To add to my list of problems with Microsoft Deployment Tools (MDT), I've run into a new one: dealing with untrusted publishers. If you're here, you are probably seeing the dialog below (screenshot) when trying to push out an application as quietly as possible.

The solution is quite simple. Using a VM or a test system, install the software and tick "Always trust software from [Publisher]". What this does is place the publisher's certificate in the local computer's Trusted Publishers certificate store, which rids future installs from that publisher (Novell, in my case) of this dialog. What we do then is export that certificate and import it from your install script. Follow the steps below to conquer this problem:

  1. In your test environment, install the program fully and be sure to click 'Always trust software from [Publisher]'
  2. Run certmgr.msc and navigate to Trusted Publishers then Certificates
  3. The certificate from the publisher will show up there. Right click and click All Tasks -> Export. Save the file.

You now have the certificate from the test environment. You need to import this to the computers being deployed to prior to the install. Simply run the following command in your install script before the program install:

certutil -addstore "TrustedPublisher" MyCertificate.cer

Let me know if this helps or if there are any problems ^^.
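The same import step as a deployment script, added here as an example (it is not code from the original post): it refuses to run without elevation, compares the .cer file's SHA-1 thumbprint against the one recorded on the test VM before adding it, writes to the machine-wide TrustedPublisher store (the same store certutil -addstore TrustedPublisher targets), and confirms the result with certutil. The certificate path and the thumbprint are placeholders you fill in; the -Remove switch is an assumed extra for taking the certificate back out.

```powershell
# Added example (not from the original post): stage a publisher certificate into the
# machine-wide Trusted Publishers store from a deployment script, but only after checking
# that the .cer file matches the thumbprint recorded on the test machine.
# Assumptions: the path and the thumbprint below are placeholders for your environment.
param(
    [string]$CertPath = 'C:\Deploy\MyCertificate.cer',                  # assumption: where the exported .cer was staged
    [string]$ExpectedThumbprint = 'PASTE-SHA1-THUMBPRINT-FROM-TEST-VM', # placeholder: read it from certmgr.msc on the test VM
    [switch]$Remove                                                     # undo: take the certificate back out of the store
)

# Writing to the LocalMachine store needs an elevated or SYSTEM context (a comment below
# reports "The requested operation requires elevation" from a non-elevated admin prompt).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt, or as SYSTEM from the deployment task sequence.'
}

if (-not (Test-Path -LiteralPath $CertPath)) { throw "Certificate file not found: $CertPath" }

# Load the file (DER or Base64 .cer both load) and compare thumbprints before trusting it:
# anything signed by a certificate in this store installs without the publisher prompt.
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Refusing to import."
}

# Open LocalMachine\TrustedPublisher directly; this is the store certutil -addstore TrustedPublisher writes to.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($Remove) {
        if ($present) { $store.Remove($cert); Write-Output "Removed $($cert.Subject) from TrustedPublisher" }
        else          { Write-Output 'Nothing to remove.' }
    } elseif ($present) {
        Write-Output "Already trusted: $($cert.Subject)"   # idempotent on repeated task-sequence runs
    } else {
        $store.Add($cert)
        Write-Output "Imported $($cert.Subject) ($($cert.Thumbprint)) into LocalMachine\TrustedPublisher"
    }
} finally {
    $store.Close()
}

# Independent confirmation with the same tool the post uses; a non-zero exit means the store
# does not hold the certificate (which is the expected result after -Remove).
& certutil.exe -verifystore TrustedPublisher $cert.Thumbprint | Out-Null
if (-not $Remove -and $LASTEXITCODE -ne 0) { throw 'certutil cannot find the certificate after import.' }
```

Call it from the install script before the application's own installer, e.g. `powershell.exe -ExecutionPolicy Bypass -File Add-TrustedPublisher.ps1 -CertPath "%DEPLOYROOT%\MyCertificate.cer" -ExpectedThumbprint <thumbprint>`. It uses the .NET X509Store class rather than the Import-Certificate cmdlet so it also works on Windows 7 (PowerShell 2.0), and the thumbprint check is what keeps a swapped or wrong .cer from being silently trusted machine-wide.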

63 Comments

  • This is another way to solve it
    certmgr.exe -add certificate.cer -c -s -r localMachine TrustedPublisher
     
    Hope it works! cheers

  • Works well. I will comment that on a Windows 7 workstation you need to run the dos window with the ‘run as’ administrator option for this to work. Otherwise, you get a message that the file cannot be found.

    Thanks for the tip!

  • @Ramiro: Thanks, never hurts to know multiple ways around problems.

    @Lee: Thanks for pointing that out. I wrote this as I worked with Microsoft Deployment Tools, which runs under administrative rights; I overlooked that most others will not have the luxury of an administrative session to boot!

  • Thanks a lot for publishing this.
    I had exactly the same problem. Your solution works like a charm.
    Cheers mate

  • Thanks a lot for posting this.

    I faced the same issue, and resolved using your solution.

    Thank you !!!

  • Thank you for the article :)

  • Hi,

    how to add the certificate in “Intermediate Certificate Authority” ? I tried certutil -addstore “Intermediate” MyCertificate.cer, however that didn’t work,

    Thanks,
    Thangaselvam

  • @Thangaselvan: Try ‘certutil -addstore CA {certname}.cer’

  • Thanks, it's very useful.

  • Thanks,, it works … and is really useful

  • I am trying the Novell Client as well yet I still get prompted. In which format are you exporting the certificate?

  • I believe when I had done it I just stuck with the default setting of DER encoded. I would take a look at the certificates after you run the command and make sure your command is adding the certificate properly. If you do see your certificate in there, and then try to run through the program installation and it still asks, say yes, and see if there is any additional certificate added anywhere in the manager.

    Also, perhaps version changes carry different certificates?

  • Thanks, it worked

  • GREAT solution!!!

  • Thanks man,

    But how do you remove Trusted Publisher using certutil.exe?

  • Hi Teukka, I’m not sure off the back of my hand but type ‘certutil -delstore -?’ and it should give you enough to go from there.

  • Works Great – I needed this to install eLicenser for Cubase

  • Works like a charm! Very good info. Thanks.

  • You’re all welcome :)!

  • Thanks for providing this information. It was very useful.

  • Super useful article thank you!

  • Very good, love this technique I just learned. Thanks for posting!

  • Hi ,
    I use a particular site called PCDuo to connect remotely to PCs.
    This site usually prompts for installation of an Active X Control.
    When prompted for this, I had clicked more options and selected
    Always install software from PC Duo Publisher and then on the site has stopped working.
    If any one knows how to revert this setting please do let me know.
    Thanks,
    carol

  • I got this working eventually but had to use the -f switch to force the creation of the TrustedPublisher store.

    So my working command was: certutil -f -addstore “TrustedPublisher” MyCertificate.cer

    (For info, this was used with my Windows7 autounattend.xml setup during phase 4 – Specialize-> RunSynchronousCommand)

    Hope this helps someone.

  • Thanks a MILLION marc!!!!! I had to use the -f switch as well. I was trying to install the cert using a batch file right before installing a .msi application. I’m working on deploying windows 7 via sccm using a task sequence and the application will just hang without the -f switch. THANKS BUDDY!!!!

  • Add -f switch for forceful adding certificate into trusted publisher otherwise in WIN 7 it will throw error.
    certutil -f -addstore "TrustedPublisher" MyCertificate.cer

  • certutil -f -addstore “TrustedPublisher” MyCertificate.cer

  • I have two certificates(code signing and device driver signing) issued by GoDaddy.
    With one certificate this solution works but it doesn’t work with the other. The first one I used just for test and I need it to work with the other. Any suggestions please?

  • Thanks bro.

  • Thanks a lot man ! it worked like a charm for me.

  • What can I do to have the certificate placed in Trusted Root Certification Authorities\Local Computers, I mean, how can this be done? Thanks

  • Need help! I already have my reference image. I’m confused on where to copy the certificate. Can I copy it to C:\windows\system32 and then run:

    certutil -addstore “TrustedPublisher” c:\windows\system32\MyCertificate.cer ?

    TIA
    Justin

  • Hey Justin. You can copy the certificate wherever you want. I have mine on a file server and here is my syntax:

    \\filserver\share\certutil.exe -addstore TrustedPublisher \\filserver\share\MyCertificate.cer

    The above syntax is all on one line with no breaks. This is working for me. You want to make sure you also have certadm.dll, certutil.exe, and MyCertificate.cer all in the same location. Hope that helps.

  • Adrian, thanks for the quick reply. So I don't necessarily have to copy the cert to the deployed machine first with your solution. It looks like you are telling the computer to look at your file share with certutil and add your cert from that location.

    Last question, where do I find certutil.exe and certadm.dll on a Win2008 R2 box?

    Sorry I’m a noob :)
    TIA
    Justin

  • No problem. And no, you do not have to copy the cert to the deployed machine... I mean you can, but it's not necessary. Again, all of my packages are on a file server.

    CertUtil.exe is part of the server admin tools. I think I used the one for the windows server 2003 admin tools. You can download it here….

    http://www.microsoft.com/en-us/download/details.aspx?id=16770

    After installing just do a search on the install directory for CertUtil

    I don’t think I’m using the CertUtil.exe for windows server 2008….i’m not sure and don’t remember. If thats what you need then I believe the server admin tools for server 2008 is just a feature you install.

    Good luck.

  • Forgot to add the -f switch in my example above. You DEFINITELY need that…

    Example: \\filserver\share\certutil.exe -f -addstore TrustedPublisher \\filserver\share\MyCertificate.cer

  • Got it working, thanks Adrian!

  • Cool. You got it.

  • I am getting the error “The requested operation requires elevation”. I am running certutil.exe in a local admin command prompt……don’t get it…help…

  • Thank you so much! This makes life a lot easier making silent Bio-Rad installations!

  • my working command was: certutil -addstore “TrustedPublisher” c:\temp\Novell.cer

  • Thanks Mate… It works

  • Hi.

    I am using MDT and adding this as a Run command line sequence. How would I add where the .cer file is located to below command?

    certutil -addstore “TrustedPublisher” MyCertificate.cer

    My deployment is fully online and everything is in the deploymentshare.

    I assume certutil -addstore “TrustedPublisher” C:\deploymentshare\MyCertificate.cer

    Is the above correct, is it okay to put it in the root?

    Or should I move it to the scripts folder?

  • I am trying to deploy an application in an unattended install and receive the same pop up when the installation is at 72%. I have been trying to resolve this issue for a week. I am using MDT 2012. I have followed the steps and obtained the cert. I created the script and included both the script and the certificate in the same folder as the application. Everything I am reading is telling me to be sure that the script runs before the install of the application. I have been unable to do this. Can anyone help me with this? I am begging. I need to know specifically how to get the certificate to install before the application. Please help

  • Brandon,
    From what I’ve read.. if you’re installing a bunch of applications at once with MDT, they’ll install in alphabetical based on their listing in the “Applications” folder of your deployment share.

  • I believe I am having an issue related to the post above by Lee stating you need to run CMD with the Run As command and run as administrator....

    I am trying to install an app that installs a couple of drivers that are prompting the user to accept... I am pushing the install out wrapped in a WinBatch script through HP Radia (similar to SCCM but, depending on who you talk to, either much worse or much better LOL) so the WinBatch is being run with System creds.

    The cmdline that is being run is
    certmgr.msc -f -addstore “TrustedPublisher” C:\ESD\dist\blaze\deploy\3m1.cer (this is what is being logged as the cmd that is being run by WinBatch)
    If I run this through Radia with System creds I am getting a File Not found error but if I copy this cmdline into an Admin CMD prompt it runs perfect.

    Is this issue being caused by attempting to run as system vs as an admin?

    Bill

  • sorry I had been trying cert util and certmgr in the cmdline, I had changed it back to certutil already but pasted the wrong cmdline in above.

    Bill

  • This technique worked great for me on Windows 7 x64/x86 silent installs. At that time I was using a SHA-1 code signing cert. After upgrading my cert to SHA256 I am now getting the above “friendly” message box on Windows 7. It’s back. It is a Thawte cert and I’ve been emailing them about it. They really don’t have a solution and claim that it is supposed to work this way. I have been researching for a while with no luck. Does anyone have some additional insight that has not been discussed before? UAC is off and I am running my installation package as the administrator.

  • Hi Jim, I am also potentially running into the SHA256 issue on Windows 7. Silent install on Windows 8 and above is working but it's not working on Windows 7. It gives the above trust dialog. Did you get any solution to your ? Does SHA-1 fix the problem?

  • It worked for me.