Thank you to everyone who tested the pre-release and submitted feedback. Your input helped us ship a better product.
What’s New
Certificate Template Checks — Domain Computer Coverage (356993)
Certificate template checks can now be triggered by domain computers regardless of whether ms-DS-MachineAccountQuota is set. This delivers more comprehensive coverage of certificate authentication configurations across varied domain setups.
Enhanced P-AdminLogin with Password Reset Logic (419348)
The P-AdminLogin check has been updated to include password reset logic, improving detection and reporting of admin accounts with outdated or concerning password patterns.
SID Added to Migration Dropdown (425582)
The migration feature now surfaces SID (Security Identifier) directly in the dropdown, making it easier to identify and select the right domains during migration operations.
Bug Fixes and Miscellaneous Updates
| ID | Title | Type | Escalation # | Escalation Summary |
|---|---|---|---|---|
| 360982 | Detailed Cartography: Expand after collapse shows error | Bug | — | Fixed console error when expanding nodes after collapse in domain cartography view |
| 408398 | Wrong links in Documentation part of report | Bug | 408398 | Documentation links corrected to point to valid resources |
| 410767 | Documentation of required roles | Bug | 410767 | Documentation has been updated with detailed role requirements |
| 413093 | “Wrong License” Text Update | Bug | — | Updated error message text for clarity |
| 414399 | Entra ID: No MFA Column | Bug | — | Added MFA status column to Entra ID reporting |
| 414458 | Edit User Role Info Icons different to others | Bug | — | Standardized icon styling in user role management UI |
| 414526 | Webhooks are unclear | Bug | — | Improved webhook configuration documentation and UI labels |
| 414538 | Editing an agent resets its last login date | Bug | — | Fixed agent editor to preserve last login timestamp |
| 414544 | User-Based Licensing Note | Bug | — | Clarified user-based licensing messaging |
| 414714 | Scheduler: Refresh page doesn’t work in Edge | Bug | — | Fixed page refresh functionality in Microsoft Edge browser |
| 414984 | Custom Rules: Type Info Icon shows no info | Bug | — | Restored tooltip information for custom rules type selector |
| 415122 | Password Change not required on email change | Security Fix | — | A security gap where users could change email without password reset has been fixed; password reset is now enforced when email address changes |
| 415128 | Configuration and Mapping of External Logins is broken | Bug | — | Critical functionality for external authentication was non-functional; fixed to restore external login support |
| 415708 | Creating external users with password vulnerability | Security Fix | — | External user accounts were being created with explicit passwords; system now enforces passwordless authentication for external users |
| 416037 | Fixing release 3.5 build pipeline | Task | — | Updated build configuration for release process |
| 416104 | Low privilege users able to see/create/delete Scheduler | Security Fix | — | A privilege escalation vulnerability allowed non-admin users to access scheduler; access controls have been tightened to administrators only |
| 416129 | Custom Rules Download still produces XML | Bug | — | Custom rules export was generating legacy XML format instead of current format; corrected output format |
| 417468 | appsettings.console.json is not generated on update | Escalation | 417468 | Configuration file missing after running updates; deployment process now properly generates required config files |
| 418050 | Update Trust Types | Bug | — | Refreshed trust relationship type definitions |
| 418327 | Configuration Migration doesn’t work | Bug | — | Restored configuration migration functionality between instances |
| 418334 | Exceptions | Bug | — | Fixed exception handling in scanner engine |
| 418509 | Honeypot exclusions are not working in 3.5.0.40 | Bug | 418509 | Honeypot exclusion functionality has been restored |
| 418730 | GitHub PR - Typo in LDAP Filter (BuiltinDomain) | Bug | — | LDAP filter contained typo affecting BuiltinDomain detection; filter syntax corrected |
| 419388 | Config missing after running manual scan | Escalation | 419388 | Manual scans were deleting configuration files; scan process now preserves configuration state |
| 419591 | All links to “stigviewer” are broken | Escalation | 419591 | Documentation links to external STIG viewer resource were incorrect; links updated to valid URLs |
| 420381 | PingCastle Auto-Updater breaks configurations (~80 servers) | Escalation | 420381 | CRITICAL: Auto-updater in versions 3.5.0.37+ was corrupting config files on affected servers; update mechanism rewritten to prevent data loss |
| 420428 | DC vulnerability (MS17-010) | Escalation | 420428 | The check for the MS17-010 (EternalBlue) vulnerability was missing from reporting; added detection for unpatched domain controllers |
| 422097 | Scan entraID | Feature | 422097 | Entra ID scanning capability has been added |
| 422172 | PWDNeverExpires doesn’t account for recent password changes | Bug | — | Enhanced check to properly evaluate recently changed passwords |
