Critical and Security Updates

This release includes new critical updates for locale formatting, @AuraEnabled Apex methods, actions, and other changes. Also check out updates on the Security Updates page, and previously released and newly enforced critical updates.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate each update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is permanently activated by Salesforce. For more details, see Respond to Critical Updates.

The Security Updates page in Setup gives a list of security updates that affect your org. Each update comes with step-by-step recommendations for actions to take in your org.

New Critical Updates

These critical updates are new in Winter ’20.

Enable ICU Locale Formats (Critical Update)
To help you do business wherever you are, we’re adopting the International Components for Unicode (ICU) formats for dates and times. These new formats replace Oracle’s Java 8 Development Kit (JDK8) formats. ICU sets the international standard for these formats for all locales. The new formats provide a consistent experience across the Salesforce platform and improve integration with ICU-compliant applications across the globe.
Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile (Critical Update)
This critical update gives you more control over which guest or portal users can access Apex classes containing @AuraEnabled methods.
Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile (Critical Update)
This critical update gives you more control over which authenticated users can access Apex classes containing @AuraEnabled methods.
Use with sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update)
This critical update changes the behavior of @AuraEnabled Apex controllers that don’t specify with sharing or without sharing to default to with sharing.
Enforce Access Modifiers on Apex Properties in Lightning Component Markup (Critical Update)
This critical update makes Lightning components consistent with the usage of Apex properties in other contexts. For example, a markup expression can no longer access an Apex property with a private Apex getter.
Route My Domains Through Salesforce Edge (Critical Update)
We’re accelerating domain requests for My Domains. With this update, you keep the same My Domain address, but requests go through Salesforce Edge. Salesforce Edge uses machine-learning technology to improve connectivity and performance. You can acknowledge this update to let Salesforce move your org’s My Domain to the new service before the July 2020 auto-activation date.
Migrate Legacy Policies to the Enhanced Transaction Security Framework (Critical Update)
With Salesforce’s new enhanced transaction security policy framework, you can create transaction security policies that execute actions on any standard or custom object. Now that the new framework is generally available, we are retiring the legacy framework in the Summer ’20 release. To prepare for this retirement and take advantage of the new features, migrate your legacy transaction security policies to the new framework as soon as possible.
Enable Partial Save for Invocable Actions (Critical Update)
This critical update improves the behaviors and effects of failed invocable actions. It only affects external REST API calls to invocable actions done in bulk. With this update, when invoking a set of actions in a single request, a single failed invocable action no longer causes the entire transaction to fail. Without this update, if a single invocable action fails, other invocable actions within the transaction are rolled back and the entire transaction fails.
Require a Deployment and Show the Right Actions (Critical Update)
This update requires that you select a deployment for the Actions & Recommendations component. When you configure Lightning Flow for Service, a deployment lets you control the actions that agents can start when they need an action that doesn’t appear in the component’s to-do list.
Require Customize Application Permission for Direct Read Access to Custom Metadata Types (Critical Update)
Users without the Customize Application permission can read unprotected custom metadata types using different APIs that are provided by Salesforce. Following the “secure by default” approach, read access for users who don’t have the Customize Application permission is revoked with this update. This change affects Visualforce pages and Lightning components that directly reference custom metadata types. For custom metadata types, an admin can explicitly grant access to a specific profile or permission set.

Previously Released Critical Updates

These critical updates were announced in a previous release and are still available.

Enable Manual Account Sharing in Enterprise Territory Management (Previously Released Critical Update)
This update changes the TerritoryManual reason code in AccountShare records to Territory2AssociationManual and is required to let users share accounts manually with territory groups. This critical update was first made available in Spring ’19.
Prevent Creation of Function Expressions in Dynamically Created Aura Components (Previously Released Critical Update)
To improve security and stability, this critical update prevents attribute values passed to $A.createComponent() or $A.createComponents() from being interpreted as Aura function expressions. This critical update was first made available in Summer ’19.
Stabilize the Hostname for My Domain URLs in Sandboxes (Previously Released Critical Update)
We’re removing instance names from MyDomain URLs for sandboxes. The instance name identifies where your Salesforce sandbox org is hosted. Removing the instance name makes the URL cleaner and easier for users to remember. For example, MyDomain--SandboxName.my.salesforce.com replaces MyDomain--SandboxName.cs5.my.salesforce.com. This critical update was first made available in Summer ’18.
Remove Instance Names from URLs for Visualforce, Community Builder, Site.com Studio, and Content Files (Previously Released Critical Update)
We’re removing the instance names from Visualforce, Community Builder, Site.com Studio, and content file URLs. An instance name identifies where your Salesforce org is hosted. Instanceless domains are cleaner and easier for users to remember. This critical update applies to orgs that have a deployed My Domain. After this update, a URL that includes the instance name, such as a bookmark, automatically redirects to the new hostname. This critical update was first made available in Spring ’18.

Enforced Critical Updates

These critical updates were announced in a previous release and are now enforced.

