Looking for a bug fix list for all versions of PingCastle?
All bug fixes will automatically be added here!
3.5 Updates
PingCastle Patch Version 3.5.0.44 Released
March 5, 2026
- Fixed Authentication issues with PingCastle.exe using the --user and --password options to scan remote domains from both standalone systems and domain joined systems.
- Fixed Windows Authentication issues where Windows Authentication was creating accounts as internal users, working for the first sign in and then not working for subsequent sign ins.
- Fixed a SQL Migration issue in PingCastle Pro. This manifested as Report Import issues, emails not being sent and a specific sql error in the windows event log.
Netwrix PingCastle 3.5 Released
February 3, 2026
| Description | Case # | Escalation # |
|---|---|---|
| LAPS pie charts display incorrect data | 450719 | 395623 |
| Owner permissions for āRule Exceptionā are misconfigured | 455140 | 400752 |
| PingCastle Web UI does not start after EntraID credential update | 454716 | 400184 |
| [SMB2SignatureNotEnabled] Invalid SMB2_NegotiateResponse structure. | 395483 | |
| [Standard] The --services collection option is not listed in help | 394006 | |
| [Enterprise] Infrastructure ā Domains: Filters behave unexpectedly | 393666 | |
| [Enterprise] Add new Functional Levels for filtering | 392262 | |
| [Standard] Exit option incorrectly terminates the program. Expected behavior: go back one level | 361697 | |
| Running PingCastle from a non-domain-joined machine does not work | 391121 | |
| [Security] Update vulnerable packages | 400967 | |
| Report email notification not showing the maturity level | 411955 | 00466815 |
| Microsoft Defender ASR (attack surface reduction) | 410439 | 00463820 |
| āBulk actionsā are never ending - even if ādoneā | 407346 | 00460760 |
| Page Refresh on āDeleteā of Rule Exception removes Filter | 407345 | 00460757 |
| āActiveComputersā broken after exclusion of Win10 ESU | 407258 | 00460739 |
| For some large HTTP GET requests, PCE web application takes far too long | 406078 | 00459735 |
| Unable to delete Domain and Entity from PingCastle Enterprise. | 401714 | 00456124 |
| False Positive for A-SMB2SignatureNotEnabled on PingCastle 3.4.1.31 | 395206 | 00450402 |
| Exception: Some or all identity references could not be translated. | 395205 | 00450400 |
| Change UK spelling of Licence to US License | 410486 | |
| A-LimitBlankPasswordUse Check looking in wrong GPO list. | 410082 | |
| Healthcheck crashes Pingcastle when the domain name doesnāt match the domains in the license | 409982 | |
| PingCastle Interactive asks for server name twice when running scanners | 409659 | |
| A-AnonymousAuthorizedGPO healtcheck rule broken | 407648 | |
| DnsZoneUnsecureUpdate1 uses case-sensitive comparisons for zone name | 407576 | |
| Typo | 406128 | |
| PingCastleAutoUpdater Multiple Section Error | 405649 | |
| SMB1 Scanner signing check is invalid | 404003 | |
| Inconsistent Line Spacing on Domain Page | 398865 | |
| Change description for --server parameter in Help message | 397490 | |
| Canāt reproduce HealthCheck Rule P-DelegationDCsourcedeleg | 397380 | |
| Wrong technical explanation for HealthCheck Rule P-DelegationDCsourcedeleg | 397377 | |
| HealthCheck Rules StaledMS14_068 Should Validate Actual Patch Status and Configuration | 397283 | |
| HealthCheck Rule StaledMS17_010 Should Validate Installed Updates and SMBv1 Status | 397282 | |
| Wrong description to HealthCheck Rule P-PrivilegeEveryone | 397272 | |
| Canāt reproduce HealthCheck Rule A-DnsZoneAUCreateChild on 2025 domain. | 397270 | |
Update outdated docs.microsoft.com links to learn.microsoft.com for long-term reliability |
396943 | |
| Unclear Mapping Between Filters and Table Columns for domain page | 396550 | |
| Change Support Page link to Netwrix Support | 396310 | |
| Remove PingCastleUpdateService from installer folders | 396305 | |
| Entra: Ensure all authentications use oauth2/v2.0/token | 392840 | |
| AzureAD Scan - Random Blank Line | 390393 | |
| LAPS: Change MS LAPS to Windows LAPS. | 357401 |
All bug fixes will automatically be added here!
3.4 Updates
Patch Version 3.4.2.66 Released
October 02, 2025
Updated ESC2 Check
-
Privileged Mode Added: The ESC2 check now supports Privileged Mode to validate enrollment permissions on the Certification Authority.
-
Clearer Rule Text: Updated messaging makes it obvious when the risk is identified as ESC2.
-
Improved Guidance: Expanded technical explanations and remediation steps for easier issue resolution.
