Adding to my list of problems with Microsoft Deployment Tools (MDT), I've run into a new one: dealing with untrusted publishers. If you're here, you have likely seen the screen below when trying to push out an application as quietly as possible.

The solution is quite simple. Using a VM or a test system, install the software and check "Always trust software from [Publisher]". This places a certificate in the local computer's certificate store, which rids future installs from Novell of this dialogue. We then export that certificate and import it from your install script. Follow the steps below to conquer this problem:

  1. In your test environment, install the program fully and be sure to click 'Always trust software from [Publisher]'
  2. Run certmgr.msc and navigate to Trusted Publishers then Certificates
  3. The certificate from the publisher will show up there. Right click and click All Tasks -> Export. Save the file.

You now have the certificate from the test environment. You need to import it on the computers being deployed to before the install runs. Simply run the following command in your install script before the program install:

certutil -addstore "TrustedPublisher" MyCertificate.cer

Let me know if this helps or if there are any problems ^^.
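
One way to wrap the import step so the install script checks what it is about to trust (an added example, not the author's script). Anything signed with a certificate in Trusted Publishers installs without the prompt, so the script pins the thumbprint before calling the same certutil command. It assumes the exported .cer sits in the same folder as the script, and the thumbprint value is a placeholder for the one you record on the test machine.

```powershell
# Added example, not the author's script. Assumptions: the exported .cer sits in
# the same folder as this script, and $ExpectedThumbprint is a placeholder for
# the thumbprint you recorded from the certificate on the test machine.
param(
    [string]$CertFile = 'MyCertificate.cer',
    [string]$ExpectedThumbprint = 'REPLACE-WITH-THUMBPRINT-FROM-TEST-MACHINE'
)

# Resolve the certificate relative to the script, so no share path is hard-coded.
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$certPath  = Join-Path $scriptDir $CertFile
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

# Refuse to trust anything other than the exact certificate that was exported.
# Stripping non-hex characters tolerates spaces copied from the certificate dialog.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    Write-Warning "Thumbprint mismatch for ${certPath}: got $($cert.Thumbprint)"
    exit 1
}

# Log the validity window and signature algorithm for troubleshooting.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
Write-Output "Subject: $($cert.Subject); signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"

# Import into the machine-wide Trusted Publishers store only if it is not there yet.
$storeItem = "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
if (-not (Test-Path $storeItem)) {
    & certutil.exe -addstore "TrustedPublisher" $certPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil failed with exit code $LASTEXITCODE"
        exit $LASTEXITCODE
    }
}

# Confirm the result before the installer runs.
if (-not (Test-Path $storeItem)) {
    Write-Warning "Certificate not found in TrustedPublisher after import."
    exit 1
}
Write-Output "Publisher certificate $($cert.Thumbprint) is trusted on this machine."
exit 0
```

Run it elevated, before the program install; a non-zero exit code means the certificate was not trusted and the installer would still prompt.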

65 Comments

  • It really does not work for me for SHA256 under Win2008 R2.
    However, it works fine when I switch back to SHA1.

  • On Windows 7 and Windows 2008R2, you need to install a KB to support SHA256 (KB3033929 https://www.microsoft.com/en-us/download/details.aspx?id=46148&ppud=4).

    You need to install a hotfix on Windows 7 and Windows 2008R2 systems to get rid of the “Would you like to install this device software?” dialog (KB2921916 https://support.microsoft.com/en-us/kb/2921916)

    I wish MS had fixed KB3033929 so that the hotfix was not needed but unfortunately both are needed.

  • “You now have the certificate from the test environment. You need to import this to the computers being deployed to prior to the install. Simply run the following command in your install script before the program install:
    certutil -addstore "TrustedPublisher" MyCertificate.cer
    Let me know if this helps or if there are any problems ^^.”

    How can I enter this line into an install script with MDT? Do I need to export the certificate from the test machine, import it onto the MDT image server, and then run this script anywhere in the task sequence? If I were to do that, how would the deployment know where MyCertificate.cer is located?

    Is the solution something like:
    (Place MyCertificate.cer in deployment share) and to use the script like this-

    certutil -addstore "TrustedPublisher" \\$deploymentshare\MyCertificate.cer

    Could you (or anyone?) point me in a direction, because this is a very critical item.

  • This reply is for Jon. I did resolve my problem. I do use the techniques described here but I also needed to install a MS hotfix. http://support.microsoft.com/en-us/kb/2921916
    Once I installed this hotfix, my silent installation process now works for Sha2. So, at the end of the day, it’s a MS problem.

  • This solution works fine on Windows7, but on Vista there is still a prompt (not the same prompt as up here).

  • Doesn’t work for me 🙁

  • Yes, I would also note I attempted the install without installing the named patch:

    https://support.microsoft.com/en-us/kb/2921916
    KB Article Number(s): 2921916

    It would not work.

    Once I installed the above patch
    Removed the certificate from the
    re-ran the cert import:

    certutil -addstore "TrustedPublisher" MicroFocus.cer

    I was able to then run the installer for the Client for Open Enterprise Server 2 SP4 (IR4) installer without being prompted for the cert “Allow Trusted Publisher” warning. This will allow me to either push the new installer via the AUTOUPDATE or via Zenworks / ZCM.

    Thanks for the Article!

    Patrick !

  • This solution works fine on Windows7. Many Thanks ! 🙂

  • Now the question is what to do when the driver certificate has also expired?

  • This worked fine for me! Thank you.

  • I’m not sure why this is not working for me. Trying to install OES client sp4 v8 and I cannot get it to stop prompting to install or don’t install. I’ve exported the cert, imported and no matter what I try it prompts me. This is on a Windows 7 fully patched system. Wish I knew what the magic formula was. I’m one prompt from fully unattended.

  • Great solution, works fine! Thank you very much for sharing!

  • Works for the DocuSign Print Driver 3.1.4 as of 11/2/18.

    Thanks!

  • Thanks a lot for the info. At first, it failed, but was just because it was the first certificate and the store did not exist yet. It worked by adding the ‘-f’ switch:

    certutil -addstore -f "TrustedPublisher" MyCertificate.cer

    For information: done with MDT build 8456 deploying Windows 10 version 2004 with Oracle VirtualBox 6.1.12.

  • Thanks 😉