PDQ Deploy and PDQ Inventory require that both console and target computers have certain firewall ports open.
In addition, use of the Central Server feature will require an additional open port on the PDQ console running in Server Mode.
Finally, using PowerShell scripts and commands requires WinRM to be enabled and the requisite Windows Firewall rules to be created.
Firewall ports and exclusions are covered in the following:
Ports and Group Policy
IMPORTANT: The ports outlined in this KB are in addition to the normal ports open for such things as LDAP/AD, Kerberos, DNS, etc. It is strongly recommended you do not disable or otherwise modify the firewall to block or impede the proper functioning of those ports.
Ports and Group Policy:
The following open ports are required on the Windows Firewall (or any other firewall) for proper functionality of both PDQ Deploy and PDQ Inventory. If you can manage remote computers using standard Windows administration tools you should be set since we use the same SMB protocol:
In light of recent ransomware attacks, it is important to note that PDQ Deploy utilizes the version of SMB available in your network. In most cases, this will be the latest version, SMBv3, and will exclude SMBv1, which is the vulnerable version of SMB. SMBv1 is used by Windows XP and Windows Server 2003x, both of which are no longer supported by PDQ Deploy.
In Group Policy (recommended), the settings to open the ports above and ICMP are located in Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
In the end, you should have something that looks like this (some additional objects have also been enabled):
Central Server can automatically create a Windows Firewall rule on the PDQ console running in Server Mode. The following is from the initial setup and is also available post-install via Options > Central Server, Change Settings. This is the window in PDQ Deploy (Inventory is nearly identical).
This is equivalent to the following command (PDQ Deploy):
netsh advfirewall firewall add rule name="PDQ Deploy" dir=in action=allow program="C:\Program Files[ (x86)]\Admin Arsenal\PDQ Deploy\PDQDeployService.exe" enable=yes localport=6336 remoteport=6336 protocol=tcp profile=[domain|private]
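To confirm that the rule on the console running in Server Mode still matches the command above, the following added example (not PDQ's own code) reads the rule back with the built-in NetSecurity cmdlets and flags deviations such as a Public profile or a missing program binding. The function name Test-PdqFirewallRule is hypothetical; the rule name, port and executable name are taken from the command above.

```powershell
# Added example: read back the Central Server rule and flag deviations.
# Rule name, port and executable come from the netsh command above.
function Test-PdqFirewallRule {   # hypothetical helper name
    param(
        [string]$DisplayName  = 'PDQ Deploy',
        [string]$ExpectedPort = '6336',
        [string]$ExpectedExe  = 'PDQDeployService.exe'
    )

    # netsh "name=" is exposed as DisplayName by the NetSecurity cmdlets.
    $rules = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Direction)" -eq 'Inbound' }
    if (-not $rules) {
        Write-Warning "No inbound rule named '$DisplayName' was found."
        return
    }

    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $profiles  = "$($rule.Profile)"            # e.g. "Domain, Private" or "Any"
        $localPort = @($port.LocalPort) -join ','

        $findings = @()
        if ("$($rule.Enabled)" -ne 'True')  { $findings += 'rule is disabled' }
        if ("$($rule.Action)"  -ne 'Allow') { $findings += 'action is not Allow' }
        if ($profiles -match 'Any|Public')  { $findings += 'applies to the Public profile' }
        if ($port.Protocol -ne 'TCP')       { $findings += 'protocol is not TCP' }
        if ($localPort -ne $ExpectedPort)   { $findings += "local port is $localPort" }
        if ($app.Program -notlike "*\$ExpectedExe") {
            $findings += 'not bound to the service executable'
        }

        [pscustomobject]@{
            Rule     = $rule.DisplayName
            Profile  = $profiles
            Port     = "$($port.Protocol)/$localPort"
            Program  = $app.Program
            Findings = if ($findings) { $findings -join '; ' } else { 'matches the documented rule' }
        }
    }
}

Test-PdqFirewallRule | Format-List
```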
In addition to the above, the use of remote PowerShell requires that WinRM be enabled on all machines and that Windows Firewall be configured to allow inbound Windows Remote Management. In Group Policy (recommended), the settings are located in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management >
PDQ Deploy and PDQ Inventory access the internet to perform regular tasks such as updating the Package Library, Collection Library, Tools Library, and System Variables (used in collections). In addition to these regular connections, PDQ products periodically check for program updates, package updates, license expiration information, and notifications from PDQ.com (for example, webcast notices, beta notices, etc.).
In order for these connections to function properly, PDQ products will require access to the following external sites:
You can test these connections by using Google Chrome or IE/Edge (friendly error messages turned off):
Can’t access ADMIN$ Using a Local User Account
Under The Hood: How PDQ Deploy Installs Software To Remote Computers (the same idea applies to PDQ Inventory as well).
Deploy: Configuring Central Server
Inventory: Configuring Central Server