Entra ID Terminology Standardization
- All terminology has been standardized to align with Entra ID, replacing legacy Azure AD language for consistency and clarity.
Modern Authentication for Email Notifications (Enterprise / Pro)
-
PingCastle now supports Modern Authentication with Office 365.
-
Uses an Entra app registration to send emails directly from the application instead of legacy SMTP basic auth.
-
By default, the app can send on behalf of anyone in the tenantāwe strongly recommend restricting this to a dedicated PingCastle mailbox via the setup process.
UI Improvement: Remove Domain from the Interface
-
Previously, domains could only be removed through a hidden link (
/Database/DeleteDomain/{DomainId}). -
A Delete Domain button is now available directly on the Domain Report page for a smoother user experience.
Enhanced DNS Zone Update Rules (A-DnsZoneUpdate1 / A-DnsZoneUpdate2)
-
DistinguishedName property added to
HealthcheckDnsZones. -
LDAP collection now captures DNs for
(objectClass=dnsZone)objects. -
Filters out CNF (conflict) and InProgress replication artifacts.
-
AddRawDetail outputs now include both DN and partition context (DomainDnsZones vs DefaultNamingContext) for precise object identification.
Bug Fixes
| Description | Case # | Escalation # |
|---|---|---|
| LAPS pie charts display incorrect data | 450719 | 395623 |
| Owner permissions for 'Rule Exception' are misconfigured | 455140 | 400752 |
| PingCastle Web UI does not start after EntraID credential update | 454716 | 400184 |
| [SMB2SignatureNotEnabled] Invalid SMB2_NegotiateResponse structure. | 395483 | |
| [Standard] The --services collection option is not listed in help | 394006 | |
| [Enterprise] Infrastructure ā Domains: Filters behave unexpectedly | 393666 | |
| [Enterprise] Add new Functional Levels for filtering | 392262 | |
| [Standard] Exit option incorrectly terminates the program. Expected behavior: go back one level | 361697 | |
| Running PingCastle from a non-domain-joined machine does not work | 391121 | |
| [Security] Update vulnerable packages | 400967 |
Patch Version 3.4.1.38 Released
July 16, 2025
| Title | DevOps ID | Case Number |
|---|---|---|
| False Positive for A-SMB2SignatureNotEnabled on PingCastle 3.4.1.31 | 395206 | 00450402 |
| Exception: Some or all identity references could not be translated. | 395205 | 00450400 |
Minor Version 3.4 Released
July 10, 2025
| Id | Title | Type | Case | |||
|---|---|---|---|---|---|---|
| 391119 | [Enterprise] The order of the buttons for Entities organization | Bug | ||||
| 392262 | Add new Functional Levels | Bug | ||||
| 393263 | Found legacy risk code. Convert or remove from repo | Bug | ||||
| 391011 | After the new exe file is copied with autoupgrade, the client will receive a non-working product | Bug | ||||
| 391976 | [Enterprise] push from the GlobalRiskScore page to the page with domains filtered by score does not work | Bug | ||||
| 391576 | [Pro/Enterprise] we need to revert or change the HTTPS Redirection change that was implemented with the HSTS changes... | Bug | ||||
| 391004 | [hilbert_map][Enterprise] The legend is not located near the mouse cursor, but somewhere to the side | Bug | ||||
| 359448 | Scanner: SMB detection of 3.1.1 does not work | Bug | ||||
| 391288 | [Enterprise] View details on Agent differents versions card do not redirect anywhere | Bug | ||||
| 391270 | [Pro] The Update page is missing / we should remove this option from configuration | Bug | ||||
| 390789 | [Enterprise] The product version is not added into the MSI | Bug | ||||
| 390673 | Entity "All Data" is missing in "Dashboard => All Domains" | Escalation | 447492 | |||
| 390790 | [Enterprise] the pingcastle exe is not part of the enterprise msi setup anymore | Bug | ||||
| 388602 | Claims Permissions on Entities not showing the Dashboard? | Bug | ||||
| 387290 | False Positives in S-Inactive | Escalation | 445547 | |||
| 389313 | Fix extensions in S-FolderOptions | Bug | Bug | |||
| 387441 | POST /api/AnomalyException Issue | Bug | ||||
| 387281 | Entra Scans: Application Missmatch | Bug | ||||
| 387329 | Configuring 'Number of Days' on Settings causes crash | Bug | ||||
| 386600 | [Enterprise] PingCastleEnterprise.Controllers.AccountController.Login / An exception was thrown while deserializing the token. | Bug | ||||
| 382141 | [Enterprise] When loading a report, n identical warning messages are written to the Application log | Bug | ||||
| 386246 | [OData] Parsing Select and Expand failed: Term '@odata.type' is not valid in a $select or $expand expression. | Bug | ||||
| 385980 | Installer: Destination Email | Bug | ||||
