Batch Script Not Working The Same From SetupComplete.cmd

Discussion in 'Windows 10' started by UpGrade4, Oct 23, 2019.

  1. UpGrade4

    UpGrade4 MDL Novice

    Aug 22, 2012
    44
    9
    0
    #1 UpGrade4, Oct 23, 2019
    Hi all i have encountered a strange issue.

    I have a script that runs after windows 10 setup and i want to install OpenVPN by default silently (this works) and accept the certificate installation silently to do this now i have used and tested the code below via cmd:

    Code:
    certutil -addstore "TrustedPublisher" Tools\Silent\OpenVPN\OpenVPN.cer
    This works flawlessly and installs the certificate so no user interaction is required however, when ran after a setup via SetupComplete.cmd it does not work and you are prompted with the certificate installation box which needs to be accepted.

    Please can somebody explain why it doesn't work under this circumstance when it works correctly under Windows via cmd ? Please can somebody explain or show me how to bypass this and make it work?

    This is not the first time that i have encountered issues when running commands via SetupComplete.cmd i have managed to find ways around them previously but not for this.

    Maby @BAU or @abbodi1406 could help i know your guys scripting skills are unmatched!
     
  2. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    16,222
    84,900
    340
    #2 abbodi1406, Oct 23, 2019
    Maybe -enterprise help?
    Code:
    certutil -enterprise -addstore TrustedPublisher Tools\Silent\OpenVPN\OpenVPN.cer
     
  3. UpGrade4

    UpGrade4 MDL Novice

    Aug 22, 2012
    44
    9
    0
    #3 UpGrade4, Oct 23, 2019 (OP)
    Thanks for the reply, i will try this suggestion after work today and ill let you know if it works
     
  4. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
    #4 AveYo, Oct 23, 2019
    setupcomplete is run before any user is logged on, as system.
    You are not supposed to mess with CAs at machine level - when you run certutil as a logged on user certain stuff is inferred for you automatically.
    I think you have to add the certificate to the Trusted Root Certification as well to prevent prompts.
    And speaking of prompts - of course you did not deem it relevant, so we have to waste time testing or use our imagination to suspect it's about the certificate not being trusted as root. Anyway, if that's the case, an extra command should fix it:
    Code:
    certutil -addstore -f -v root Tools\Silent\OpenVPN\OpenVPN.cer
certutil -addstore -f -v TrustedPublisher Tools\Silent\OpenVPN\OpenVPN.cer
    Not sure you need the enterprise stuff, but just in case:
    Code:
    certutil -addstore -enterprise -f -v root Tools\Silent\OpenVPN\OpenVPN.cer
certutil -addstore -enterprise -f -v TrustedPublisher Tools\Silent\OpenVPN\OpenVPN.cer
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. UpGrade4

    UpGrade4 MDL Novice

    Aug 22, 2012
    44
    9
    0
    #5 UpGrade4, Oct 23, 2019 (OP)
    Thanks, ill give this a test after work too ill let you know the result
     
  6. UpGrade4

    UpGrade4 MDL Novice

    Aug 22, 2012
    44
    9
    0
    #6 UpGrade4, Oct 27, 2019 (OP)
    @BAU @abbodi1406 Wanted to let you guys know i tested this. I was going to go in order of posts but the first one above worked perfectly! So i didnt get round to testing the other theories. Thank you both so much for your help!