Import-Certificate strange behavior running as admin

I have a driver install script that installs certificates and installs drivers.

I am running it as the built-in Administrator account which should have full admin rights (no Admin Approval mode, no UAC). This is all in Windows 10 1709.

Right now my setup is this:

installdrivers.ps1:

$root_dir = "$env:HOMEDRIVE/Drivers"
$output_dir = $root_dir + '/' + 'certs'

Get-ChildItem $output_dir | % {
    Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher -FilePath $_.FullName  | Out-Null
}

pnpunattend auditsystem /L

#leave at PowerShell prompt
powershell

The script works fine when run manually, either from a PoSH terminal, ISE, or from the GUI.

However, when I launch it on login (either via Start Menu startup, the "RunOnce" registry key, or even as the login shell set in the registry in Winlogon), I get the below:

Import-Certificate : Access is denied. (Exception from HRESULT: 0x80070005
(E_ACCESSDENIED))
At C:\Drivers\x64\installdrivers.ps1:61 char:5
+     Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedP ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Certificate], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.CertificateServices.Commands.ImportCertificateCommand

I know my script is running as admin to some extent because the driver portion of the script completes fine.

I tried manually escalating upon calling the script but that makes no difference:

$new_process = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
$new_process.Arguments = "powershell.exe $Env:HOMEDRIVE\Drivers\x64\installdrivers.ps1"
$new_process.Verb = "runas"
[System.Diagnostics.Process]::Start($new_process)

Anybody have any idea what might be at play here?

EDIT:
Confirmed that certutil.exe does work:

certutil -Enterprise -addstore "TrustedPublisher" $_.FullName

Am I wrong in thinking that the above should be identical to the below in functionality?

Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher -FilePath $_.FullName

Tags: windows, powershell, permissions
asked on Stack Overflow Apr 23, 2018 by Joenarr Bronarsson • edited Apr 23, 2018 by Ansgar Wiechers
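
A diagnostic variant of the import loop from the question, as an added example that is not part of the original post: it records the security context the script runs in and the exact exception for each certificate file, so a manual run and a logon-time run can be compared line by line. The log file path and the function name `Write-ImportContext` are assumptions.

```powershell
# Added diagnostic sketch, not the asker's code.
$CertDir = "$env:HOMEDRIVE/Drivers/certs"               # directory used in the question
$LogFile = "$env:HOMEDRIVE\Drivers\cert-import.log"     # hypothetical log location

function Write-ImportContext {
    # Record who the script runs as and whether the token carries the
    # Administrators role (False under a filtered, non-elevated token).
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $session   = [Diagnostics.Process]::GetCurrentProcess().SessionId
    $line = '{0:o} user={1} admin-role={2} session={3} interactive={4}' -f `
        (Get-Date), $id.Name, $isAdmin, $session, [Environment]::UserInteractive
    Add-Content -Path $LogFile -Value $line
}

Write-ImportContext

Get-ChildItem -Path $CertDir -File | ForEach-Object {
    $file = $_.FullName
    try {
        # Parse the file first so the log shows exactly which certificate
        # is about to be trusted as a publisher on this machine.
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $file

        # -ErrorAction Stop turns the cmdlet error into a catchable exception.
        Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher `
            -FilePath $file -ErrorAction Stop | Out-Null

        $line = 'OK   {0} {1}' -f $cert.Thumbprint, $cert.Subject
    } catch {
        # Keep the exception type and HRESULT; 0x80070005 is E_ACCESSDENIED.
        $ex   = $_.Exception
        $line = 'FAIL {0} {1} HRESULT=0x{2:X8} {3}' -f `
            $file, $ex.GetType().FullName, $ex.HResult, $ex.Message
    }
    Add-Content -Path $LogFile -Value $line
}
```

Because every addition to `TrustedPublisher` changes which signed drivers install without a prompt, the thumbprint lines also serve as an audit record of what the script trusted.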

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0