Purpose
You receive an error when running a PowerShell script or command from PDQ Deploy or PDQ Inventory similar to:
You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
From Error Handling Wrapper.ps1
If you encounter an error similar to this when attempting to run a PowerShell script that did not come from PDQ.com, see this article about Signing Your PowerShell Scripts.
Resolution
PDQ.com signs every .ps1 file included in the product with a code-signing certificate issued by DigiCert. This includes the error handling wrapper script used when executing PowerShell steps or remote commands, as well as any .ps1 in the package library. Any .ps1 file that is not provided directly by PDQ.com is not, and cannot be, signed with this certificate. This includes any PowerShell entered directly into a PowerShell step or PowerShell tool, though a workaround for signing these yourself is described below. If your organization requires all scripts to be signed, it is recommended to use an install step with a signed .ps1 as the installer file.
The installer file versions below can be downloaded from here:
The thumbprints of the certificates are:
PDQ Deploy and Inventory Version 19.5.0.0 and later:
Use this certificate
E706901A2E7EB16DA4D420BF61BBC47BFBBF8CE6
CN=PDQ.COM CORPORATION, O=PDQ.COM CORPORATION, L=South Salt Lake, S=Utah, C=US
PDQ Deploy and Inventory version 19.4.109.0:
This certificate was revoked on 2025-10-18
7B4313B6CDB8176DFAAB4125E51651E2A813AB74
CN=PDQ.COM CORPORATION, O=PDQ.COM CORPORATION, L=South Salt Lake, S=Utah, C=US
Version 19.3.360.0 - 19.4.408.0:
This certificate was revoked on 2025-10-18
8AB2A176E3B80545CE2E15ED12D186B9EF53C108
CN=PDQ.COM CORPORATION, O=PDQ.COM CORPORATION, L=South Salt Lake, S=Utah, C=US
Version 18.2.12.0 - 19.3.350.0:
This certificate expired on 2022-10-17
32AE19914C02705091C58368406293D642F39516
CN=PDQ.COM CORPORATION, O=PDQ.COM CORPORATION, L=Salt Lake City, S=Utah, C=US
This certificate is not included in Trusted Publishers on Windows by default. It is the same code-signing certificate with which we sign our applications. When the execution policy is set to "AllSigned", PowerShell will only run scripts when the entire certificate chain is installed and trusted. Installing a signed application, by contrast, does not have this requirement; the application only needs a valid signature.
In order to run a PowerShell script from our product when the "AllSigned" execution policy is set, you will need to install the certificate chain. There are a few ways to accomplish this on your remote machines. First, you must extract the certificate from the product itself. The PowerShell commands below export a .cer file that you can deploy in whichever manner you choose.
Defining the code-signing certificate as a variable:
$cert = (Get-AuthenticodeSignature -FilePath "C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployConsole.exe").SignerCertificate
Exporting the certificate to a file:
Export-Certificate -Cert $cert -Filepath C:\pdqcert.cer -Type Cert
Now that we have the certificate exported, we have a couple of options on how to install this certificate:
1. Group Policy - https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
If you have set your execution policy via Group Policy, this is the only option you can use.
2. PowerShell - Importing the certificate created previously to the computer Trusted Publishers store.
Import-Certificate -Filepath C:\pdqcert.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher\
WARNING: The certificate whose thumbprint starts with 709DF9 expired on October 18, 2019 and 32AE19 expired October 17, 2022. If you have previously imported these certificates, you will need to import the new one (8AB2A1, expires 09/12/2025).
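One way to carry out the export and import steps above while checking that the certificate being trusted is the one this article lists, as an added example (not PDQ.com's own script). The function name and its parameters are hypothetical; the console path and thumbprint are the ones given above for version 19.5.0.0 and later.

```powershell
# Added example, not PDQ.com's code. Run in an elevated session (LocalMachine store).
# $ConsolePath and $Expected come from this article (thumbprint listed for 19.5.0.0
# and later); the function and parameter names are assumptions for this example.
$ConsolePath = 'C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployConsole.exe'
$Expected    = 'E706901A2E7EB16DA4D420BF61BBC47BFBBF8CE6'
$CerPath     = 'C:\pdqcert.cer'

function Install-VerifiedPublisherCert {
    param(
        [Parameter(Mandatory)] [string] $SignedFile,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [Parameter(Mandatory)] [string] $ExportPath
    )

    $sig = Get-AuthenticodeSignature -FilePath $SignedFile

    # Refuse a binary whose Authenticode signature does not validate.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        throw "Signature on '$SignedFile' is $($sig.Status): $($sig.StatusMessage)"
    }

    $cert = $sig.SignerCertificate

    # Pin to the published thumbprint so only the expected publisher gets trusted.
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Unexpected signer thumbprint $($cert.Thumbprint) ($($cert.Subject))"
    }

    # The article's warning says expired certificates must be replaced, so stop on one.
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Signer certificate expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }

    Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null

    # Import only if Trusted Publishers does not already hold this certificate.
    $store = 'Cert:\LocalMachine\TrustedPublisher'
    if (-not (Test-Path -Path "$store\$($cert.Thumbprint)")) {
        Import-Certificate -FilePath $ExportPath -CertStoreLocation $store | Out-Null
    }

    # Return the stored entry so the caller can confirm what is now trusted.
    Get-ChildItem -Path $store | Where-Object Thumbprint -eq $cert.Thumbprint
}

Install-VerifiedPublisherCert -SignedFile $ConsolePath -ExpectedThumbprint $Expected -ExportPath $CerPath |
    Format-List Subject, Thumbprint, NotAfter
```

If the installed console was signed with one of the older certificates listed above, the thumbprint check throws instead of adding that certificate to Trusted Publishers.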
Signing PowerShell Steps and Tools
When using a PowerShell step or a PowerShell tool, scripts are generated from the contents of these windows, and they are not signed unless the signature block is included. This signature block may be copied and pasted in after signing a script using the method described in Signing Your PowerShell Scripts.
A user.ps1 script is generated from the contents of a PowerShell step window. The below screenshot shows where you would need to paste the signature block in order to subsequently sign user.ps1.
A command.ps1 script is generated from the contents of a PowerShell tool window. The below screenshot shows where you would need to paste the signature block in order to subsequently sign command.ps1.
See Also
Article - Signing Your PowerShell Scripts
Article - Install a Certificate to the Trusted Root Certificate Authorities