Update required: PDQ product certificate rotation occurred October 20, 2025

Summary

On October 20, 2025 at 19:30 EDT (GMT -4), PDQ's certificate was revoked and rotated. This requires an update to the versions that were current at the time of revocation: PDQ Deploy & Inventory (19.5.0.0 or later), PDQ Connect (agent only, 5.10.5 or later), and SmartDeploy (console and clients, 3.0.2048 or later). SimpleMDM is not impacted.

 

There has been no compromise to PDQ customers, applications, systems, or certificates.

The certificate tied to older PDQ product versions was revoked and replaced under global security standards to prevent potential misuse. As a result, older versions will stop installing, launching, or validating after the deadline unless updated.

What to Expect with Certificate Revocation

 

On October 20, 2025, at 5:30 PM MDT (23:30 UTC), older, non-updated builds were blocked by Windows trust checks and failed to launch or install. Some customers may have seen different behavior depending on CRL cache timing, system policy, or other environmental variables.

PDQ Deploy/Inventory and SmartDeploy

  • SmartScreen block at launch: When attempting to open the application (desktop shortcut, Start menu, or launching the binary), Windows SmartScreen may block execution and display a prompt. Choosing Don’t run returns you to the previous app/window; choosing Run anyway triggers an administrator block with no path to proceed (UAC denial). Note: The theme color of the dialog varies by OS settings.

    Windows SmartScreen blocking launch of an older PDQ build

    UAC dialog showing administrator block prevents running older PDQ build

  • Timing variance: Enforcement may appear immediately or after a short delay due to Windows Certificate Revocation List (CRL) caching; Windows does not re-check on every launch, and behavior can vary across environments.
  • Resolution: Download and install the latest versions from the official portals/releases, then relaunch. See below for additional information on what you need to do. Remediation guidance is identical before and after revocation.
  • Do not bypass OS protections: PDQ does not advise or recommend any attempt at registry/policy changes to circumvent SmartScreen/UAC. This undermines Windows kernel security defaults and is potentially damaging.
  • AllSigned environments: Add the new PDQ certificate to your Trusted Root CA Store; redownload any Package Library items (Deploy/Inventory) only if you enforce AllSigned. 

PDQ Connect (agents and installers)

  • Agent behavior at/after revocation: Non-updated agents may fail to install or check in. 
    • If the agent process is already running, Windows typically does not revalidate the certificate of the running process. SmartScreen behavior on machines with the agent installed is not fully predictable and may be silent.
    • It is unknown what Endpoint Detection and Response (EDR) applications like MS Defender and other AV/Anti-malware solutions will do with the services that are running with a revoked certificate.
  • AllSigned environments: Add the new PDQ certificate to Trusted Root CA to keep signed deployments running.

What you need to do

 

Action required: Update your PDQ products to the latest versions. Older versions may no longer launch, install, or function properly after the certificate revocation takes effect. Please note: You do not need to manually import a new certificate as part of the update process, except in AllSigned environments where adding the new certificate is required by policy (see product-specific instructions).

Update PDQ Deploy & PDQ Inventory

 

If you are running PDQ Deploy or PDQ Inventory versions below 19.3.350.0, those versions are not impacted by the certificate revocation event.

  1. Update to the latest versions:
    • In the lower-right corner of Deploy or Inventory, click A new version is available, or
    • Log in at portal.pdq.com to download the latest installers.
    • If you cannot log into portal.pdq.com, you can access the latest versions from pdq.com/releases (install version 19.5.0.0 or later).
  2. Run the installers to update your products.
  3. Restart your PDQ services or console to activate the new certificate.
  4. Need to access your license keys for any reason? Please see this article, Access Your License Keys.
  5. AllSigned environments (refers to PowerShell execution policies): Add the new PDQ certificate to your Trusted Root CA Store so signed deployments continue to run smoothly. Guidance on this process is available here: All Signed PowerShell Execution Policy
    • The packages in the Package Library also utilized the same certificate. AllSigned environments will require a redownload of any packages you downloaded from the Package Library, but only in AllSigned environments. All other execution environments are excluded from this requirement.
    • If you do not know if you are in an AllSigned PowerShell execution environment, you probably aren't.
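
To settle the AllSigned question on a given machine, the following added example (not PDQ's own code) reports the effective PowerShell execution policy and the scope that sets it. If the policy is AllSigned, it groups the scripts under a package folder by signer certificate, so scripts still signed by a certificate you have not added to the Trusted Root CA store stand out. The folder path `C:\Packages` is a hypothetical placeholder.

```powershell
# Added example (not PDQ code). $PackagePath is a hypothetical folder of downloaded package scripts.
param([string]$PackagePath = 'C:\Packages')

# Get-ExecutionPolicy -List returns scopes in precedence order
# (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine); the first defined one wins.
$deciding  = Get-ExecutionPolicy -List |
    Where-Object ExecutionPolicy -ne 'Undefined' | Select-Object -First 1
$effective = Get-ExecutionPolicy
$scopeName = if ($deciding) { $deciding.Scope } else { 'none (built-in default)' }

if ($effective -ne 'AllSigned') {
    "Effective policy is $effective (scope: $scopeName); the AllSigned steps do not apply here."
    return
}
"Effective policy is AllSigned (scope: $scopeName). Script signers under ${PackagePath}:"

Get-ChildItem -Path $PackagePath -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object { Get-AuthenticodeSignature -LiteralPath $_.FullName } |
    Group-Object { $_.SignerCertificate.Thumbprint } |
    ForEach-Object {
        $cert  = $_.Group[0].SignerCertificate
        $thumb = $_.Name                       # empty string for unsigned scripts
        [pscustomobject]@{
            Thumbprint  = if ($thumb) { $thumb } else { '(unsigned)' }
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            # This article directs AllSigned sites to add the new certificate to Trusted Root CA.
            InRootStore = if ($thumb) { Test-Path "Cert:\LocalMachine\Root\$thumb" } else { $false }
            Statuses    = ($_.Group.Status | Sort-Object -Unique) -join ','
            Scripts     = $_.Count
        }
    } | Format-Table -AutoSize
```

A signer group with `InRootStore` false marks the scripts to re-download from the Package Library or to cover by importing the new certificate.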


Update SmartDeploy, Console & Clients

  1. From the SmartDeploy Desktop Console, select Update available, or download the latest version at app.smartdeploy.com.
  2. Run the installer to update.
  3. Update SmartDeploy clients:

Troubleshooting SmartDeploy Update or Installation Issues

Use these targeted checks if updating the SmartDeploy console or clients does not proceed cleanly. These steps complement the update flow in What you need to do (above).

Console update and service communication

  • 1920 Error on install:
    • Download and decompress this zip file of the MongoFixOptions.ps1 script.
      • From an elevated PowerShell prompt, run the MongoFixOptions.ps1 script. For example: PS C:\path\to\script> .\MongoFixOptions.ps1
      • Select option 6, Toggle Mongo & Console Authentication (enable/disable authentication in SmartDeploy's MongoDB connection string)
      • Retry starting the API service from the 1920 error window
    • If the script above does not work, delete the "C:\Program Files\SmartDeploy" directory, then run the sdsetup.exe again. From time to time, files may remain between updates that can cause unexpected behavior, including the 1920 error.
    • If neither of the above resolves the issue, collect your console logs and Submit a support ticket
      • Console logs are usually located in C:\SmartDeploy (default), but could be elsewhere depending on your setup preferences (e.g., D:\SmartDeploy):
        • C:\SmartDeploy\Logs\SDApiService.log
        • C:\SmartDeploy\Logs\SDConsole.log
  • API authentication errors: If you see “Unable to Authenticate with the provided SmartDeploy API Service URL”:
    1. The guidance in this article fixes most of these errors: What if I am unable to log in and getting “SCRAM-SHA-256” errors in my SDApiService.log file?
    2. Verify API URL/authentication per: Unable to authenticate with the provided SmartDeploy Api Service URL.

Client updates

  • From Computer Management, select target devices and click Update Client. Confirm clients report healthy status afterward. If a client fails to update, reattempt or reinstall.

If issues persist

  • Confirm the console is on the latest version and re-run the client update from the console.
  • Reinstall affected clients to ensure they pick up the replacement certificate and current binaries.
  • If you continue to encounter API authentication or connectivity errors, capture the specific message and follow the two SmartDeploy KBs above to resolve common causes.


Update PDQ Connect Agents

 

Installer files
Any locally stored agent installers, including those embedded in images or deployment pipelines, must be replaced with newly downloaded installer files by October 20 to avoid failed installs or disruptions.

Connect agents will auto-update in the background to 5.10.5 or later when devices remain online. For those that are not auto-updating, there are two ways to force agents to update:

Option 1 – Use “Force Update” (Recommended) 
We’ve added a new Force update online agents button in PDQ Connect. This lets you update all online devices that haven’t yet updated automatically.

  • Click “View outdated agents” or “Outdated agents” to see which devices need updating.
  • Then click “Force update online agents.”

This performs an in-place agent upgrade and is the fastest way to get up to date.

Option 2 – Use the PDQ Connect Agent Reinstall Package
If the agent isn’t updating automatically or via the Force Update feature, use the new PDQ Connect Agent Reinstall Package. 

This PowerShell-based package:

  • Backs up your local PDQ Connect configuration,
  • Uninstalls the old agent,
  • Reinstalls the latest version, and
  • Restores your previous configuration so it doesn’t appear as a new device.

If you run into any issues or your agents are still not updating, please refer to the PDQ Connect Agent Not Updating Automatically KB to work around the issue.

  • If an agent isn't updated to 5.10.5 or later by October 20, 2025, you may need to manually reinstall the agent.
    • If you previously deployed the PDQ Connect agent using a secondary deployment tool such as PDQ Deploy, Group Policy, or Intune, you will need to be sure to update the version in your file repository to 5.10.5 or later, as well as any applicable detection rules that may cite earlier versions. Guidance on this process can be found on our Agent Installation KB.
  • AllSigned environments (refers to PowerShell execution policies): Add the new PDQ certificate to your Trusted Root CA Store so signed deployments continue to run smoothly. Guidance on this process is available here: PDQ Connect and All Signed PowerShell Environments
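
For the stored installers and file repositories mentioned above, the following added example (not PDQ's own tooling) audits a folder of installers against the minimum versions listed in this article. It also reports each file's Authenticode status and whether the signer's certificate chain reports revocation. The repository path and the file-name patterns used to recognise each product are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example (not PDQ code). $RepoPath and the file-name patterns are assumptions;
# the version numbers are the ones stated in this article.
param([string]$RepoPath = 'D:\SoftwareRepo')   # hypothetical installer repository

$rules = @(   # checked in order, so SmartDeploy is tested before the broader Deploy pattern
    @{ Product = 'SmartDeploy';          Match = 'SmartDeploy';      Min = [version]'3.0.2048' }
    @{ Product = 'PDQ Connect agent';    Match = 'Connect';          Min = [version]'5.10.5' }
    @{ Product = 'PDQ Deploy/Inventory'; Match = 'Deploy|Inventory'; Min = [version]'19.5.0.0'
       Floor   = [version]'19.3.350.0' }   # builds below this are not impacted
)

function Test-SignerRevoked {
    param([X509Certificate2]$Certificate)
    # Online mode lets Windows fetch CRL/OCSP data when none is cached locally.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EndCertificateOnly'
    [void]$chain.Build($Certificate)
    $revoked = [bool]($chain.ChainStatus |
        Where-Object { $_.Status -band [X509ChainStatusFlags]::Revoked })
    $chain.Dispose()
    return $revoked
}

Get-ChildItem -Path $RepoPath -Recurse -File -Include *.exe, *.msi | ForEach-Object {
    $file = $_
    $rule = $rules | Where-Object { $file.Name -match $_.Match } | Select-Object -First 1
    if (-not $rule) { return }                 # file name matches none of the patterns
    $vi    = $file.VersionInfo
    $ver   = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $known = $ver -gt [version]'0.0.0.0'       # MSI files carry no version resource
    $sig   = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        File          = $file.FullName
        Product       = $rule.Product
        FileVersion   = if ($known) { $ver } else { 'unknown' }
        NeedsReplace  = $known -and $ver -lt $rule.Min -and (-not $rule.Floor -or $ver -ge $rule.Floor)
        Signature     = $sig.Status
        Thumbprint    = $sig.SignerCertificate.Thumbprint
        SignerRevoked = if ($sig.SignerCertificate) { Test-SignerRevoked $sig.SignerCertificate } else { $null }
    }
} | Format-Table -AutoSize
```

Files reported with an unknown version (typically MSI packages) need their version confirmed another way, for example from the download portal.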


FAQ

What happened?

PDQ identified threat actors attempting to misuse PDQ Connect during free trials. These were not legitimate customers but individuals testing ways to use the product inappropriately, including as part of a potential process to distribute malware. While PDQ systems and customer data remain secure and unaffected, the situation required review by industry partners.

Under global certificate security standards, if there is evidence of potential misuse, even if no compromise has occurred, certificates must be revoked and replaced. Following that review, the existing certificate was revoked and a replacement was issued to maintain compliance and product trust.

When did this happen?

The certificate revocation and replacement occurred during the week of October 7, 2025, and required customers to update to the latest product versions before October 20, 2025 to avoid service disruption.

Is this a breach?

No. This was a preventative security action. There has been no compromise to PDQ customers, applications, systems, or certificates. PDQ systems and customer data remain secure and unaffected.

Why was the certificate revoked?

Under the global standards set by the Certificate Authorities / Browser Forum (CABF), if there is evidence of potential misuse, certificates must be revoked and replaced even when no compromise has occurred. After a review with our partners, the previous certificate was revoked and a replacement was issued to maintain compliance and product trust.

PDQ worked closely with Microsoft, DigiCert, and other partners to respond immediately, issue new certificates, and maintain compliance with CABF standards.

What does “certificate revocation and replacement” mean in practice?

PDQ products are digitally signed so operating systems and security tools can verify they’re legitimate. Revocation and replacement change the trusted software signature used to validate PDQ applications. Older builds signed with the previous certificate may stop installing, launching, or validating after the deadline unless updated to the latest versions.

Why the deadline?

The previous certificate was no longer trusted after October 20, 2025. Updating to current versions ensures your software continues to validate and function normally.

Why are some security tools (e.g., Microsoft Defender) flagging PDQ software?

In this context, those are false positives related to the older certificate and outdated applications or agents. After you update to the latest versions (signed with the replacement certificate) and ensure your security tool’s definitions are current, these detections should clear.

Do I need to import a new certificate?

In most environments, no manual import is required; updating installs versions signed with the replacement certificate. In AllSigned environments or similarly restricted configurations, follow the product-specific steps to add the new PDQ certificate to your Trusted Root CA Store so signed deployments continue without interruption.

What happens if I don’t update by the deadline?

Older versions may fail to install, launch, or pass validation checks. To avoid disruption, update PDQ Deploy & Inventory, PDQ Connect (agent), and SmartDeploy (console and clients) to the latest releases before the deadline. SimpleMDM is not impacted.

What about devices that are offline or air-gapped?

The process is the same. Download the latest installers from the appropriate portal and transfer them via secure media following your organization’s security procedures. Then install the updates on the target machines. For PDQ Deploy & Inventory, restart PDQ services or the console after updating to activate the replacement certificate.

How can I verify I’m on the new, trusted versions?

For PDQ Connect, confirm the Agent version is 5.10.5 or later on the Devices page. For PDQ Deploy & Inventory and SmartDeploy, verify you’re on the latest available versions from the product UI or the customer portal. If an endpoint still shows detections after updating, ensure security definitions are current and re-scan.

Do I need to change my firewall or allowlists?

Most environments do not require changes. If you operate an all-signed or restricted environment that validates publisher certificates, add the new PDQ certificate to your Trusted Root CA Store so signed deployments continue without interruption.

What is PDQ doing to prevent this from happening again?

PDQ is implementing additional safeguards to further isolate potential misuse and ensure continued reliability. We’ve strengthened verification and monitoring layers and adjusted internal processes to reduce the likelihood of similar disruptions.

Will this happen again?

Future certificate actions are expected to follow normal release timelines. PDQ acted quickly to protect customers and maintain compliance, and PDQ systems and customer data remain secure and unaffected.

Do trials or SimpleMDM change?

SimpleMDM is not affected. This article is for existing customers; any pre-trial access changes are handled elsewhere and aren’t required here.

Need help?

Still have a question or want to share what you have learned? Visit our Community Discord to get help and collaborate with others.