Security Update Available: AD Agent 3.1.0
Recommended upgrade for customers running the Remote AD Agent
AD Agent 3.1.0 is now available
We recommend that all customers running the Remote AD Agent upgrade to version 3.1.0.
Download AD Agent 3.1.0
Dear Customer,
During recent penetration testing performed on the Octopus platform, a hardening gap was identified in the Remote AD Agent. The API client secret used by the agent to authenticate to the AD Service was stored on disk in plaintext within the agent configuration file.
While access to the file is restricted to privileged users on the agent host, an attacker who obtained Administrator or LocalSystem access to that host, or who obtained a copy of the file from a backup or disk image, could read the secret directly.
This issue has been addressed in AD Agent 3.1.0, released on May 8, 2026. We recommend that all customers running the Remote AD Agent upgrade to this version.
Who is affected?
Remote AD Agent is used mainly for SaaS customers, but it may also be used in some on-premises installations. Customers running the Remote AD Agent should plan to upgrade to AD Agent 3.1.0.
What changed in AD Agent 3.1.0
In version 3.1.0, the client secret is no longer written to the configuration file in plaintext. It is stored instead as an encrypted envelope: the secret is encrypted with AES-256-GCM under a per-envelope data key, and that data key is wrapped with RSA-OAEP-SHA256 under a non-extractable RSA-2048 keypair held in the host's TPM 2.0.
The TPM key is machine-scoped and its use is ACL-restricted to LocalSystem and the local Administrators group. As a result, the secret cannot be recovered from the configuration file alone: a copy of the file taken from a backup, a disk image, or an offline read of the volume yields only ciphertext, and the private key cannot be exported from the TPM. Note the boundary of this protection: code already running as LocalSystem or as a local Administrator on the live host is within the key's ACL and can still ask the TPM to unwrap the secret. The change removes the secret from the file; it does not remove the agent host itself from the trust boundary.
On hosts without a TPM 2.0, the agent falls back to a key in a software KSP (key storage provider). That key is also created as non-exportable, but its material is held in software and protected by the operating system rather than by hardware, so it offers lower assurance against a privileged local attacker. The agent logs a warning when it is running in this fallback mode.
All cryptography uses FIPS 140-3 approved algorithms (AES-256-GCM and RSA-OAEP with SHA-256) and runs cleanly with Windows FIPS mode enabled.
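To make the envelope scheme concrete, the following PowerShell 7 script is an added illustration; it is not the AD Agent's own code and is not released by Double Octopus. It encrypts a secret with AES-256-GCM under a random data key, wraps that data key with RSA-OAEP-SHA256 under a machine-scoped, non-exportable RSA-2048 key created in the Microsoft Platform Crypto Provider (the TPM 2.0 key storage provider), and falls back to the Microsoft Software Key Storage Provider with a warning when no TPM provider is usable, mirroring the fallback described above. The key name, the envelope's JSON field names, the AAD binding and the sample secret are assumptions for the example. Run it elevated on Windows.

```powershell
#Requires -Version 7.2
# Added example, not the AD Agent's own code. Run elevated on Windows.
# Envelope-encrypts a client secret: AES-256-GCM under a random data key,
# the data key wrapped with RSA-OAEP-SHA256 under a machine-scoped,
# non-exportable RSA-2048 key in the TPM (Microsoft Platform Crypto Provider),
# falling back to the Microsoft Software KSP, with a warning, if no TPM is usable.
using namespace System.Security.Cryptography
using namespace System.Text

$KeyName   = 'ExampleAdAgentWrapKey'   # assumed name; the agent's real key name is not public
$Providers = @(
    [CngProvider]::new('Microsoft Platform Crypto Provider'),   # TPM 2.0 KSP
    [CngProvider]::MicrosoftSoftwareKeyStorageProvider          # software fallback
)

function Get-WrapKey {
    # Opens the machine-scoped RSA wrapping key, creating it on first use.
    # Restricting the key's own ACL (NCrypt security descriptor) is omitted here.
    foreach ($provider in $Providers) {
        try {
            if ([CngKey]::Exists($KeyName, $provider, [CngKeyOpenOptions]::MachineKey)) {
                $key = [CngKey]::Open($KeyName, $provider, [CngKeyOpenOptions]::MachineKey)
            } else {
                $p = [CngKeyCreationParameters]::new()
                $p.Provider           = $provider
                $p.KeyCreationOptions = [CngKeyCreationOptions]::MachineKey
                $p.ExportPolicy       = [CngExportPolicies]::None      # non-exportable
                $p.KeyUsage           = [CngKeyUsages]::Decryption
                $p.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes(2048), [CngPropertyOptions]::None))
                $key = [CngKey]::Create([CngAlgorithm]::Rsa, $KeyName, $p)
            }
            if ($provider.Provider -eq 'Microsoft Software Key Storage Provider') {
                Write-Warning 'TPM key storage provider unavailable; using software KSP (lower assurance).'
            }
            return $key
        } catch {
            Write-Verbose "Provider '$($provider.Provider)' failed: $($_.Exception.Message)"
        }
    }
    throw 'No usable key storage provider found.'
}

function Protect-ClientSecret {
    param([Parameter(Mandatory)][string]$Secret)
    $rsa = [RSACng]::new((Get-WrapKey))
    try {
        $dek   = [RandomNumberGenerator]::GetBytes(32)   # AES-256 data key
        $nonce = [RandomNumberGenerator]::GetBytes(12)   # fresh 96-bit nonce per envelope
        $aad   = [Encoding]::UTF8.GetBytes("$KeyName|$env:COMPUTERNAME")  # binds envelope to key and host
        $plain = [Encoding]::UTF8.GetBytes($Secret)
        $ct    = [byte[]]::new($plain.Length)
        $tag   = [byte[]]::new(16)
        $aes   = [AesGcm]::new($dek)
        try { $aes.Encrypt($nonce, $plain, $ct, $tag, $aad) } finally { $aes.Dispose() }
        $wrapped = $rsa.Encrypt($dek, [RSAEncryptionPadding]::OaepSHA256)  # RSA-OAEP-SHA256 wrap
        [Array]::Clear($dek, 0, $dek.Length)
        $envelope = [ordered]@{
            kid        = $KeyName
            alg        = 'A256GCM+RSA-OAEP-256'
            wrappedKey = [Convert]::ToBase64String($wrapped)
            nonce      = [Convert]::ToBase64String($nonce)
            ciphertext = [Convert]::ToBase64String($ct)
            tag        = [Convert]::ToBase64String($tag)
        }
        return ($envelope | ConvertTo-Json -Compress)
    } finally { $rsa.Dispose() }
}

function Unprotect-ClientSecret {
    param([Parameter(Mandatory)][string]$EnvelopeJson)
    $e   = $EnvelopeJson | ConvertFrom-Json
    $rsa = [RSACng]::new((Get-WrapKey))
    try {
        # The OAEP unwrap runs inside the TPM; the private key never leaves it.
        $dek   = $rsa.Decrypt([Convert]::FromBase64String($e.wrappedKey), [RSAEncryptionPadding]::OaepSHA256)
        $ct    = [Convert]::FromBase64String($e.ciphertext)
        $plain = [byte[]]::new($ct.Length)
        $aad   = [Encoding]::UTF8.GetBytes("$($e.kid)|$env:COMPUTERNAME")
        $aes   = [AesGcm]::new($dek)
        try {
            # Throws CryptographicException if ciphertext, tag, nonce or AAD were altered.
            $aes.Decrypt([Convert]::FromBase64String($e.nonce), $ct, [Convert]::FromBase64String($e.tag), $plain, $aad)
        } finally { $aes.Dispose(); [Array]::Clear($dek, 0, $dek.Length) }
        return [Encoding]::UTF8.GetString($plain)
    } finally { $rsa.Dispose() }
}

# Usage (the secret value is a made-up placeholder):
$envelope = Protect-ClientSecret -Secret 'example-client-secret-not-real'
$envelope                                  # the JSON that would be stored instead of the plaintext
Unprotect-ClientSecret -EnvelopeJson $envelope
```

Two design points worth noting. The private key never exists outside the TPM, so an attacker who copies the envelope gains nothing unless they can also invoke the key on this host; that is exactly the residual exposure described above for principals already inside the key's ACL. The associated data ties the envelope to the key name and host name, so a ciphertext transplanted to another machine fails GCM authentication rather than decrypting; it also means a host rename invalidates the envelope, which is an acceptable trade for a secret that is cheap to re-provision.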
Additional hardening
- The agent wire protocol with the AD Service is unchanged.
- No server-side configuration is required.
- The appsettings.Production.json configuration file is now ACL-hardened to LocalSystem and Administrators only.
- The installation wizard now requires UAC elevation.
Upgrade procedure
In-place upgrade from 3.0.0 to 3.1.0 is not supported. To migrate without losing your replica or directory configuration, follow these steps in order:
- Uninstall the existing agent from the agent host.
- Add a new agent in the Management Console and install it on the host.
- Edit the replica to select the new agent and unselect the old one.
- Delete the old agent entry from the Management Console.
Important notes
- The agent service must run as LocalSystem or as an account that is a member of the local Administrators group on the host.
- Non-administrative service accounts, including group Managed Service Accounts, are not supported in AD Agent 3.1.0.
- Service-account-aware ACLs are planned for the upcoming AD Agent 3.1.1 release.
- A TPM reset (clear), host re-image, or hardware replacement destroys the wrapping keypair and therefore invalidates the encrypted client secret; the agent cannot authenticate to the AD Service until it is re-provisioned. Recovery is straightforward: re-run the installation wizard on the host.
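As an added example (not Double Octopus tooling), this PowerShell script checks the host conditions the notes above depend on: whether a TPM 2.0 is present, enabled and activated (otherwise expect the software-KSP fallback and its logged warning), whether the agent service runs as LocalSystem or a member of the local Administrators group (a gMSA or other non-administrative account is not supported in 3.1.0), and whether appsettings.Production.json is ACL-restricted to SYSTEM and Administrators. The service name and install path are assumptions; set them for your host. Run it elevated on the agent host before and after the migration.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example, not Double Octopus tooling. Checks the host conditions that
# AD Agent 3.1.0 depends on. ServiceName and ConfigPath are assumptions.
param(
    [string]$ServiceName = 'DoubleOctopusAdAgent',                                   # assumed
    [string]$ConfigPath  = 'C:\Program Files\AD Agent\appsettings.Production.json'   # assumed
)

function New-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-Tpm20 {
    # TPM 2.0 present, enabled and activated: the secret will be bound to hardware.
    # Anything else means the software-KSP fallback (and its logged warning).
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return New-Result 'TPM 2.0' $false 'No TPM found; expect the software-KSP fallback' }
    $ok = ($tpm.SpecVersion -match '^2\.0') -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue
    New-Result 'TPM 2.0' $ok "SpecVersion=$($tpm.SpecVersion) Enabled=$($tpm.IsEnabled_InitialValue) Activated=$($tpm.IsActivated_InitialValue)"
}

function Test-ServiceAccount {
    # 3.1.0 requires LocalSystem or a member of the local Administrators group;
    # gMSAs (names ending in '$') and other non-administrative accounts are unsupported.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { return New-Result 'Service account' $false "Service '$ServiceName' not found" }
    $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    if ($acct -eq 'LocalSystem') { return New-Result 'Service account' $true $acct }
    if ($acct.EndsWith('$')) { return New-Result 'Service account' $false "$acct looks like a gMSA; not supported in 3.1.0" }
    # Direct membership only; a domain group nested inside Administrators is not resolved here.
    $admins  = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    $isAdmin = $admins -contains $acct
    New-Result 'Service account' $isAdmin "$acct $(if ($isAdmin) { 'is' } else { 'is NOT' }) a direct member of local Administrators"
}

function Test-ConfigAcl {
    # The hardened file should grant access only to SYSTEM and Administrators.
    # Any other principal (including inherited entries) is reported for review.
    if (-not (Test-Path -LiteralPath $ConfigPath)) { return New-Result 'Config ACL' $false "$ConfigPath not found" }
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $acl     = Get-Acl -LiteralPath $ConfigPath
    $extra   = @($acl.Access | Where-Object { $_.IdentityReference.Value -notin $allowed } |
                 ForEach-Object { "$($_.IdentityReference.Value):$($_.FileSystemRights)" })
    $detail  = if ($extra.Count) { "Unexpected ACEs: $($extra -join '; ')" } else { 'Only SYSTEM and Administrators' }
    New-Result 'Config ACL' ($extra.Count -eq 0) $detail
}

@(Test-Tpm20; Test-ServiceAccount; Test-ConfigAcl) | Format-Table -AutoSize
```

A failed TPM check is not a blocker for the upgrade, but it tells you in advance that the host will run in the lower-assurance software-KSP mode; a failed service-account check must be fixed before 3.1.0 is installed, since the agent will not run under a non-administrative account.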
Support and assistance
Our support team is happy to schedule an upgrade window with you or walk through the migration steps.
For any questions, please contact us at support@doubleoctopus.com