Looking for a bug fix list for all versions of Threat Manager?
All bug fixes will automatically be added here!
Looking for Microsoft KB Updates? Skip to the Agent Updates section with the table of contents on the right
3.1 Updates
Threat Manager Patch Version 3.1.528 Released
February 26, 2026
- Fixed object linking in the threat description
- Fixed an issue where the threat details page failed to display for the “Potential BadSuccessor Abuse” threat when rollup was enabled and more than 10 affected objects were present
- Improved evidence formatting for the “Potential BadSuccessor Abuse” threat
- Improved the SIEM test message when using TCP
- Fixed pagination on the Service Accounts page
- Fixed the inconsistent design across steps in the confirmation dialogs
- Fixed a honeytoken policy configuration issue that caused intermittent failures
- Replaced the legacy modal dialog with an updated dialog component on the service configuration page for editing descriptions
- Added a validation check during installation that reports an error if the PowerShell execution policy is incompatible
- Added various styling fixes for look-and-feel consistency
Netwrix Threat Manager 3.1 Released
February 5, 2026
- Playbook Execution History - Fixed user name missing on the history tab for playbook execution.
- Threat Detection Tool Coverage - Threat detection for Kerberoast attacks now properly identifies attacks performed with alternative tooling, closing detection gaps.
- Threat Rollup Time Configuration - Threat detection configurations include default rollup time values to ensure consistent threat aggregation behavior across all detections.
- External Authentication Provider Naming - Users can successfully rename external authentication providers without encountering errors.
- Multi-Value Field Export - Multi-value fields such as tags export correctly to CSV files with proper formatting instead of as object references, making exported data immediately usable.
- Investigation Attribute Access - Fixed the description for object renames.
- Custom Threat Deletion - Deleting custom threats properly removes associated job objects from alert query responses, preventing orphaned data.
- Investigation Logging - Investigation queries with verbose logging complete without encountering parsing errors that could interrupt analysis.
- Log Export Progress - Users see visual progress feedback when exporting large log files, improving transparency during long-running exports and preventing confusion about system responsiveness.
- Email Report Delivery - Scheduled reports deliver successfully via email without encountering subscription errors, ensuring reliable report distribution.
- Login Compatibility - Users can successfully log in even when very old cached data exists in their browser storage, preventing access issues after extended periods between logins.
- Installer Action Execution - The installer only executes post-installation actions when installation completes successfully, preventing errors during failed installations.
3.0 Updates
Patch Version 3.0.668 Released
November 25, 2025
This release introduces performance enhancements to event processing and investigation workflows, stability improvements and more.
Important notes
- A PostgreSQL update is required. Allow additional time for the data migration process to complete.
- Netwrix Threat Prevention customers are strongly encouraged to update to the latest release for optimal performance.
Performance improvements
- Forged ticket threat detection now processes events significantly faster with optimized algorithms.
- Improved memory management reduces system resource usage during event processing.
- Enhanced caching mechanisms improve overall system responsiveness.
- Event service threading optimizations lower resource consumption under high event volume.
- Database query performance upgrades accelerate investigation loading times.
- Asynchronous logging minimizes the impact on core processing operations.
- Honeytoken threat detection is now disabled by default and can be enabled post-configuration.
Bug fixes
- Investigation save operations now show clear validation messages for missing required fields.
- Activity data displays correctly across multiple time zones.
- Entra ID synchronization completes successfully when handling large volumes of new risky objects (1000+).
- Entra ID verified domain synchronization no longer triggers sequence limit errors.
- User accounts with special characters can now log in successfully.
- Credential profile editor correctly displays credentials for all entries.
- Password spray threat detection properly resets counters for accurate identification.
- Tag details pages handle loading errors with clear error messaging.
- Direct member group information updates correctly during synchronization.
- Event table growth is now properly managed to prevent excessive storage use.
- Domain controller lists exclude removed systems as expected.
- Investigation file path filtering includes both file and folder event types.
- Security descriptor changes appear correctly in event details.
- Abnormal user behavior threat details display accurate interface elements.
- Integration test connections validate properly for new data sources.
- Threat detection logic now better excludes known false positive patterns.
- System dumps generate only when necessary, reducing diagnostic file clutter.
- Event linking maintains correct associations when domain controllers are re-added.
