result.State)"
        exit 1
    }
} catch {
    Write-Host "Error: $_"
    exit 1
}

Create detection.ps1 for the Win32 app detection rule:

# detection.ps1 — detect if .NET Framework 3.5 is installed
$feature = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
if ($feature.State -eq "Enabled") {
    Write-Host "Installed"
    exit 0
} else {
    exit 1
}

Step 3: Package and Deploy as Win32 App

Your package folder should contain:

install.ps1
detection.ps1
sxs\ folder (copied from the Windows ISO)

Package it with the Microsoft Win32 Content Prep Tool:

.\IntuneWinAppUtil.exe -c "C:\NetFx3Package" -s install.ps1 -o "C:\Output"

In Intune, go to Apps → Windows → Add → Windows app (Win32) and configure:

Install command: powershell.exe -ExecutionPolicy Bypass -File install.ps1
Uninstall command: powershell.exe -ExecutionPolicy Bypass -Command "Disable-WindowsOptionalFeature -Online -FeatureName NetFx3 -NoRestart"
Install behavior: System
Detection rule: Use a custom detection script → upload detection.ps1

Method 3: WSUS Environment — Allow Feature on Demand via GPO

If your devices are managed by WSUS and cannot reach Windows Update directly, you can configure a Group Policy that allows optional feature downloads specifically from Windows Update while keeping WSUS for regular patching:

Computer Configuration → Administrative Templates → System → Specify settings for optional component installation and component repair

Enable the policy and check “Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)”. Once the GPO is applied, Method 1’s PowerShell script will work without the SxS source.

Alternatively, configure the same setting via Intune Settings Catalog: search for “Specify settings for optional component installation” under Administrative Templates → System.

Important: SxS Files Must Match the OS Version

This is the most common reason offline installations fail. The SxS source files from a Windows 11 24H2 ISO will not install successfully on a Windows 10 22H2 device, and vice versa. If you manage multiple OS versions in your fleet, you either need to:

Create separate Win32 app packages for each OS version with the matching SxS files, and use Requirements rules in Intune to target the correct package per OS build
Or skip the offline SxS method and use Method 1 (online) or Method 3 (GPO to allow FoD from Windows Update)

Troubleshooting

Issue	Cause	Fix
Error 0x800F0954	Device is WSUS-managed, cannot reach Windows Update for FoD	Use offline SxS method or enable FoD GPO
Error 0x800F081F	Source files not found or SxS version mismatch	Verify SxS matches exact OS build; check path in DISM command
State stays “DisabledWithPayloadRemoved”	Component store payload was stripped	Must use offline SxS source — Windows Update alone is insufficient
Intune reports install as failed but feature is Enabled	Script exited with wrong code or detection rule misconfigured	Verify detection.ps1 exits 0 when State = Enabled; check 64-bit PS host setting
PowerShell script fails on Windows 11 but works on Windows 10	Known compatibility issue with some Windows 11 builds	Switch to DISM command in the install script instead of Enable-WindowsOptionalFeature

Summary

.NET Framework 3.5 deployment via Intune is straightforward once you understand the source file dependency. Choose your method based on your environment’s internet access and WSUS configuration:

Internet access available → Platform script with Enable-WindowsOptionalFeature (Method 1)
WSUS / internet-restricted → Win32 app with offline SxS source from matching Windows ISO (Method 2)
WSUS but FoD allowed → GPO or Settings Catalog to enable Feature on Demand from Windows Update (Method 3)
Always verify the SxS source version matches the target OS build — version mismatch is the most common failure point
Use a custom PowerShell detection script checking Get-WindowsOptionalFeature -FeatureName NetFx3 for reliable detection in Intune