Installing Certificate for CurrentUser/LocalMachine with no Admin Rights?

1

I am trying to install a UWP app on Win10. I want to automate the whole installation process (install certificate, dependencies, etc.).

So I wrote a little batch file that calls 2 PowerShell scripts. One installs the dependencies (checks if they're already installed). The other one installs the certificate and adds the app to the system.

I am adding the Certificate to:

    certutil -Enterprise -addstore "TrustedPublisher" .\cert.crt
    certutil -Enterprise -addstore "Root" .\cert.crt
    Import-Certificate -CertStoreLocation Cert:\LocalMachine\TrustedPublisher -FilePath .\cert.crt
    Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath .\cert.crt
    Add-AppxPackage -Path .\app.appxbundle

Now the thing is that my client wants me to do that with no admin rights.

Therefore I thought installing the cert for the CurrentUser instead would work, as installing the cert there doesn't need admin rights.

So I changed my script like this:

    certutil -addstore -user -f "TrustedPublisher" .\cert.crt
    certutil -addstore -user -f "Root" .\cert.crt
    Import-Certificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath .\cert.crt
    Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath .\cert.crt
    Add-AppxPackage -Path .\app.appxbundle

I also tried to add it to the "TrustedPeople" and "My" locations.

Installing the certificate with no admin rights worked fine. But installing the app itself failed with the error:

"Add-AppxPackage : Deployment failed with HRESULT: 0x800B0109, A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider"

So the certificate was kinda found but it's not trusted. So my questions are:

  1. Why does the system not "trust" the cert even when I install it in "CurrentUser/TrustedPublisher" (difference to LocalMachine/TrustedPublisher)?
  2. Is there a way to install the cert to LocalMachine without admin rights?
  3. Can I install the app by directing it to the installed cert in CurrentUser?

I am new to the whole deployment stuff on Windows, so I hope those questions make sense :)

powershell
certificate
self-signed-certificate
asked on Stack Overflow Apr 26, 2019 by nani • edited Apr 26, 2019 by nani

1 Answer

1
  1. If the app is installed to the -system-, then it would be validating against the LocalMachine/TrustedPublisher. This is a basic security mechanism to prevent a random user from bypassing the security by "trusting" a cert and installing a random malicious piece of software without admin privileges; which could then be run by another user.
  2. The correct way to get the cert installed "without admin rights" is to use Group Policy to install a certificate; see "Distribute Certificates to Client Computers by Using Group Policy".
  3. No. Don't try to bypass the security. Basics are, you need an Admin to either install the cert in the LocalMachine/TrustedPublisher or to install the app. The easiest is to use a GPO to install the Cert first.
answered on Stack Overflow Apr 26, 2019 by HAL9256
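
A read-only check for the situation in the question and answer above, added here as an example (not code from either poster): it reports which stores contain `.\cert.crt` (the file name used in the question), so you can see whether the certificate is trusted machine-wide or only for the current user. The function name `Get-CertStorePlacement` is made up for this example.

```powershell
# Added example; Get-CertStorePlacement is a hypothetical helper name.
# Reads the certificate stores only, so it runs without admin rights.
function Get-CertStorePlacement {
    param(
        [string]$CertPath = '.\cert.crt'   # file name taken from the question
    )

    $file = (Resolve-Path -LiteralPath $CertPath).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # The four stores the question mentions, in both locations.
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($store in 'Root', 'TrustedPublisher', 'TrustedPeople', 'My') {
            [pscustomobject]@{
                Location   = $location
                Store      = $store
                Present    = Test-Path -LiteralPath "Cert:\$location\$store\$($cert.Thumbprint)"
                Thumbprint = $cert.Thumbprint
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        }
    }
}

$placement = @(Get-CertStorePlacement)
$placement | Format-Table Location, Store, Present, SelfSigned -AutoSize

$inMachine = @($placement | Where-Object { $_.Location -eq 'LocalMachine' -and $_.Present })
$inUser    = @($placement | Where-Object { $_.Location -eq 'CurrentUser'  -and $_.Present })

if ($inUser.Count -gt 0 -and $inMachine.Count -eq 0) {
    # The state the question describes: the import succeeded, but only for the user.
    Write-Warning ('Certificate is present only in CurrentUser stores. Per the answer above, ' +
        'the package is validated against LocalMachine, so Add-AppxPackage is expected to ' +
        'fail with 0x800B0109 until an admin or a GPO places the certificate machine-wide.')
}
elseif ($inMachine.Count -eq 0) {
    Write-Warning 'Certificate was not found in any of the checked stores.'
}
else {
    Write-Output ('Certificate found in LocalMachine store(s): ' +
        (($inMachine | ForEach-Object { $_.Store }) -join ', '))
}
```

The CurrentUser view of a store also lists certificates inherited from LocalMachine, so a `Present` value of `True` under CurrentUser is only significant when the matching LocalMachine row is `False`.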

User contributions licensed under CC BY-SA 3.0