- Computer account tags apply correctly during synchronization.
- Database replication cleanup functions properly during service restarts.
- Sensitive role change detection handles multi-domain environments without warnings.
Patch Version 3.0.644 Released
September 18, 2025
Enhancements
- Event Service Performance – Enhanced scalability in event processing for environments with many connected clients.
- Data Processing Optimization – Implemented database schema improvements to speed up event handling and reduce storage overhead.
- Threat Detection Enhancement – Added configurable filtering to minimize duplicate threat notifications and improve alert precision.
- Process Monitoring – Introduced automated diagnostic collection for better monitoring and troubleshooting.
- Honey Token Management – Automatic disabling of honey-token threat detection when no monitoring policies are configured, lowering unnecessary load.
- Logging Framework – Upgraded logging with improved asynchronous processing and buffer monitoring.
- Hybrid Object Linking – Enhanced object linking to better support hybrid Active Directory and Azure environments with improved cross-platform identity correlation.
Bug Fixes
- Integration Configuration – Fixed an issue that prevented test connections to newly configured Threat Prevention data sources (used by Threat Manager).
Security Updates
- Dependencies – Updated JavaScript libraries (axios, superagent, testing frameworks) to address security vulnerabilities.
- Data Validation – Improved input sanitization in integration service database queries.
- Database Security – Upgraded PostgreSQL to version 14.19 for improved security and stability.
- Runtime Components – Updated .NET runtime prerequisites to version 8.0.19 for enhanced reliability.
Patch Version 3.0.628 Released
August 29, 2025
This release replaces hotfix 3.0.616, which was withdrawn after an issue was identified in Group Membership calculations during Active Directory synchronization. This issue has been resolved in 3.0.628, and all fixes and enhancements from 3.0.616 are included in this release.
Authentication & Authorization
- Added group-based authorization support in User Access for OpenID and SAML configurations
Performance Enhancements
- Optimized cache operations to significantly improve system performance under high load conditions
- Enhanced job scheduling performance through improved caching mechanisms with periodic refresh patterns
- Streamlined event processing to reduce memory consumption and improve throughput
Security Improvements
- Enhanced SSL certificate validation for secure service communications
- Improved credential handling for cross-domain authentication scenarios
System Stability
- Resolved service initialization issues that could prevent proper system startup
- Fixed critical service availability issues that could interrupt alert generation
- Corrected event processing failures that occurred under specific permission configurations
- Addressed database synchronization issues affecting user visibility
SIEM Integration
- Fixed message formatting issues that caused improper log splitting when special characters were present
- Resolved duplicate user entries in threat notifications
- Enhanced field inclusion for comprehensive SIEM output
Threat Detection
- Expanded reconnaissance detection capabilities with additional pattern-matching logic
- Improved playbook execution reliability for automated threat response
- Enhanced threat event population and correlation accuracy
User Interface
- Corrected password form styling on authentication pages
- Fixed subscription list display inconsistencies
- Resolved investigation query issues with wildcard patterns
Data Management
- Improved database view synchronization for complete user representation
- Enhanced honey token search functionality across domains
- Optimized database migration scripts for improved upgrade performance
Other
- Fixed an issue in Group Membership calculations during Active Directory synchronization
Patch Version 3.0.616 Released
August 14, 2025
Authentication & Authorization
- Added group-based authorization support in User Access for OpenID and SAML configurations
Performance Enhancements
- Optimized cache operations to significantly improve system performance under high load conditions
- Enhanced job scheduling performance through improved caching mechanisms with periodic refresh patterns
- Streamlined event processing to reduce memory consumption and improve throughput
Security Improvements
- Enhanced SSL certificate validation for secure service communications
- Improved credential handling for cross-domain authentication scenarios
System Stability
- Resolved service initialization issues that could prevent proper system startup
- Fixed critical service availability issues that could interrupt alert generation
- Corrected event processing failures that occurred under specific permission configurations
- Addressed database synchronization issues affecting user visibility