| 422175 | Computer Analysis: Delegation confusion | Bug | — | Clarified delegation reporting in computer analysis |
| 422249 | Exclusions taking ages to add and delete for AD Risks | Bug | — | Bulk exception operations were causing performance degradation; optimized database queries for exception handling |
| 422878 | Exception not in use | Escalation | 422878 | Exceptions configured in the system were not being applied to scan results; exception filtering logic fixed |
| 423164 | Exception for Windows Server 2012 not working | Escalation | 423164 | Exceptions targeting Windows Server 2012 systems were being ignored; corrected version matching logic |
| 423476 | There is no delete API for reports | Bug | — | Added report deletion capability to REST API |
| 423757 | Slow speed for bulk exceptions on enterprise | Bug | — | Optimized bulk exception operations for large environments |
| 423914 | Pingcastle exception | Bug | 423914 | Exception handling has been improved |
| 423921 | “Number of domains NOT audited” showing wrong information | Escalation | 423921 | Dashboard maturity detail incorrectly filtering domains audited/not audited. Filter links pointed to empty results; corrected to show proper domain audit status. |
| 424072 | Remove AI-assisted taglines from public repo | Task | — | Cleaned up source code comments in public GitHub repository |
| 425012 | Create domain action plan gives blank page | Bug | — | Fixed UI blank page error when generating domain action plans |
| 425072 | Changes to Multi-Schema UI | Bug | — | Multi-domain schema UI was not properly reflecting recent changes; UI state management corrected |
| 425245 | KB Scanner Slow in Compute Risks | Bug | — | Optimized knowledge base scanning performance |
| 426194 | Error opening file “ad_gc_rules_3.5.0.44.xlsx” | Escalation | 426194 | Custom rules file download was corrupted or inaccessible; file generation and delivery pipeline repaired |
| 426386 | S-AesNotEnabled - RC4 deprecation score issue | Escalation | 426386 | RC4 deprecation check (S-AesNotEnabled) was returning incorrect scores due to algorithm change; scoring logic updated for RC4 phase-out |
| 426591 | Slow Migration for high numbers of domains | Bug | — | Improved migration performance for multi-domain environments |
| 426793 | Bulk import: Reapply exceptions is dead slow | Escalation | 426793 | CRITICAL: Bulk exception reapplication operations timing out on large datasets; rewrote batch processing to use async operations |
| 431913 | SMTP configuration in appsettings.console.json not being read | Bug | — | Fixed configuration file parsing for console SMTP settings |
| 432143 | appsettings.console.json missing from download links | Bug | — | Console configuration file was not included in downloads; added to package manifest |
| 433142 | Bulk actions crash Enterprise with large domains | Bug | — | Bulk operations crashing when processing very large Active Directory domains; optimized memory handling and added pagination |
| 434171 | Schema Change UI: Codeblock display | Bug | — | Improved code block display in schema UI tabs with better formatting and copy functionality. |
| 434415 | PingCastle Date Format is in US? | Bug | — | Standardized date formatting to use local browser formats with 24-hour clock instead of US format. |
| 434419 | Standardise PingCastle Date Formats | Bug | — | Unified inconsistent date formats across domains view, report view, and compare reports to use consistent 24-hour format stored in UTC. |
| 435001 | Auto-Redirect when making exceptions failing | Bug | — | Fixed issue where Enterprise failed to redirect page after creating an exception. |
| 435360 | Deleting an action plan after you use the dropdown filters the page is returned unfiltered | Bug | — | Corrected filter persistence; page now maintains dropdown filters after deleting an action plan. |
| 435500 | A-MembershipEveryone: BUILTIN\Users exclusion causes false positive | Bug | — | Fixed string mismatch in exclusion logic that prevented BUILTIN\Users from being correctly excluded from A-MembershipEveryone risk assessment. |
| 435829 | OIDC logout does not end the provider session | Bug | — | Enhanced OIDC logout to properly redirect to provider’s end-session endpoint, terminating IdP session in addition to local cookie clearing. |
| 435867 | Remove System.Private.Uri 4.3.0 transitive dependency | Task | — | Removed obsolete System.Private.Uri 4.3.0 transitive dependency; the .NET 8 runtime implementation takes precedence, eliminating the CVE-2019-0980, CVE-2019-0981 and CVE-2019-0657 risk. |
| 435947 | S-AesNotEnabled incorrectly includes disabled accounts in risk score | Bug | — | Corrected S-AesNotEnabled rule to exclude disabled accounts from risk count, as disabled accounts cannot be AS-REP Roasted. |
| 436767 | Conflicting warnings when setting up login on fresh system | Bug | — | Fixed password requirement validation to display only one correct error message instead of conflicting inline and header warnings on initial admin setup. |
| 436841 | Entity - missing error handling for missing permissions | Bug | — | Improved authorization error handling; users without permission to access an entity now receive clear “Access Denied” message instead of redirect to login. |
