PingCastle v3.5 brings modern authentication support, improved scanning accuracy, and more!
Want the full details? Click the link below!
What’s Changed in Netwrix PingCastle 3.5
Modern Authentication for Email Notifications
PingCastle now supports Entra ID app registration for sending email notifications, replacing legacy SMTP basic auth.
- Supports certificate and secret-based authentication
- PowerShell scripts included to simplify setup
- We recommend restricting the app registration to a dedicated PingCastle mailbox
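One way to apply the mailbox restriction recommended above is an Exchange Online application access policy. This is an added example, not one of the setup scripts shipped with PingCastle. It assumes the app registration sends mail through Microsoft Graph with the Mail.Send application permission; the app ID, group name and addresses are placeholders.

```powershell
# Added example, not a script shipped with PingCastle. All values are placeholders.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$AppId   = '00000000-0000-0000-0000-000000000000'   # placeholder: application (client) ID
$Mailbox = 'pingcastle-notify@contoso.example'      # placeholder: dedicated sender mailbox
$Group   = 'pingcastle-mail-scope@contoso.example'  # placeholder: scope group address

# Application access policies are scoped by a mail-enabled security group,
# so create one that contains only the dedicated mailbox.
New-DistributionGroup -Name 'PingCastle Mail Scope' -Type Security `
    -PrimarySmtpAddress $Group -Members $Mailbox

# Restrict the app registration to the mailboxes in that group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $Group `
    -AccessRight RestrictAccess `
    -Description 'PingCastle notifications: dedicated mailbox only'

# Verify the scope: the dedicated mailbox should report Granted,
# any other mailbox in the tenant should report Denied.
Test-ApplicationAccessPolicy -AppId $AppId -Identity $Mailbox
Test-ApplicationAccessPolicy -AppId $AppId -Identity 'someone.else@contoso.example'
```

Without such a scope, an application-level Mail.Send permission applies to every mailbox in the tenant, so the second check is the one that confirms the restriction.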
Privileged Mode
A new scanner option that enables deeper inspection for certain rules:
PingCastle.exe --healthcheck --privileged --server domain.local
Improves accuracy for:
- A-CertTempCustomSubject (ESC1) and A-CertTempAnyPurpose (ESC2) – Now checks CA Enrollment ACLs directly
- S-Vuln-MS14-068 and S-Vuln-MS17-010 – Checks installed hotfixes on domain controllers
Rule Updates
DNS Zone Rules (A-DnsZoneUpdate1 & A-DnsZoneUpdate2)
- Added _msdcs.* zones to critical infrastructure detection
- Reporting now shows zone name, domain, distinguished name, and partition
Kerberoasting (P-Kerberoasting)
The old report format created duplicate entries when a user belonged to multiple privileged groups, cluttering results and breaking action plan tracking in Enterprise. Now shows one line per vulnerable user with all groups and SPNs aggregated.
SID Filtering (T-SIDFiltering)
Fixed false positives on legacy Windows 2000 intra-forest trusts. These trusts have TrustAttributes = 0 from never being updated during domain upgrades, which PingCastle previously misread as a security risk. New CrossRef filtering logic correctly identifies within-forest trusts.
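The idea behind that fix, sketched as an added example (not PingCastle's own code): a trust whose TrustAttributes value lacks the within-forest flag is still treated as intra-forest when its partner matches a domain listed in the forest's crossRef objects. The function name, property names and sample data are hypothetical and constructed for illustration.

```powershell
# Added example; not PingCastle's implementation. Sample data is constructed.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering (quarantine) enabled
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # trust between domains of one forest

function Get-TrustScope {
    param(
        [Parameter(Mandatory)] [object[]] $Trust,        # objects with TrustPartner, TrustAttributes
        [Parameter(Mandatory)] [string[]] $ForestDomain  # dnsRoot values taken from crossRef objects
    )
    foreach ($t in $Trust) {
        $flagged = ($t.TrustAttributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0
        # Legacy case: the attribute was never updated, but the partner is a
        # known partition of this forest (-contains is case-insensitive).
        $legacy  = (-not $flagged) -and ($ForestDomain -contains $t.TrustPartner)

        $scope = if ($flagged)    { 'IntraForest (flag set)' }
                 elseif ($legacy) { 'IntraForest (matched crossRef)' }
                 else             { 'OutsideForest' }

        [pscustomobject]@{
            TrustPartner    = $t.TrustPartner
            TrustAttributes = $t.TrustAttributes
            Scope           = $scope
            # Only trusts that leave the forest are candidates for a SID filtering finding.
            NeedsSidFilteringReview = ($scope -eq 'OutsideForest') -and
                (($t.TrustAttributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -eq 0)
        }
    }
}

# Constructed sample input. In a live domain the same fields come from the
# trustedDomain objects under CN=System and the crossRef objects under
# CN=Partitions in the configuration partition.
$sampleTrusts = @(
    [pscustomobject]@{ TrustPartner = 'child.corp.example';  TrustAttributes = 0x20 }
    [pscustomobject]@{ TrustPartner = 'LEGACY.corp.example'; TrustAttributes = 0 }
    [pscustomobject]@{ TrustPartner = 'partner.example';     TrustAttributes = 0 }
    [pscustomobject]@{ TrustPartner = 'vendor.example';      TrustAttributes = 0x04 }
)
$forestDomains = 'corp.example', 'child.corp.example', 'legacy.corp.example'

Get-TrustScope -Trust $sampleTrusts -ForestDomain $forestDomains | Format-Table -AutoSize
```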
Microsoft Defender ASR
Microsoft moved ASR policy locations in Windows Server 2025. PingCastle now checks all three GPO paths to ensure coverage regardless of server version.
Other Rule Fixes
- A-DnsZoneAUCreateChild – Fixed false negatives when no DNS partitions exist on a DC. Some environments weren’t being checked at all due to an unreachable code path.
- S-FolderOptions – Remediation guidance now shows the correct GPO path.
ASP.NET 8 Upgrade
This release upgrades PingCastle to ASP.NET 8 to align it with PingCastle Enterprise and to help reduce antivirus false-positive detections that have occasionally impacted deployments.
Changes to be aware of:
- Larger executable (~200 MB)
  The executable is now over 200 MB because ASP.NET 8 is bundled directly inside it. This keeps execution simple.
- Configuration file change
  Configuration moves from PingCastle.exe.config to appsettings.console.json.
- Auto-update behavior
  Customers using the auto-update feature must run PingCastleAutoUpdate.exe twice to complete the upgrade:
  - First run: Downloads the new version.
  - Second run: Automatically migrates the existing configuration to appsettings.console.json.
Other Changes
- Updated terminology from Azure AD to Entra ID throughout the product
- New “Delete Domain” button in the UI (no more hidden URLs)
- Improved installer with better prerequisite detection and default installation to Program Files
- The interface has been updated to align with updated Netwrix branding, ensuring a seamless, unified experience for security teams using multiple Netwrix products.
Security Updates
This release contains important security updates. For information on the security content of this release, please review the associated security advisory.
Version Discrepancy Notice: The public GitHub repository is currently one version ahead of the Standard, Pro, and Enterprise editions hosted on our website. This increment was made purely to update the BasicEditionLicense for the public release, which is not needed for licensed customers; no other changes were made.
Bug Fixes and Miscellaneous Updates
| Description | Case # | Escalation # |
|---|---|---|
| LAPS pie charts display incorrect data | 450719 | 395623 |
| Owner permissions for ‘Rule Exception’ are misconfigured | 455140 | 400752 |
| PingCastle Web UI does not start after EntraID credential update | 454716 | 400184 |
| [SMB2SignatureNotEnabled] Invalid SMB2_NegotiateResponse structure. | 395483 | |
| [Standard] The --services collection option is not listed in help | 394006 | |
| [Enterprise] Infrastructure → Domains: Filters behave unexpectedly | 393666 | |
| [Enterprise] Add new Functional Levels for filtering | 392262 | |
| [Standard] Exit option incorrectly terminates the program. Expected behavior: go back one level | 361697 | |
| Running PingCastle from a non-domain-joined machine does not work | 391121 | |
| [Security] Update vulnerable packages | 400967 | |
| Report email notification not showing the maturity level | 411955 | 00466815 |
| Microsoft Defender ASR (attack surface reduction) | 410439 | 00463820 |
| “Bulk actions” are never ending - even if “done” | 407346 | 00460760 |
| Page Refresh on “Delete” of Rule Exception removes Filter | 407345 | 00460757 |
| “ActiveComputers” broken after exclusion of Win10 ESU | 407258 | 00460739 |
| For some large HTTP GET requests, PCE web application takes far too long | 406078 | 00459735 |
| Unable to delete Domain and Entity from PingCastle Enterprise. | 401714 | 00456124 |
| False Positive for A-SMB2SignatureNotEnabled on PingCastle 3.4.1.31 | 395206 | 00450402 |
| Exception: Some or all identity references could not be translated. | 395205 | 00450400 |
| Change UK spelling of Licence to US License | 410486 | |
| A-LimitBlankPasswordUse Check looking in wrong GPO list. | 410082 | |
| Healthcheck crashes PingCastle when the domain name doesn’t match the domains in the license | 409982 | |
| PingCastle Interactive asks for server name twice when running scanners | 409659 | |
| A-AnonymousAuthorizedGPO healthcheck rule broken | 407648 | |
| DnsZoneUnsecureUpdate1 uses case-sensitive comparisons for zone name | 407576 | |
| Typo | 406128 | |
| PingCastleAutoUpdater Multiple Section Error | 405649 | |
| SMB1 Scanner signing check is invalid | 404003 | |
| Inconsistent Line Spacing on Domain Page | 398865 | |
| Change description for --server parameter in Help message | 397490 | |
| Can’t reproduce HealthCheck Rule P-DelegationDCsourcedeleg | 397380 | |
| Wrong technical explanation for HealthCheck Rule P-DelegationDCsourcedeleg | 397377 | |
| HealthCheck Rules StaledMS14_068 Should Validate Actual Patch Status and Configuration | 397283 | |
| HealthCheck Rule StaledMS17_010 Should Validate Installed Updates and SMBv1 Status | 397282 | |
| Wrong description to HealthCheck Rule P-PrivilegeEveryone | 397272 | |
| Can’t reproduce HealthCheck Rule A-DnsZoneAUCreateChild on 2025 domain. | 397270 | |
| Update outdated docs.microsoft.com links to learn.microsoft.com for long-term reliability | 396943 | |
| Unclear Mapping Between Filters and Table Columns for domain page | 396550 | |
| Change Support Page link to Netwrix Support | 396310 | |
| Remove PingCastleUpdateService from installer folders | 396305 | |
| Entra: Ensure all authentications use oauth2/v2.0/token | 392840 | |
| AzureAD Scan - Random Blank Line | 390393 | |
| LAPS: Change MS LAPS to Windows LAPS. | 357401 | |
Plan your upgrade
Netwrix PingCastle 3.3 will reach its end of support life on August 3, 2026. To learn more, please read the Netwrix End-of-Support Policy.
Need help with this update?
There are many different ways to get help with our products!
| Situation | Action |
|---|---|
| If you feel the product is broken and not working as intended… | Contact Support |
| If you have a question you’d like to ask other experts… | Create a discussion in the community: PingCastle > Discussions & Questions |
| If you have a feature request… | Let our product team know directly: PingCastle > Ideas |
| If you have something cool to show… | Show everyone what you built: PingCastle > Show & Tell |
What are your thoughts?
We are always happy to hear from our users on what you like, and what you hope to see in the future. Please, share your thoughts below!