SIEM Integration
- Fixed message formatting issues that caused improper log splitting when special characters were present
- Resolved duplicate user entries in threat notifications
- Enhanced field inclusion for comprehensive SIEM output
Threat Detection
- Expanded reconnaissance detection capabilities with additional pattern-matching logic
- Improved playbook execution reliability for automated threat response
- Enhanced threat event population and correlation accuracy
User Interface
- Corrected password form styling on authentication pages
- Fixed subscription list display inconsistencies
- Resolved investigation query issues with wildcard patterns
Data Management
- Improved database view synchronization for complete user representation
- Enhanced honey token search functionality across domains
- Optimized database migration scripts for improved upgrade performance
Patch Version 3.0.587 Released
July 10, 2025
- Fixed license expiration issue in fresh installs
- Fixed event message service skipping LDAP ping events
- Fixed SSO authentication types incorrectly showing for the built-in admin
- Added “Starts With” and “Ends With” operators to “Attribute New Value” and “Attribute Old Value” investigation filters
Patch Version 3.0.564 Released
June 24, 2025
- Significantly reduced application load time after login
- Added a new and improved login page
- Improved admin password setup guidelines
- Fixed the issue where the user lands on the investigations page instead of the home dashboard
- Improved ordering in the main search bar results
- Fixed “Comments” flag for threats workflow
- Improved interface for configuring NTP integrations
- Improvements to User Access configuration:
- Removed deleted objects from the search results
- Added icons to search results to distinguish groups and users
- Fixed issues when adding new entries
- Made “Two-page login” the default setting for MFA
- Fixed various issues with SSO (OpenID, SAML) authentication providers
- Improved error handling and error notifications for internal authentication providers
- Fixed issues and improved the interface for MFA
- Added a new LDAP Filter for Service Accounts LDAP Recon
- Improved event inserter
- Added new metrics logging to improve performance monitoring
- Improved query performance when processing events
- Fixed an issue causing an AD sync failure due to a TGT lifetime silo lacking an associated policy
- Fixed an issue with Pass-The-Ticket false positives
Patch Version 3.0.516 Released
April 24, 2025
- Fixed the issue with deleting an Netwrix Threat Prevention configuration from integrations
- Added additional performance metrics and configuration options
- Fixed issues with the email service in SSL-enabled environments
- Fixed autocomplete for domain filter in investigations
- Fixed incorrect owner being displayed for some investigations
Patch Version 3.0.506
April 10, 2025
In this hotfix, we addressed various issues relating to the Netwrix Threat Manager.
- Improved Kerberoasting detection when “Weak Kerberos Encryption” setting is enabled
- Removed the requirement to perform “ping” during AD sync configuration
- Simplified OpenID authentication provider configuration form
- Updated User Access configuration for authentication providers
- Added guidelines for ADMIN password requirements in User Access
- Added a column to User Access to display the type of entry (user or group)
Patch Version 3.0.493 Released
March 27, 2025
In this hotfix, we addressed various issues relating to the Netwrix Threat Manager:
- Added Entra ID SAML integration
- Improved performance for threat detection
- Fixed the connection issue to NTP integration post 3.0.473 upgrade
- Fixed upgrade issues in large enterprise environments
- Added automatic cache refresh for the web application after upgrade
- Improved formatting and styling of emails
- Improved notifications during PostgreSQL upgrade
- Added evidence section to “Impossible Travel” threat details
Patch Version 3.0.480 Released
March 18, 2025
- Fixed email alert frequency for Abnormal User Behavior threat
- Fixed issues with login via group user access
- Fixed MFA reset for specific users in a group user access
- Fixed the issue which prevented recreating a previously deleted user access entry
Cumulative Update 3.0.473 for Netwrix Threat Manager is Now Available
March 6, 2025
No bugs were fixed in this update.
Version 3.0 - Release Notes & Bug Fixes
October 8, 2024
See the Netwrix Threat Manager 3.0 Bug Fix List for a list of bugs fixed in this version.
Agent Updates
Agent Packages for Microsoft KB Update (March 10, 2026) Released
March 12, 2026
Bug Fixes and Miscellaneous Updates
On March 10, 2026 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
Updated agent builds:
- 8.0.0.42
- 7.5.0.287
- 7.4.0.293
If you are using Threat Prevention agents to provide AD event data to Netwrix Threat Manager , you may need to update your agents to maintain compatibility. No updates are required to the Threat Manager installation itself.
