Summary
Update required by October 18, 2025: To maintain uninterrupted access, update PDQ Deploy & Inventory, PDQ Connect, and SmartDeploy to the latest versions. SimpleMDM is not impacted.
We recently rotated the digital certificates that validate PDQ products as a proactive security measure. This rotation replaces the trusted software signature Windows and security tools use to verify our applications; older versions signed with the previous certificate may stop installing, launching, or validating after the deadline.
Your data, systems, PDQ applications, and certificates are all secure.
Action required by October 18, 2025: Update your PDQ products to the latest versions. Older versions may no longer launch, install, or function properly after the certificate revocation takes effect. Please Note: You do not need to import a new certificate as part of the update process.
Before you start
- Who’s impacted: PDQ Deploy, PDQ Inventory, PDQ Connect, and SmartDeploy customers.
- Not impacted: SimpleMDM.
- Why this is happening: Malicious actors sometimes try to abuse trusted IT tools across the industry. Rotating certificates helps ensure PDQ software only runs in trusted, verified environments.
What happened
Earlier this year, we observed attempts by unauthorized users to misuse trial access, which is something many IT tools in our industry face. We quickly restricted trials and began working with partners to strengthen how we detect and prevent misuse.
This week, we were asked to rotate our product-signing certificate on an accelerated timeline. We acted immediately to keep products trusted and running in verified environments. We understand this short timeline was disruptive and appreciate your patience while we moved as quickly as the situation required.
Practically speaking, certificate rotation replaces the digital signature that operating systems and security tools use to confirm PDQ software is trusted. As a result, older builds that rely on the previous certificate may fail to install, launch, or validate after October 18, 2025. Updating to the latest versions ensures your software continues to run normally.
We’ve added additional verification and monitoring layers to reduce the likelihood of similar disruptions and to ensure future updates occur on normal schedules. This kind of short-notice rotation is not something we expect to happen again.
PDQ customer data, systems, products, and certificates are secure and have not been compromised
What you need to do
PDQ Deploy & PDQ Inventory
- Update to the latest versions:
- In the lower-right corner of Deploy or Inventory, click A new version is available, or
- Log in at portal.pdq.com to download the latest installers.
- In the lower-right corner of Deploy or Inventory, click A new version is available, or
- Run the installers to update your products.
- Restart your PDQ services or console to activate the new certificate.
- AllSigned environments (refers to PowerShell execution policies): Add the new PDQ certificate to your Trusted Root CA Store so signed deployments continue to run smoothly. Guidance on this process is available here: All Signed PowerShell Execution Policy
SmartDeploy
- From the SmartDeploy Desktop Console, select Update available, or download the latest version at app.smartdeploy.com.
- Run the installer to update.
- Update SmartDeploy clients:
- In Computer Management, select client devices and click Update Client.
- Additional guidance is located here: Updating the SmartDeploy Client
PDQ Connect
- Agents will auto-update in the background to
5.10.5or later when devices remain online — no manual action needed in most environments. - If your agents are not automatically updating, please refer to the PDQ Connect Agent Not Updating Automatically KB to work around the issue
- If an agent isn't updated to
5.10.5or later by October 18, 2025, you’ll need to manually reinstall the agent.- If you previously deployed the PDQ Connect agent using a secondary deployment tool such as PDQ Deploy, Group Policy, or Intune, you will need to be sure to update the version in your file repository to
5.10.5, as well as any applicable detection rules which may cite earlier versions. Guidance on this process can be found on our Agent Installation KB.
- If you previously deployed the PDQ Connect agent using a secondary deployment tool such as PDQ Deploy, Group Policy, or Intune, you will need to be sure to update the version in your file repository to
- AllSigned environments (refers to PowerShell execution policies): Add the new PDQ certificate to your Trusted Root CA Store so signed deployments continue to run smoothly. Guidance on this process is available here: PDQ Connect and All Signed PowerShell Environments
Verify and troubleshoot
-
Connect agent version: In Connect, check the Agent version column on the Devices page. Confirm
5.10.5or later. - If older versions are blocked or flagged: Update using the steps above. Once updated, flags should clear as the new certificate is recognized.
- If Deploy/Inventory won’t start after updating: Restart the PDQ services or the console to ensure the new certificate is active.
FAQ
No. This is a preventative security action. There has been no compromise to PDQ customers, applications, systems, or certificates.
Our products are digitally signed so operating systems and security tools can verify they’re legitimate. Rotating the certificate replaces the trusted software signature used to validate PDQ applications. Older builds signed with the previous certificate may stop installing, launching, or validating after the deadline.
The previous certificate will be revoked after October 18, 2025. Updating to current versions ensures your software continues to validate and function normally.
In this context, those are false positives related to the older signing certificate. Once you update to the latest versions (which are signed with the new certificate) and your security tool’s definitions are current, these detections should clear.
Older versions may fail to install, launch, or pass validation checks. To avoid disruption, update PDQ Deploy & Inventory, PDQ Connect, and SmartDeploy to the latest releases before the deadline. SimpleMDM is not impacted.
Most environments do not require changes. If you operate an all-signed or restricted environment that validates publisher certificates, add the new PDQ certificate to your Trusted Root CA Store so signed deployments continue without interruption.
The process is the same. Download the latest installers from the appropriate portal and transfer them via secure media following your organization’s security procedures. Then install the updates on the target machines. For PDQ Deploy & Inventory, restart PDQ services or the console after updating to activate the new certificate.
For PDQ Connect, confirm the Agent version is 5.10.5 or later on the Devices page. For PDQ Deploy & Inventory and SmartDeploy, verify you’re on the latest available versions from the product UI or the customer portal. If an endpoint still shows detections after updating, ensure security definitions are current and re-scan.
No. Your licensing, data, and core functionality remain the same. This action only updates the cryptographic signature used to verify PDQ software.
We’ve implemented additional verification and monitoring layers to reduce the likelihood of similar disruptions. Future certificate rotations will follow normal release timelines, and this kind of short-notice change is not expected going forward.
SimpleMDM is not affected. This article is for existing customers; any pre-trial access changes are handled elsewhere and aren’t required here.
Need help?
- PDQ Deploy & Inventory Support: Submit a ticket
- PDQ Connect Support: Submit a ticket
- SmartDeploy Support: Submit a ticket
- Community Discord: Join the conversation
