
Deliver DigiCert Trust Assistant using Group Policies

Using the Group Policy feature of Windows Server, you can deliver DigiCert® Trust Assistant to users and computers in your Windows domain. This document describes how to automate the installation, update, and uninstallation of DigiCert® Trust Assistant using Group Policy.

Note

This feature is supported only on Windows computers that are joined to a Windows domain. For other operating systems, you may need to use another Device Management solution.

Prerequisites

  • Knowledge of Group Policy and how to configure it in a Windows domain.

  • Administrator privileges to configure Group Policy.

  • An existing Group Policy Object (GPO) under your target Windows domain with the appropriate security filtering (groups, users, and computers) applied. Create a separate GPO for testing purposes. Refer to the official Microsoft documentation.

  • A shared network folder that the target computers and users can access remotely (refer to the official Microsoft documentation).

Place the installer on the shared network folder

Download the DigiCert® Trust Assistant Windows installer. See Download installer.

  • Place this binary file on the shared network folder, and ensure that the target user, computer, or group has Read & execute permission on both the folder and the binary file.

  • You must also distribute the DigiCert Software KeyStore Provider installer if you plan to use the DigiCert Software KeyStore. After DigiCert® Trust Assistant is installed, that installer is available at:

    <install directory>/resources/dsksprovider.msi

Prepare the PowerShell installer script

You must use the Group Policy PowerShell script runner: Group Policy Software installation supports only Microsoft Software Installer (.msi) packages, while the DigiCert® Trust Assistant installer is provided as a bundled binary (.exe).

Note

DigiCert Software KeyStore Provider is provided as .msi, so you can install this application through Group Policy Software installation.

Copy the following PowerShell Installer Script to the Domain Controller in your Windows domain:

# Script to install DigiCert Trust Assistant. Can be used via GPO Startup/Shutdown/Logon/Logoff scripts
# Usage: DTAInstall.ps1 -i installer_path [-t install_type]
#        installer_path - UNC path of installer, for example: \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-Setup-1.0.0.exe
#                         * Make sure the user or computer that runs this script has read and execute permission to this file
#        install_type   - (optional) Specify 'user' or 'machine' to indicate type of install. Default is 'user'.
#                         * Specifying 'machine' will require Local Administrator privilege
#                         * Default target installation directory is:
#                             'user'    -- %userprofile%\AppData\Local\Programs\DigiCert Trust Assistant
#                             'machine' -- C:\Program Files\DigiCert Trust Assistant
#
# Log from this script can be found in following locations:
#     install_type = 'user'   : %userprofile%\AppData\Local\Temp
#     install_type = 'machine': %systemdrive%\Windows\Temp
Param($i,$t='user')
$logfile = "$env:TEMP\DigiCert-Trust-Assistant-installation.log"
function WriteLog {
    Param ([string]$LogString)
    $Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
    $LogMessage = "$Stamp $LogString"
    Add-content $LogFile -value $LogMessage
}
# Check installer_path
if (-not $i) {
    $msg = "-i option is required. Please specify UNC Path of the installer. For example: '-i \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-Setup-1.0.0.exe'"
    WriteLog $msg
    throw $msg
}
if (-not (Test-Path -Path $i)) {
    $msg = "$i not found, check if the file exists or permission is properly applied to user or computer."
    WriteLog $msg
    throw $msg
}
# Check install_type
if (($t -ne 'user') -and ($t -ne 'machine')) {
    $msg = "-t option needs to be either 'user' or 'machine'. Specified '$t'"
    WriteLog $msg
    throw $msg
}
# Fix below to change from default installation directory
if ($t -eq 'user') {
    $installDir = "$env:userprofile\AppData\Local\Programs\DigiCert Trust Assistant"
} else {
    $installDir = 'C:\Program Files\DigiCert Trust Assistant'
}
$install = $false
if (-not (Test-Path -Path "$installDir\DigiCert Trust Assistant.exe")) {
    $install = $true
    WriteLog "DTA not installed"
} else {
    $currentVersion = (Get-Item "$installDir\DigiCert Trust Assistant.exe").VersionInfo.FileVersion
    $newVersion = (Get-Item $i).VersionInfo.ProductVersion
    if ($currentVersion -ne $newVersion) {
        $install = $true
        WriteLog "DTA current version=$currentVersion, upgrading to $newVersion"
    }
}
if ($install) {
    WriteLog "Installing DTA using $i"
    $dArg = '/D="' + $installDir + '"'
    if ($t -eq 'user') {
        $process = start-process -FilePath $i -ArgumentList '/S',$dArg,'--force-run' -PassThru -Wait
    } else {
        $process = start-process -FilePath $i -ArgumentList '/S','/AllUsers',$dArg -PassThru -Wait
    }
    WriteLog "Process finished with exitcode=$($process.ExitCode)"
}

The usage of the script is described at the top of the script.
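Because a Startup script runs this installer as SYSTEM directly from a network share, a defender would want the script to verify the installer's Authenticode signature before executing it. The following is an added example, not part of DigiCert's script: a drop-in replacement for the script's final if ($install) block that reuses the original $i, $t, $installDir and WriteLog. The expected signer subject is a placeholder assumption that you fill in from a known-good copy of the installer.

```powershell
# Added example, not part of the DigiCert installer script. Replaces the original
# "if ($install) { ... }" block; $i, $t, $installDir and WriteLog are defined above it.
# ASSUMPTION: the signer subject below is a placeholder. Read the real value from a
# known-good installer with:
#   (Get-AuthenticodeSignature .\installer.exe).SignerCertificate.Subject
$ExpectedSignerSubject = 'CN=<expected signer subject>'   # placeholder, replace before use

function Test-InstallerSignature {
    Param ([string]$Path, [string]$ExpectedSubject)
    # Status is 'Valid' only when the signature verifies and chains to a trusted root
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        WriteLog "Signature check failed for $Path : status=$($sig.Status)"
        return $false
    }
    # A valid signature from the wrong publisher is still a failure
    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $ExpectedSubject) {
        WriteLog "Unexpected signer for $Path : '$subject'"
        return $false
    }
    # Record the hash so the log ties this run to one exact binary
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    WriteLog "Installer signature valid, signer='$subject', sha256=$hash"
    return $true
}

if ($install) {
    if (-not (Test-InstallerSignature -Path $i -ExpectedSubject $ExpectedSignerSubject)) {
        $msg = "Refusing to run ${i}: signature or signer check failed"
        WriteLog $msg
        throw $msg
    }
    WriteLog "Installing DTA using $i"
    $dArg = '/D="' + $installDir + '"'
    if ($t -eq 'user') {
        $process = Start-Process -FilePath $i -ArgumentList '/S',$dArg,'--force-run' -PassThru -Wait
    } else {
        $process = Start-Process -FilePath $i -ArgumentList '/S','/AllUsers',$dArg -PassThru -Wait
    }
    WriteLog "Process finished with exitcode=$($process.ExitCode)"
}
```

The log line with the SHA-256 hash also gives you a per-machine record of exactly which binary each computer ran, which is useful when reviewing a rollout.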

Install DigiCert Trust Assistant using Group Policy

DigiCert® Trust Assistant can be installed per machine or per user. Both methods are covered in this section, but per-machine installation is recommended when deploying with Group Policy because the user cannot uninstall the application without local administrator privileges.

Per-machine installation

  1. Open Group Policy Management by selecting Windows Start Menu.

  2. Type “Group Policy Management” in the search box, and then click Group Policy Management.

  3. Under your domain, right-click the target Group Policy Object (GPO) and select Edit to open the Group Policy Management editor.

  4. Navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) and double-click Startup from the right panel to open the Startup Properties dialog.

  5. Select the PowerShell Scripts tab. This step is crucial: the Scripts tab looks similar, but the configuration will not work if the script is added from the Scripts tab.

  6. Select Add to open the Add a Script dialog.

  7. Select Browse and select the PowerShell Installer Script prepared in the earlier section.

  8. In the Script Parameters field, specify the parameters for this script:

    Specify -i <Universal Naming Convention path of installer> -t machine

    For example:

    -i \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-1.2.0-win-x64.exe -t machine

  9. Click OK twice to close the dialogs and apply the configuration.

Per-user installation

  1. Open Group Policy Management by selecting Windows Start Menu.

  2. Type “Group Policy Management” in the search box, then click Group Policy Management.

  3. Under your domain, right-click the target Group Policy Object (GPO) and select Edit to open the Group Policy Management editor.

  4. Navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) and double-click Logon from the right panel to open the Logon Properties dialog.

  5. Select the PowerShell Scripts tab. This step is crucial: the Scripts tab looks similar, but the configuration will not work if the script is added from the Scripts tab.

  6. Select Add to open the Add a Script dialog.

  7. Select Browse and select the PowerShell Installer Script prepared in the earlier section.

  8. In the Script Parameters field, specify the parameters for this script:

    Specify -i <Universal Naming Convention path of installer>

    For example: -i \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-1.2.0-win-x64.exe

  9. Click OK twice to close the dialogs and apply the configuration.

Test the Group Policy for DigiCert Trust Assistant installation

Depending on whether the installation is per machine or per user, the timing of the application's installation differs. Perform the following and check whether DigiCert Trust Assistant is installed on the computer:

  • Per machine: Reboot your computer. The installation will be triggered during startup.

  • Per user: Sign out and sign in to your computer. The installation will be triggered during sign-in.

The installation may take a couple of minutes to finish.

Note

The installation may not start if the latest Group Policy has not yet been applied to the user's machine. You can run the following command in the Windows command prompt to force-apply the Group Policy:

> gpupdate /force

You may be asked to reboot the computer depending on the configuration.

You can also check the log output of the PowerShell Installer Script for the installation status. Check the following path for the log:

  • Per machine: %systemdrive%\Windows\Temp\DigiCert-Trust-Assistant-installation.log

  • Per user: %userprofile%\AppData\Local\Temp\DigiCert-Trust-Assistant-installation.log

Sample log output:

2024/09/29 00:17:57 DTA not installed
2024/09/29 00:17:57 Installing DTA using \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-1.2.0-win-x64.exe
2024/09/29 00:20:05 Process finished with exitcode=0

Update DigiCert Trust Assistant using Group Policy

  • Obtain and place the newer version of the installer in the shared directory. Make sure the target user, computer, and/or group has Read and execute permission to the binary.

  • Change the Universal Naming Convention path of the installer in the Script Parameters to the path of the new installer. Refer to step 8 of the installation steps for this parameter.

Uninstall DigiCert Trust Assistant using Group Policy

To uninstall DigiCert® Trust Assistant using Group Policy, you must use a different PowerShell script:

# Script to uninstall DigiCert Trust Assistant (both PerUser and PerMachine).
# Can be used via GPO Startup/Shutdown/Logon/Logoff scripts
#
# Log from this script can be found in following locations:
#     install_type = 'user'   : %userprofile%\AppData\Local\Temp
#     install_type = 'machine': %systemdrive%\Windows\Temp

# Following is the default installation directory
$installDirPerMachine = 'C:\Program Files\DigiCert Trust Assistant'
$installDirPerUser = "$env:userprofile\AppData\Local\Programs\DigiCert Trust Assistant"

$logfile = "$env:TEMP\DigiCert-Trust-Assistant-installation.log"
function WriteLog {
    Param ([string]$LogString)
    $Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
    $LogMessage = "$Stamp $LogString"
    Add-content $LogFile -value $LogMessage
}

if (Test-Path -Path "$installDirPerMachine\DigiCert Trust Assistant.exe") {
    WriteLog "Uninstalling DTA (PerMachine)"
    $process = start-process -FilePath "$installDirPerMachine\Uninstall DigiCert Trust Assistant.exe" -ArgumentList '/S' -PassThru -Wait
    WriteLog "Process finished with exitcode=$($process.ExitCode)"
}
if (Test-Path -Path "$installDirPerUser\DigiCert Trust Assistant.exe") {
    WriteLog "Uninstalling DTA (PerUser)"
    $process = start-process -FilePath "$installDirPerUser\Uninstall DigiCert Trust Assistant.exe" -ArgumentList '/S' -PassThru -Wait
    WriteLog "Process finished with exitcode=$($process.ExitCode)"
}

Copy the above PowerShell Uninstaller Script to the Domain Controller. The configuration steps are the same as for installation, but select this script at Step 7 and skip Step 8, because no Script Parameters are required.

The uninstall script creates a result log in the same path as the installer. Here is a sample log output for uninstallation:

2024/09/29 23:52:06 Uninstalling DTA (All users)
2024/09/29 23:52:12 Process finished with exitcode=0

Install DigiCert Software KeyStore Provider using Group Policy

For DigiCert Software KeyStore Provider, you can use the .msi Group Policy Software installation. Because the installation requires local administrator privileges, you must use Computer Configuration rather than User Configuration. Follow the steps below (refer to the official Microsoft documentation for more detailed information):

  1. In the Group Policy Management editor of your target GPO, navigate to Computer Configuration > Policies > Software Settings.

  2. Right-click Software installation and select New > Package to open the file selection dialog.

  3. Select the installer from the shared network folder and click Open.

  4. On the Deploy Software dialog, select Assigned and click OK.

On the target user's computer, reboot and check if the DigiCert Software KeyStore application is installed.

Note

The installation may not start if the latest Group Policy has not yet been applied to the user's machine. You can run the following command in the Windows command prompt to force-apply the Group Policy:

> gpupdate /force

You may be asked to reboot the computer depending on the configuration.

Update DigiCert Software KeyStore Provider using Group Policy

  1. In the Group Policy Management editor of your target GPO, navigate to Computer Configuration > Policies > Software Settings.

  2. Right-click Software installation and select New > Package to open the file selection dialog.

  3. Select the new installer from the shared network folder and click Open.

  4. On the Deploy Software dialog, select Advanced and click OK to open the Properties dialog.

  5. Select the Upgrades tab and click Add.

  6. Under Package to upgrade, select the previous version installation and select Package can upgrade over the previous version radio button.

  7. Click OK twice to finish the configuration.

On the target user's computer, reboot and check if the DigiCert Software KeyStore application is upgraded. Run the gpupdate /force command if required.

Uninstall DigiCert Software KeyStore Provider using Group Policy

  1. In the Group Policy Management editor of your target GPO, navigate to Computer Configuration > Policies > Software Settings and select Software installation.

  2. Right-click the DigiCert Software KeyStore installation on the right pane and select All Tasks > Remove...

  3. Select the Immediately uninstall the software from users and computers radio button and click OK.

  4. Repeat if there are multiple installations for updates.

On the target user's computer, reboot and check that the DigiCert Software KeyStore application is uninstalled. Run the gpupdate /force command if required.

Troubleshooting

Sometimes the .msi file does not install and shows the following warning in the Windows Event Viewer:

The assignment of application DigiCert Software Keystore from DTA Target Machines failed. The error was: %%1274

This is usually caused by asynchronous policy processing: the installation starts before the network (and therefore the share) is reachable. It can be resolved by enabling the following Group Policy, which forces the computer to wait for the network to be available before starting the installation:

Under the same GPO, navigate to Computer Configuration > Policies > Administrative Templates > System > Logon and set Always wait for the network at computer startup and logon to Enabled.