[Import-Certificate], UnauthorizedAccessException E_ACCESSDENIED when trying to import cert into Cert:\LocalMachine\TrustedPublisher

Julien POULAIN 10 Reputation points
2024-05-17T07:40:14.98+00:00

Hi,

I'm really struggling with this one! So a bit of context first: I'm using a PowerShell module that I've made on my own. This module automatically creates a Hyper-V VM, installs Windows in it, runs scripts that install applications silently, syspreps, and makes all of this into a WIM ready to be deployed with Configuration Manager. I use PowerShell Direct to create remote PS sessions to run the code inside the VM. I do this on the host using Invoke-Command -Session $Session -ScriptBlock $ScriptBlock. $ScriptBlock contains the code to be executed remotely.

In some scripts, I try to import certificates into the local machine TrustedPublisher store to make the app install totally silent. On a fresh Windows install on the VM, it's not working.

The code I'm using for this is:

Import-Certificate -FilePath ".\adafruit_industries.cer" -CertStoreLocation "Cert:\LocalMachine\TrustedPublisher"

The error is:

Accès refusé. (Exception de HRESULT : 0x80070005 (E_ACCESSDENIED))
+ CategoryInfo          : NotSpecified: (:) [Import-Certificate], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.CertificateServices.Commands.ImportCertificateCommand
+ PSComputerName        : wim-test-wif

Everything is run on the VM with the local administrator account; since it's a French version of Windows, the account name is Administrateur.

If I log in to the VM with a graphical session using the administrator account, open the Computer Certificate Manager app (certlm) and browse what's inside TrustedPublisher, there is nothing. And then, the very same code that didn't work before suddenly works! For any certificate! I've tried many things and did a lot of research, and I still cannot understand what's going on.

Oddly, with a fresh install, I can import a certificate into the LocalMachine Root store:

Import-Certificate -FilePath ".\adafruit_industries.cer" -CertStoreLocation "Cert:\LocalMachine\Root"

So I'm wondering what's different that makes it work with the Root store but not the TrustedPublisher one.

I'm also wondering if there is something that needs to be initiated so that the Administrateur user can access the TrustedPublisher store. Does it have something to do with the graphical session or the fact that the account is named Administrateur and not Administrator? I don't know.

I tried, before importing the cert, to Set-Location to the store or to browse it, but nothing changes. I tried with certutil, no better luck.

Any piece of advice would be much appreciated!

Thanks,
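An added example, not code from the question author's module: it opens the LocalMachine store through the .NET X509Store class with ReadWrite instead of the Import-Certificate cmdlet, and checks the certificate's thumbprint before adding it, because anything placed in TrustedPublisher lets that publisher's signed code run without a trust prompt. Whether the ReadWrite open (which creates the store's backing key when it does not yet exist, unlike an OpenExistingOnly open) is what the cmdlet trips over on a fresh install is an assumption; the thread does not confirm it. The expected thumbprint is a placeholder to be replaced with the real value.

```powershell
# Added example, not the question author's module code.
# Run inside the VM session (Invoke-Command -Session $Session -ScriptBlock { ... }).
param(
    [string]$CertPath = '.\adafruit_industries.cer',          # path from the question
    [string]$StoreName = 'TrustedPublisher',
    [string]$ExpectedThumbprint = 'REPLACE_WITH_EXPECTED_THUMBPRINT'  # placeholder
)

# Load the certificate and confirm it is the one we intend to trust.
# Putting an unverified file into TrustedPublisher silences publisher-trust prompts
# for every binary that publisher signs, so gate on the thumbprint first.
$certFile = (Resolve-Path -Path $CertPath).Path
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $certFile
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Refusing to trust unexpected certificate: $($cert.Subject) [$($cert.Thumbprint)]"
}

# Open the store with ReadWrite (assumption: this creates the store's physical
# backing if the fresh install has not created it yet, which a cmdlet opening
# the store in existing-only mode would not do).
$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                    -ArgumentList $StoreName, 'LocalMachine'
try {
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $already = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $already) {
        $store.Add($cert)
        Write-Output "Added $($cert.Subject) to Cert:\LocalMachine\$StoreName"
    } else {
        Write-Output "Certificate already present in Cert:\LocalMachine\$StoreName"
    }
} finally {
    $store.Close()
}

# Re-read through the PowerShell provider so the result is verified independently
# of the object we just added, and record what is now trusted.
Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

If the .NET path also returns E_ACCESSDENIED, the cause is store permissions rather than the cmdlet, which narrows where to look next.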


1 answer

  1. Blood Wolf Merlin 0 Reputation points
    2024-07-02T03:45:46.1066667+00:00

    I am running into this exact same issue using Windows Sandbox.

    What I have noticed is that if I manually import the cert into LocalMachine\TrustedPublisher, a folder is created called Publishers.

    If I delete the manually imported cert and then re-run the same command the certificate will now import.

    Edit: Less than five minutes after posting, I have found the answer on Reddit.

    I am going to be honest, I don't know what this part does:

    if( Get-WMIObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 4 -and ( $_.DeviceID -eq ($Certificate).Substring(0,2) ) }){

    but I was able to modify it to work.