Turn On Lightning Experience (Critical Update, Enforced)
Salesforce is turning on Lightning Experience on a rolling basis in Winter ’20. Users still have access to Salesforce Classic after Lightning Experience is turned on. But Lightning Experience is where you want to be for driving business growth and improving productivity. To get ready, verify your org’s existing features and customizations in the new interface, and prepare your users with change management best practices. This critical update was first made available in Spring ’19.
Restrict Use of Salesforce Classic HTML-Based Email Templates to Secure Browsers (Critical Update, Enforced)
Restrict Use of Salesforce Classic HTML-Based Email Templates was a critical update in Summer ’18 and is enforced in Winter ’20. This critical update prevents using HTML-based email templates, such as custom, Visualforce, or standard HTML templates, when accessing Salesforce from Microsoft Internet Explorer. Internet Explorer doesn’t support the Salesforce Content Security Policy (CSP), so it can’t provide the required browser protection. We recommend a browser with CSP support, such as Microsoft Edge, Google Chrome, or Mozilla Firefox.
Improve Email Security with Redesigned DKIM Keys (Critical Update, Enforced)
Improve Email Security with Redesigned DKIM Keys was a critical update in Winter ’19 and is enforced in Winter ’20. To address potential security vulnerabilities with DomainKeys Identified Mail (DKIM) keys, we improved the way they’re created. You no longer have to work with public and private keys. Instead, Salesforce publishes the TXT record containing your public key to DNS. We also added automatic key rotation to reduce the risk of your keys becoming compromised by a third party. Keys generated via the old method continue to work, but in Winter ’20, when you generate new keys, you must use the more secure method. And, because sharing keys can introduce security vulnerabilities, we removed the ability to import DKIM keys.
Require TLS 1.2 for HTTPS Connections (Critical Update, Enforced)
Require TLS 1.2 for HTTPS Connections was a critical update in Summer ’19 and is enforced in Winter ’20 on October 25, 2019. To maintain the highest security standards and promote the safety of your data, Salesforce is disabling the older Transport Layer Security (TLS) 1.1 encryption protocol. All inbound connections to or outbound connections from your Salesforce org must use TLS 1.2. Verify that your browser access, API integrations, and other Salesforce features are compliant with TLS 1.2.
Require TLS 1.2 for HTTPS Connections in Communities and Sites (Critical Update, Enforced)
Require TLS 1.2 for HTTPS Connections in Communities and Sites was a critical update in Summer ’19 and is enforced in Winter ’20 on October 25, 2019. To maintain the highest security standards and promote the safety of your data, Salesforce is disabling the older Transport Layer Security (TLS) 1.1 encryption protocol. All inbound connections to or outbound connections from your Salesforce communities, sites, and portals must use TLS 1.2. Verify that your browser access, API integrations, and other Salesforce features are compliant with TLS 1.2.
API Only Users Can Access Only Salesforce APIs (Critical Update, Enforced)
API Only Users Can Access Only Salesforce APIs was a critical update in Spring ’19 and is enforced in Winter ’20. This critical update ensures that if a user has the API Only User permission, they can access Salesforce only via APIs, regardless of their other permissions.
Block Certain Fields in the User Record for Orgs with Communities and Portals (Security and Critical Update, Enforced)
Salesforce is giving customers the option to enable a user setting that allows the hiding of certain personal information fields on the user records in orgs with communities or portals. The fields are hidden from view when external users are accessing user records. External users can still see their own user records.
Restrict the Use of Standard External Profiles for Self-Registration and Assignment to Users (Security and Critical Update, Enforced)
This update restricts the use of standard external profiles for self-registration and assignment to users.

Postponed Critical Updates

These critical updates were announced in a previous release and the auto-activation date is postponed.

Disable Access to Non-global Apex Controller Methods in Managed Packages (Critical Update, Postponed)
This critical update, released in Summer ’17, was scheduled for auto-activation in Winter ’20, but has been postponed to Spring ’20. The critical update corrects access controls on Apex controller methods in managed packages. When this update is enabled, only methods marked with the global access modifier are accessible by Aura components from outside the package namespace. These access controls prevent you from using unsupported API methods that the package author didn’t intend for global access.
Check for Null Record Variables or Null Values of Lookup Relationship Fields in Process and Flow Formulas (Critical Update, Postponed)
This critical update, released in Spring ’19, was scheduled for auto-activation in Summer ’19, but has been postponed to Spring ’20. The critical update was previously called “Return Null Values in Process and Flow Formulas.”
Enable Improved Caching of Org Schema (Critical Update, Postponed)
This critical update was scheduled for auto-activation in Summer ’19 but has been postponed to Spring ’20. This critical update enables improved caching of org schema details and resolves known issues with version-specific object and field handling.

Retired Critical Updates

These critical updates were announced in a previous release but have been retired. They have been removed from the Critical Update Console and won’t be activated.

Use without sharing for @AuraEnabled Apex Controllers with Implicit Sharing (Critical Update, Retired)
This critical update, released in Spring ’18, was scheduled for auto-activation in Winter ’20, but has been retired.

New Security Updates

These security updates are new in Winter ’20.

Automatically Assign Records Created by Guest Users to a Default Owner (Security Update)
To increase the security of your Salesforce data, set up your org so that guest users are no longer automatically the owner of records they create. Instead, when a guest user creates a record, the record is assigned to a default active user in the org, who becomes the owner.
View All Users and Other Permissions Disabled in Guest User Profiles (Security Update)
Guest users typically don’t need access to view all users in a Salesforce org, so to promote data security, we disabled the View All Users permission in guest user profiles. If you have an org created before Winter ’20, we recommend that you check guest user access and deselect the View All Users permission in all your guest user profiles. To enhance security, we also removed these permissions from the guest user profile: Enable UI Tier Architecture, Remove People from Direct Messages, View Topics, and Send Non-Commercial Email.