Release Notes

Fixed Export computers and users options not being possible
- Fixed the outputs in both User and Computer reports to show better data
  - LAPS attributes now only shows in computers
  - BadPrimaryGroup issue resolved and header updated to be clear about it only working for enabled users (this is because this is how the risk works)
Fixed False positive from AzureADKrrberos Objects and our new updated HotFix scanner not excluding them
Fixed regression in the bad primary group rule to not report on disabled accounts. This was a mix up between the Export and the Rule.
Fixed an issue with A-DCLAPSign where mitigated Domain Controllers were incorrectly detected due to a change made when upgrading ASP.NET 8. New methodology implemented and code comments and trace logs improved.
Entra ID Scan issue with users whose “Account needs to be secured” (MFA requirement with no MFA) from erroring and now falls back to the previous error saying to use a different browser
Fixed an issue in privileged mode where the CA Scan could error if the CA registry location is in an unexpected location.
Fixed an issue with the TenantID Column in Entra reports where it outputted the entire URL
Updated P-UnconstrainedDelegation to capture disabled accounts as they are a significant risk still and updated the risk text.
Fixed an issue with the “You are not using a supported version of PingCastle” banner on all reports
PingCastle AutoUpdater Migration from pingcastle.exe.config to appsettings.console.json now triggers every time.

Packaging Update: Removed the old documentation pdf from the zip. Documentation is located here.

Assets 3

03 Feb 14:25

JoeDibley

3.5.0.37

5b8a662

PingCastle 3.5.0.37

Release Notes

Privileged Mode Updates

S-Vuln-MS14-068
S-Vuln-MS17-010
- Detection now checks installed hotfixes on domain controllers.

Without Privileged Mode, these rules will no longer be evaluated.

Rule Updates & Fixes

DNS Zone Rules

A-DnsZoneUpdate1 & A-DnsZoneUpdate2

_msdcs.* zones are now classified as critical infrastructure
Reporting has been expanded to include:
- Zone name
- Domain
- Distinguished Name
- Partition

This makes DNS details clearer and simplifies remediation planning.

P-Kerberoasting

Fixed duplicate findings when users belonged to multiple privileged groups making findings more focused.
The report now shows:
- One row per vulnerable user
- All associated groups and SPNs aggregated

T-SIDFiltering

Fixed false positives on legacy Windows 2000 intra-forest trusts
These trusts often have TrustAttributes = 0 due to historical domain upgrades
New CrossRef-based filtering logic correctly identifies within-forest trusts and no longer flags them as insecure

Microsoft Defender Attack Surface Reduction (ASR)

Microsoft changed ASR policy locations in Windows Server 2025
PingCastle now checks all three possible GPO paths
Ensures reliable ASR detection across mixed server versions

Other Rule Fixes

A-DnsZoneAUCreateChild
- Fixed false negatives when no DNS partitions exist on a domain controller
- Previously, some environments were skipped entirely due to an unreachable code path
S-FolderOptions
- Remediation guidance now points to the correct GPO path

Platform Update: ASP.NET 8 Upgrade

PingCastle has been upgraded to ASP.NET 8 to align with PingCastle Enterprise and to hopefully reduce antivirus false-positive detections seen in some environments over the last few months.

What to expect

Larger executable (~200 MB)
- ASP.NET 8 is bundled directly into the executable to keep execution simple.
- No external runtime dependencies required
Configuration file change
- Configuration moves from PingCastle.exe.config To: appsettings.console.json
Auto-update behavior change
- If you use the PingCastleAutoUpdater.exe, two executions are required:
  1. First run: Downloads the new version
  2. Second run: Automatically migrates existing configuration to appsettings.console.json

Update (February 5, 2026)
It was identified that PingCastle released with unsigned binaries due to a sequencing issue in the build and release pipelines. Due to that the release version has been updated from 3.5.0.33 to 3.5.0.37. No code changes were made between these versions, only build and release pipeline changes were made.

Assets 3

06 Oct 11:03

JoeDibley

3.4.2.66

e02d230

PingCastle 3.4.2.66

Release Date: 2025-10-06
End of support: 2026-04-30

Release Notes

ESC2 Check Updates

Privileged Mode: Added support to validate enrollment permissions on the Certification Authority.
Clearer Messaging: Risk identification for ESC2 is now explicit.
Expanded Guidance: Improved technical explanations and remediation details.

Bug Fixes

Exit Option: Fixed behavior to return one level up instead of terminating the program.
SMB2SignatureNotEnabled: Corrected handling of invalid SMB2_NegotiateResponse structures.
LAPS Charts: Resolved incorrect data display in pie charts.
Non-Domain Runs: Fixed issues running PingCastle on non-domain-joined machines.
Help Output: Added missing --services collection option to the help text.