Upon my list of problems with Microsoft Deployment Tools (MDT) I've run into a new problem. Dealing with untrusted publishers. If you're here, you likely have the below screen when trying to push out an application as quiet as possible.

The solution is quite simple. Using a VM or a system for testing, install the software and check off "Always Trust software from [Publisher]". What this does is place a certificate in the local computers certificate store that will rid future installs from Novell of this dialogue. What we do then, is export the certificate and put it into your install script. Follow the below to conquer this problem:

  1. In your test environment, install the program fully and be sure to click 'Always trust software from [Publisher]
  2. Run certmgr.msc and navigate to Trusted Publishers then Certificates
  3. The certificate from the publisher will show up there. Right click and click All Tasks -> Export. Save the file.

You now have the certificate from the test environment. You need to import this to the computers being deployed to prior to the install. Simply run the following command in your install script before the program install:

certutil -addstore "TrustedPublisher" MyCertificate.cer

Let me know if this helps or if there are any problems ^^.

Comments 57

  • It is really does not work for me for SHA256 under Win2008 R2
    However It works fine when I have switched to SHA1 back.

  • On Windows 7 and Windows 2008R2, you need to install a KB to support SHA256 (KB3033929 https://www.microsoft.com/en-us/download/details.aspx?id=46148&ppud=4).

    You need to install a hotfix on Windows 7 and Windows 2008R2 systems to get rid of the “Would you like to install this device software?” dialog (KB2921916 https://support.microsoft.com/en-us/kb/2921916)

    I wish MS had fixed KB3033929 so that the hotfix was not needed but unfortunately both are needed.

  • “You now have the certificate from the test environment. You need to import this to the computers being deployed to prior to the install. Simply run the following command in your install script before the program install:
    certutil -addstore “TrustedPublisher” MyCertificate.cer
    Let me know if this helps or if there are any problems ^^.”

    How can i enter this line into an install script with MDT?.. Do i need to export the certificate from the test machine, import it onto the MDT image server, and then run this script anywhere in the task-sequence? If i were to do that how would the deployment know where MyCertificate.cer is located?

    Is the solution something like:
    (Place MyCertificate.cer in deployment share) and to use the script like this-

    certutil -addstore “TrustedPublisher” \\$deploymentshare\MyCertificate.cer

    Could you (or anyone?) point me in a direction because this a very critical item.

  • This reply is for Jon. I did resolve my problem. I do use the techniques described here but I also needed to install a MS hotfix. http://support.microsoft.com/en-us/kb/2921916
    Once I installed this hotfix, my silent installation process now works for Sha2. So, at the end of the day, it’s a MS problem.

  • This solution works fine on Windows7, but on Vista there still a prompt (not the same prompt up here).

  • Doesn’t work for me :(

  • Yes, I would also not I attempted the install without installing the named Patch:

    https://support.microsoft.com/en-us/kb/2921916
    KB Article Number(s): 2921916

    It would not work.

    Once I installed the above patch
    Removed the certificate from the
    re-ran the cert import:

    certutil -addstore “TrustedPublisher” MicroFocus.cer

    I was able to then run the installer for the Client for Open Enterprise Server 2 SP4 (IR4) installer without being prompted for the cert “Allow Trusted Publisher” warning. This will allow me to either push the new installer via the AUTOUPDATE or via Zenworks / ZCM.

    Thanks for the Article!

    Patrick !

1 2

Leave a Reply

Your email address will not be published. Required fields are marked *