Agent Packages for Microsoft KB Update (February 10, 2026) Released
February 12, 2026
On February 10, 2026 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
Updated agent builds:
- 8.0.0.36
- 7.5.0.274
- 7.4.0.291
If you are using Threat Prevention agents to provide AD event data to Netwrix Threat Manager, you may need to update your agents to maintain compatibility. No updates are required to the Threat Manager installation itself.
Agent Packages for Microsoft KB Update (January 13, 2026) Released
January 15, 2026
On January 13, 2026 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
Updated agent builds:
- 8.0.0.29
- 7.5.0.272
- 7.4.0.289
If you are using Threat Prevention agents to provide AD event data to Netwrix Threat Manager, you may need to update your agents to maintain compatibility. No updates are required to the Threat Manager installation itself.
Agent Packages for Microsoft KB Update (November 11, 2025) Released
November 18, 2025
On November 11, 2025 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
Updated agent builds:
- 7.5.0.252
- 7.4.0.280
- 7.3.9.332
If you are using Threat Prevention agents to provide AD event data to Netwrix Threat Manager, you may need to update your agents to maintain compatibility. No updates are required to the Threat Manager installation itself.
Agent Packages for Microsoft KB Update (October 14, 2025) Released
October 17, 2025
On October 14, 2025 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
Updated agent builds:
- 7.5.0.242
- 7.4.0.269
- 7.3.9.325
If you are using Threat Prevention agents to provide AD event data to Netwrix Threat Manager, you may need to update your agents to maintain compatibility. No updates are required to the Threat Manager installation itself.
Agent Packages for Microsoft KB Update (September 9, 2025) Released
September 11, 2025
On September 9, 2025 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
The updated builds are:
- 7.5.0.234
- 7.4.0.246
- 7.3.9.317
If you’re leveraging Threat Prevention agents to provide Netwrix Threat Manager with AD event data you may need to update your agents to maintain compatibility with the latest Microsoft KBs. No changes are required to the Netwrix Threat Manager installation itself.
Agent Packages for Microsoft KB Update (August 12, 2025) Released
August 14, 2025
On August 12, 2025 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
The updated builds are:
- 7.5.0.227
- 7.4.0.233
- 7.3.9.309
If you’re leveraging Threat Prevention agents to provide Netwrix Threat Manager with AD event data you may need to update your agents to maintain compatibility with the latest Microsoft KBs. No changes are required to the Netwrix Threat Manager installation itself.
Agent Packages for Microsoft KB Update (July 8, 2025) Released
July 15, 2025
On July 8, 2025 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
Updated agent builds:
- 7.5.0.216
- 7.4.0.227
- 7.3.9.303
- 7.3.7.473
If you are using Threat Prevention agents to provide AD event data to Netwrix Threat Manager, you may need to update your agents to maintain compatibility. No updates are required to the Threat Manager installation itself.
Agent Packages for Microsoft KB Update (June 10, 2025) Released
June 13, 2025
On June 10, 2025 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
The updated builds are:
- 7.3.7.469
- 7.3.9.297
- 7.4.0.219
- 7.5.0.205
If you’re leveraging Threat Prevention agents to provide Netwrix Threat Manager with AD event data you may need to update your agents to maintain compatibility with the latest Microsoft KBs. No changes are required to the Netwrix Threat Manager installation itself.
Agent Packages for Microsoft KB Update (May 13, 2025) Released
May 15, 2025
On May 13, 2025 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
The updated builds are:
- 7.3.9.286
- 7.4.0.201
- 7.5.0.188
If you’re leveraging Threat Prevention agents to provide Netwrix Threat Manager with AD event data you may need to update your agents to maintain compatibility with the latest Microsoft KBs. No changes are required to the Netwrix Threat Manager installation itself.
Agent Packages for Microsoft KB Update (April 8, 2025) Released
April 10, 2025
On November 11, 2025 Microsoft distributed KBs that conflict with existing Netwrix Threat Prevention agents. If these KBs are applied to your systems, they will conflict with current agents, as described in this announcement.
Netwrix has issued updated agent packages that have support for new Microsoft KBs.
Updated agent builds:
- 7.5.0.252
- 7.4.0.280
- 7.3.9.332
If you are using Threat Prevention agents to provide AD event data to Netwrix Threat Manager, you may need to update your agents to maintain compatibility. No updates are required to the Threat Manager installation itself.
The following versions may have limited or no support. Please see the