Batch Script Not Working The Same From SetupComplete.cmd

Discussion in 'Windows 10' started by UpGrade4, Oct 23, 2019.

  1. UpGrade4

    UpGrade4 MDL Novice

    Hi all, I have encountered a strange issue.

    I have a script that runs after Windows 10 setup, and I want to install OpenVPN by default silently (this works) and accept the certificate installation silently. To do this, I have now used and tested the code below via cmd:

    Code:
    certutil -addstore "TrustedPublisher" Tools\Silent\OpenVPN\OpenVPN.cer
    This works flawlessly and installs the certificate so no user interaction is required. However, when run after setup via SetupComplete.cmd, it does not work and you are prompted with the certificate installation box, which needs to be accepted.

    Please can somebody explain why it doesn't work under this circumstance when it works correctly under Windows via cmd? Please can somebody explain or show me how to bypass this and make it work?

    This is not the first time that I have encountered issues when running commands via SetupComplete.cmd. I have managed to find ways around them previously, but not for this.

    Maybe @BAU or @abbodi1406 could help. I know you guys' scripting skills are unmatched!
     
  2. abbodi1406

    abbodi1406 MDL KB0000001

    Maybe -enterprise helps?
    Code:
    certutil -enterprise -addstore TrustedPublisher Tools\Silent\OpenVPN\OpenVPN.cer
     
  3. UpGrade4

    UpGrade4 MDL Novice

    Thanks for the reply. I will try this suggestion after work today and I'll let you know if it works.
     
  4. BAU

    BAU MDL Senior Member

    SetupComplete is run before any user is logged on, as SYSTEM.
    You are not supposed to mess with CAs at machine level - when you run certutil as a logged on user certain stuff is inferred for you automatically.
    I think you have to add the certificate to the Trusted Root Certification as well to prevent prompts.
    And speaking of prompts - of course you did not deem it relevant, so we have to waste time testing or use our imagination to suspect it's about the certificate not being trusted as root. Anyway, if that's the case, an extra command should fix it:
    Code:
    certutil -addstore -f -v root Tools\Silent\OpenVPN\OpenVPN.cer
    certutil -addstore -f -v TrustedPublisher Tools\Silent\OpenVPN\OpenVPN.cer
    
    Not sure you need the enterprise stuff, but just in case:
    Code:
    certutil -addstore -enterprise -f -v root Tools\Silent\OpenVPN\OpenVPN.cer
    certutil -addstore -enterprise -f -v TrustedPublisher Tools\Silent\OpenVPN\OpenVPN.cer
    
     
  5. UpGrade4

    UpGrade4 MDL Novice

    Thanks, I'll give this a test after work too. I'll let you know the result.
     
  6. UpGrade4

    UpGrade4 MDL Novice

    @BAU @abbodi1406 Wanted to let you guys know I tested this. I was going to go in order of posts, but the first one above worked perfectly! So I didn't get round to testing the other theories. Thank you both so much for your help!
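
The import discussed in this thread, written as a script that can be called from SetupComplete.cmd; this is an added example, not code posted by any participant. It pins the .cer file to a known hash before trusting it machine-wide and logs each certutil result, since nothing is visible on screen at that stage. The log path, the EXPECTED placeholder and the assumption that the Tools folder sits next to the script are illustrative.

```batch
@echo off
rem Added example. Assumes this script and the Tools folder are in the same
rem directory; LOG and EXPECTED are placeholders to adapt.
setlocal EnableExtensions

rem SetupComplete.cmd runs as SYSTEM before any user logs on, so do not rely
rem on the working directory: build an absolute path from the script location.
set "CER=%~dp0Tools\Silent\OpenVPN\OpenVPN.cer"
set "LOG=%SystemRoot%\Temp\openvpn-cert.log"

rem Placeholder: SHA256 of the .cer file you reviewed, hex without spaces.
set "EXPECTED=REPLACE_WITH_SHA256_OF_VETTED_CER"

if not exist "%CER%" (
    >>"%LOG%" echo Certificate not found: %CER%
    exit /b 2
)

rem Hash the file; the first line after the header is the digest.
set "HASH="
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%CER%" SHA256') do (
    if not defined HASH set "HASH=%%H"
)
if not defined HASH (
    >>"%LOG%" echo Could not hash %CER%
    exit /b 3
)
rem Older certutil builds print the digest with spaces between bytes.
set "HASH=%HASH: =%"

rem Refuse to add anything to the machine trust stores unless it matches.
if /i not "%HASH%"=="%EXPECTED%" (
    >>"%LOG%" echo Hash mismatch for %CER%: %HASH%
    exit /b 3
)

rem Same two stores as in the thread; stop and log on the first failure.
for %%S in (root TrustedPublisher) do (
    >>"%LOG%" 2>&1 certutil -addstore -f -v %%S "%CER%"
    if errorlevel 1 (
        >>"%LOG%" echo certutil failed for store %%S
        exit /b 4
    )
)
exit /b 0
```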