What happened?
While using the latest version 3.5.1.33, the Rule "S-AesNotEnabled" causes false positives for newly created computer objects. Our use-case are pre-created objects for offline domain join (ODJ) for Autopilot installed devices via Intune. These will have a fresh creation and pwd last set date, but they have SPNs for normal computer objects (like "HOST" or "RestrictedKrbHost") and an empty msDS-SupportedEncryptionTypes. The attribute get filled once these devices process their GPOs for the first time and update their attributes. In the meantime, PingCastle will show the following entry under "Objects where AES usage with kerberos may be cause issues".
Example:
| Name |
Creation |
Last logon |
Pwd Last Set |
Distinguished name |
| <AutoPilotComputerName>$ |
2026-06-15 07:42:28Z |
Never |
2026-06-15 08:42:28Z |
CN=<AutoPilotComputerName>$,OU=Computers,OU=<Location>,DC=contoso,DC=com |
Proposed Fix
In:
|
private void ProcessNotAesEnabled(ADItem x, IAddAccountData data, DateTime dcWin2008Install) |
If the attribute msDS-SupportedEncryptionTypes is 0 or not set, the method ProcessNotAesEnabled could check for the DefaultDomainSupportedEncryptionTypes. As long as they are set securely for AES only (0x18 for AES or 0x38 to also enforce AES-Sk), the rule should not trigger. This has the benefit to not only apply to computer objects, but other object types as well.
What happened?
While using the latest version 3.5.1.33, the Rule "S-AesNotEnabled" causes false positives for newly created computer objects. Our use-case are pre-created objects for offline domain join (ODJ) for Autopilot installed devices via Intune. These will have a fresh creation and pwd last set date, but they have SPNs for normal computer objects (like "HOST" or "RestrictedKrbHost") and an empty msDS-SupportedEncryptionTypes. The attribute get filled once these devices process their GPOs for the first time and update their attributes. In the meantime, PingCastle will show the following entry under "Objects where AES usage with kerberos may be cause issues".
Example:
Proposed Fix
In:
pingcastle/PingCastleCommon/Healthcheck/AccountDataProcessor.cs
Line 86 in ba13fb8
If the attribute msDS-SupportedEncryptionTypes is 0 or not set, the method ProcessNotAesEnabled could check for the DefaultDomainSupportedEncryptionTypes. As long as they are set securely for AES only (0x18 for AES or 0x38 to also enforce AES-Sk), the rule should not trigger. This has the benefit to not only apply to computer objects, but other object types as well.