Releases: netwrix/pingcastle
PingCastle 3.5.0.40
Release Notes
- Fixed Export computers and users options not being possible
- Fixed the outputs in both User and Computer reports to show better data
- LAPS attributes now only show for computers
- BadPrimaryGroup issue resolved and header updated to be clear about it only working for enabled users (this is because this is how the risk works)
- Fixed a false positive from AzureADKerberos objects, caused by our newly updated hotfix scanner not excluding them
- Fixed a regression in the bad primary group rule so that it does not report on disabled accounts. This was a mix-up between the Export and the Rule.
- Fixed an issue with A-DCLAPSign where mitigated Domain Controllers were incorrectly detected due to a change made when upgrading ASP.NET 8. New methodology implemented and code comments and trace logs improved.
- Fixed the Entra ID scan erroring for users in the “Account needs to be secured” state (MFA requirement with no MFA); it now falls back to the previous error saying to use a different browser
- Fixed an issue in privileged mode where the CA Scan could error if the CA registry key is in an unexpected location.
- Fixed an issue with the TenantID Column in Entra reports where it outputted the entire URL
- Updated P-UnconstrainedDelegation to capture disabled accounts, as they are still a significant risk, and updated the risk text.
- Fixed an issue with the “You are not using a supported version of PingCastle” banner on all reports
- PingCastle AutoUpdater Migration from pingcastle.exe.config to appsettings.console.json now triggers every time.
Packaging Update: Removed the old documentation pdf from the zip. Documentation is located here.
PingCastle 3.5.0.37
Release Notes
Privileged Mode Updates
- S-Vuln-MS14-068
- S-Vuln-MS17-010
- Detection now checks installed hotfixes on domain controllers.
Without Privileged Mode, these rules will no longer be evaluated.
Rule Updates & Fixes
DNS Zone Rules
A-DnsZoneUpdate1 & A-DnsZoneUpdate2
- _msdcs.* zones are now classified as critical infrastructure
- Reporting has been expanded to include:
  - Zone name
  - Domain
  - Distinguished Name
  - Partition
This makes DNS details clearer and simplifies remediation planning.
P-Kerberoasting
- Fixed duplicate findings when users belonged to multiple privileged groups, making findings more focused.
- The report now shows:
  - One row per vulnerable user
  - All associated groups and SPNs aggregated
T-SIDFiltering
- Fixed false positives on legacy Windows 2000 intra-forest trusts
- These trusts often have TrustAttributes = 0 due to historical domain upgrades
- New CrossRef-based filtering logic correctly identifies within-forest trusts and no longer flags them as insecure
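The within-forest check described above, sketched as an added example (not PingCastle's own code): a trust whose partner matches a domain crossRef of the local forest is treated as within-forest even when trustAttributes is 0. The sample trusts and crossRef values are constructed, and the function names and status strings are hypothetical.

```python
# Added illustration; not PingCastle source code. All sample data is constructed.
from dataclasses import dataclass

# trustAttributes bit flags of a trustedDomain object (MS-ADTS)
QUARANTINED_DOMAIN = 0x04   # SID filtering enforced on an external trust
FOREST_TRANSITIVE = 0x08    # forest trust (SID filtering on by default)
WITHIN_FOREST = 0x20        # trust between domains of the same forest
TREAT_AS_EXTERNAL = 0x40    # forest trust with relaxed SID filtering
FLAG_CR_NTDS_DOMAIN = 0x02  # crossRef systemFlags bit: names a domain partition

@dataclass
class Trust:
    partner: str      # trustPartner DNS name
    attributes: int   # trustAttributes value

def forest_domains(crossrefs):
    """DNS names of the domain partitions listed under CN=Partitions.

    crossrefs: iterable of (dnsRoot, systemFlags) pairs.
    """
    return {dns.lower().rstrip(".") for dns, flags in crossrefs
            if flags & FLAG_CR_NTDS_DOMAIN}

def sid_filtering_status(trust, same_forest):
    """Return 'not-applicable', 'enabled' or 'disabled' for one trust."""
    partner = trust.partner.lower().rstrip(".")
    # A legacy intra-forest trust can carry trustAttributes = 0, so the
    # WITHIN_FOREST bit alone is not reliable; the crossRef list is also used.
    if trust.attributes & WITHIN_FOREST or partner in same_forest:
        return "not-applicable"
    if trust.attributes & FOREST_TRANSITIVE:
        return "disabled" if trust.attributes & TREAT_AS_EXTERNAL else "enabled"
    return "enabled" if trust.attributes & QUARANTINED_DOMAIN else "disabled"

# Constructed sample: a corp.example forest with one child upgraded from Windows 2000
CROSSREFS = [("corp.example", 0x3), ("legacy.corp.example", 0x3),
             ("ForestDnsZones.corp.example", 0x5)]   # application partition
TRUSTS = [Trust("legacy.corp.example", 0x00),   # intra-forest, attributes = 0
          Trust("partner.example", 0x00),       # external, not quarantined
          Trust("vendor.example", 0x04),        # external, quarantined
          Trust("other-forest.example", 0x08)]  # forest trust

def classify_all():
    domains = forest_domains(CROSSREFS)
    return {t.partner: sid_filtering_status(t, domains) for t in TRUSTS}

if __name__ == "__main__":
    for partner, status in classify_all().items():
        print(f"{partner:24} {status}")
```

Without the crossRef lookup, legacy.corp.example and partner.example would be indistinguishable, since both carry trustAttributes = 0.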
Microsoft Defender Attack Surface Reduction (ASR)
- Microsoft changed ASR policy locations in Windows Server 2025
- PingCastle now checks all three possible GPO paths
- Ensures reliable ASR detection across mixed server versions
Other Rule Fixes
- A-DnsZoneAUCreateChild
  - Fixed false negatives when no DNS partitions exist on a domain controller
  - Previously, some environments were skipped entirely due to an unreachable code path
- S-FolderOptions
  - Remediation guidance now points to the correct GPO path
Platform Update: ASP.NET 8 Upgrade
PingCastle has been upgraded to ASP.NET 8 to align with PingCastle Enterprise and to hopefully reduce antivirus false-positive detections seen in some environments over the last few months.
What to expect
- Larger executable (~200 MB)
  - ASP.NET 8 is bundled directly into the executable to keep execution simple.
  - No external runtime dependencies required
- Configuration file change
  - Configuration moves from PingCastle.exe.config to appsettings.console.json
- Auto-update behavior change
  - If you use the PingCastleAutoUpdater.exe, two executions are required:
    - First run: Downloads the new version
    - Second run: Automatically migrates existing configuration to appsettings.console.json
Update (February 5, 2026)
It was identified that PingCastle was released with unsigned binaries due to a sequencing issue in the build and release pipelines. As a result, the release version has been updated from 3.5.0.33 to 3.5.0.37. No code changes were made between these versions; only build and release pipeline changes were made.
PingCastle 3.4.2.66
Release Date: 2025-10-06
End of support: 2026-04-30
Release Notes
ESC2 Check Updates
- Privileged Mode: Added support to validate enrollment permissions on the Certification Authority.
- Clearer Messaging: Risk identification for ESC2 is now explicit.
- Expanded Guidance: Improved technical explanations and remediation details.
Bug Fixes
- Exit Option: Fixed behavior to return one level up instead of terminating the program.
- SMB2SignatureNotEnabled: Corrected handling of invalid SMB2_NegotiateResponse structures.
- LAPS Charts: Resolved incorrect data display in pie charts.
- Non-Domain Runs: Fixed issues running PingCastle on non-domain-joined machines.
- Help Output: Added missing --servicescollection option to the help text.
Entra ID Terminology
- Standardized terminology to align with Microsoft Entra ID, replacing legacy Azure AD terms.
DNS Zone Update Improvements
- Added DistinguishedName property to HealthcheckDnsZones.
- LDAP collection now includes DNs for (objectClass=dnsZone) objects.
- Filters CNF and replication artifacts.
- AddRawDetail outputs include DN and partition context for better precision.
Update
2025-10-16: Fixed zip layout for PingCastleAutoUpdater.exe
PingCastle 3.4.1.38
Release Date: 2025-07-11
End of support: 2026-01-10
PingCastle 3.4.1.35
Release Date: 2025-07-11
End of support: 2026-01-10
PingCastle 3.3.0.12
Release date: 2025-05-08
End of support: 2026-01-31
PingCastle 3.3.0.12_beta
This is a beta release that adds a new risk for BadSuccessor, where delegations are detected on OUs that may allow abuse.
Update: Added a fix where some ACLs were being incorrectly detected, e.g. Full Control on users.
PingCastle 3.3.0.11
Release date: 2025-05-08
End of support: 2026-01-31
PingCastle 3.3.0.1
Release date: 2024-09-25
End of support: 2026-01-31
PingCastle 3.3.0.0
Release date: 2024-09-13
End of support: 2026-01-31