| 378558 | [Object reference not set to an instance of an object.] None of the buttons for generating data for the demo on POK work | Bug | ||||
| 380747 | [AzureAD checks] The amount of properties we request has changed and decreased. | Bug | ||||
| 361560 | [Str] The version of the product that we currently build is lower than the one that has already been released to the public | Bug | ||||
| 376492 | [Enterprise] The AutoUpdater should be hidden from the product | Bug | ||||
| 378389 | [Report Import] Manual report loading is limited to 25 MB / hardcoded value in import.js file | Bug | ||||
| 381819 | [Standard] The risk model section is clickable and allows you to collapse this table / based on the formatting it shouldn't be like this | Bug | ||||
| 384119 | [Enterprise] Email field is not mandatory and is not checked for completeness user creation /edit | Bug | ||||
| 380181 | Error on Duplicate Email | Escalation | 440217 | |||
| 378617 | [Enterprise] Remove "New" tags from non-new functionality. | Bug | ||||
| 381947 | Umlaute are replaced with a "?" | Escalation | 441483 | |||
| 380204 | [Standard] launched from [Enterprise] folder - Could not load assembly when trying to collect AzureAD | Bug | ||||
| 380699 | [Checks] Typo in LDAP query for P-RODCKrbtgtOrphan | Bug | ||||
| 380169 | [Pro] AzureAD Config in installer results in non-working product. | Bug | ||||
| 375107 | [Pro/Enterprise] Enhance installer checks for IIS and ASP.NET | Bug | ||||
| 377326 | Deprecation of ProvisioningAPI | Feature | ||||
| 374720 | Implement filtering of ASR Rule based on presence of Exchange | Escalation | 435268 | |||
| 374636 | PingCastle not collecting Azure data | Escalation | 435212 | |||
| 377741 | Add AdminSDHolder to critical infrastructure list | User Story | ||||
| 364407 | Update the Windows SunBurst OS List | User Story | ||||
| 376493 | The Sunburn OS selector is unfull of version | Bug | ||||
| 376494 | The windows sunburn is incomplete with version | Bug | ||||
| 374321 | Client license is not automatically replaced at start | Escalation | 434838 | |||
| 374942 | [Pro/Enterprise] After installation, the customer will receive a non-working product. | Bug | Feature | |||
| 375105 | [Pro] EF Core Version Mismatch / Leads to a non-working product | Bug | ||||
| 374567 | Issue with LAPS Reporting in Pie Charts and Table | Escalation | 435091 | |||
| 368888 | Permissions on Entities | Escalation | 430048 | |||
| 365582 | PwdLastSet is missing in some of the outputs | Bug | ||||
| 392269 | Fix Typo | Bug | ||||
| 392270 | Fix Typo | Bug |
3.3 Updates
Patch Version 3.3.0.12 Released
May 20, 2025
PingCastle.exe
-
Resolved issue with Operating Systems
-
Feature: 365862
-
Support Case: 00445084
-
Related GitHub Issues:
Fixed detection logic for Windows 10/11 22H2 where versioning caused incorrect reporting.
PingCastle was marking supported Windows versions as obsolete due to outdated end-of-support dates. The lifecycle data has now been corrected.
PingCastle Pro and Enterprise
-
Fixed āCompareā button issue in UI
-
Bug: 385557
-
Support Case: 00444805
Clicking the āCompareā button previously led to a broken report/compare/undefined path due to failed report translation. This issue is now resolved.
Patch Version 3.3.0.11
May 01, 2025
| Description | Item Type (Escalation, Bug or Feature) | Case Number | Item ID |
|---|---|---|---|
| Umlaute are replaced with a "?" | Escalation | 00441483 | 381947 |
| SAML2 users can create a local Password | Escalation | 00440173 | 380100 |
| How do "Claim permissions" work? | Escalation | 00439906 | 379835 |
| Dashboard Viewer Claim: Does not work with claims-based authentication | Bug | N/A | 383400 |
| Deprecation of ProvisioningAPI | Feature | N/A | 377326 |
| PingCastle Error when creating or deleting a rule exception | Escalation | 00436107 | 376052 |
| internal exception occured | Escalation | 00442277 | 383432 |
| [ProvisioningAPI] rootDomain is not defined in the domains section | Bug | N/A | 380725 |
| Error on Duplicate Email | Escalation | 00440217 | 380181 |
| Implement filtering of ASR Rule based on presence of Exchange | Escalation | 00435268 | 374720 |
| PingCastle not collecting Azure data | Escalation | 00435212 | 374636 |
Merged Open Source Contributions
Updated ReportHelper.cs to support Windows Server 2025
Contributed by @FlorianGross
See: Pull Request #269
Bugfix List for PingCastle 3.3
February 27, 2025
No bugs were fixed in this update.
Version 3.3 - Release Notes & Bug Fixes
November 14, 2024
See the PingCastle v3.3 Bug Fix List for a list of bugs fixed in this version.