Deliver DigiCert Trust Assistant using Group Policies
Using the Group Policy feature of Windows Server, you can deliver DigiCert® Trust Assistant to users and computers in your Windows domain. This document describes how to automate installing, updating, and uninstalling DigiCert® Trust Assistant with Group Policy.
Note
This feature is supported only on Windows computers that are joined to a Windows domain. For other operating systems, you may need to use another Device Management solution.
Prerequisites
Knowledge of Group Policy and how to configure it in a Windows domain.
Administrator privileges to configure Group Policy.
An existing Group Policy Object (GPO) in your target Windows domain with the appropriate group, user, and computer security filtering applied. Create a dedicated GPO for testing first. Refer to the official Microsoft documentation.
A shared network folder that the target computers and users can read over the network (refer to the official Microsoft documentation). Only administrators should be able to write to it: the startup script below runs the installer from this share as SYSTEM, so anyone who can replace the file can run code as SYSTEM on every targeted computer.
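The following is an added example of how to lock down that share, not part of the original DigiCert page. It assumes a folder D:\Shares\DTA, a share name DTA, and a domain called DOMAIN (all placeholders). Computer accounts (which run Startup scripts) and user accounts (which run Logon scripts) get ReadAndExecute only; write access stays with Domain Admins. The final loop reports any other principal holding write rights, which is the check to run before pointing a GPO at the share.

```powershell
# Added example: least-privilege permissions for the installer share.
# Placeholders (assumptions): D:\Shares\DTA, share name DTA, domain DOMAIN.
$folder = 'D:\Shares\DTA'
$admins = 'DOMAIN\Domain Admins'
$readers = 'DOMAIN\Domain Computers', 'DOMAIN\Domain Users'

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# --- NTFS ACL: stop inheritance, drop every existing ACE, add only what is needed ---
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)          # protect the DACL, do not copy inherited ACEs
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$grants = @(
    @{ Id = $admins;               Rights = 'FullControl'    },
    @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = 'FullControl'    }
)
foreach ($r in $readers) { $grants += @{ Id = $r; Rights = 'ReadAndExecute' } }

foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, [System.Security.AccessControl.FileSystemRights]$g.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# --- SMB share permissions: read for the consumers, full control only for admins ---
if (-not (Get-SmbShare -Name 'DTA' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'DTA' -Path $folder -ReadAccess $readers -FullAccess $admins | Out-Null
}

# --- Verification: any write-capable ACE outside the admin set is a finding ---
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$trusted   = @($admins, 'NT AUTHORITY\SYSTEM')
(Get-Acl -Path $folder).Access |
    Where-Object { ($_.FileSystemRights -band $writeBits) -and ($trusted -notcontains $_.IdentityReference.Value) } |
    ForEach-Object { Write-Warning "Write access on $folder for $($_.IdentityReference): $($_.FileSystemRights)" }
```

Run it on the file server as a member of Domain Admins. If the warning loop prints nothing, no principal other than Domain Admins and SYSTEM can modify the installer that the GPO scripts below will execute.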
Prepare the PowerShell installer script
You must use the Group Policy PowerShell script runner because Group Policy Software Installation supports only Windows Installer packages (.msi), and the DigiCert® Trust Assistant installer is provided as a bundled executable (.exe).
Note
DigiCert Software KeyStore Provider is provided as an .msi, so you can install that application through Group Policy Software Installation.
Copy the following PowerShell Installer Script to the Domain Controller in your Windows domain:
# Script to install DigiCert Trust Assistant. Can be used via GPO Startup/Shutdown/Logon/Logoff scripts
# Usage: DTAInstall.ps1 -i installer_path [-t install_type]
#   installer_path - UNC path of installer, for example: \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-Setup-1.0.0.exe
#     * Make sure the user or computer that runs this script has read and execute permission to this file
#   install_type   - (optional) Specify 'user' or 'machine' to indicate type of install. Default is 'user'.
#     * Specifying 'machine' will require Local Administrator privilege
#     * Default target installation directory is:
#         'user'    -- %userprofile%\AppData\Local\Programs\DigiCert Trust Assistant
#         'machine' -- C:\Program Files\DigiCert Trust Assistant
#
# Log from this script can be found in following locations:
#   install_type = 'user'   : %userprofile%\AppData\Local\Temp
#   install_type = 'machine': %systemdrive%\Windows\Temp
#
# Note: a GPO Startup script runs as LocalSystem, so $env:userprofile and $env:TEMP resolve
# to the SYSTEM profile and C:\Windows\Temp. Pair '-t machine' with a Startup script and
# '-t user' with a Logon script, which runs as the user who is signing in.

Param($i, $t = 'user')

$logfile = "$env:TEMP\DigiCert-Trust-Assistant-installation.log"

function WriteLog {
    Param ([string]$LogString)
    $Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
    $LogMessage = "$Stamp $LogString"
    Add-Content $logfile -Value $LogMessage
}

# Check installer_path
if (-not $i) {
    $msg = "-i option is required. Please specify UNC Path of the installer. For example: '-i \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-Setup-1.0.0.exe'"
    WriteLog $msg
    throw $msg
}
if (-not (Test-Path -Path $i)) {
    $msg = "$i not found, check if the file exists or permission is properly applied to user or computer."
    WriteLog $msg
    throw $msg
}

# Check install_type
if (($t -ne 'user') -and ($t -ne 'machine')) {
    $msg = "-t option needs to be either 'user' or 'machine'. Specified '$t'"
    WriteLog $msg
    throw $msg
}

# Edit below to change from the default installation directory
if ($t -eq 'user') {
    $installDir = "$env:userprofile\AppData\Local\Programs\DigiCert Trust Assistant"
} else {
    $installDir = 'C:\Program Files\DigiCert Trust Assistant'
}

# Install when the application is absent, or when the installed file version differs
# from the product version carried by the installer (this is how updates are applied).
$install = $false
if (-not (Test-Path -Path "$installDir\DigiCert Trust Assistant.exe")) {
    $install = $true
    WriteLog "DTA not installed"
} else {
    $currentVersion = (Get-Item "$installDir\DigiCert Trust Assistant.exe").VersionInfo.FileVersion
    $newVersion = (Get-Item $i).VersionInfo.ProductVersion
    if ($currentVersion -ne $newVersion) {
        $install = $true
        WriteLog "DTA current version=$currentVersion, upgrading to $newVersion"
    }
}

if ($install) {
    WriteLog "Installing DTA using $i"
    # Installer switches: /S = silent, /D= = installation directory, /AllUsers = per-machine
    # install, --force-run = start the application once the per-user install completes.
    $dArg = '/D="' + $installDir + '"'
    if ($t -eq 'user') {
        $process = Start-Process -FilePath $i -ArgumentList '/S', $dArg, '--force-run' -PassThru -Wait
    } else {
        $process = Start-Process -FilePath $i -ArgumentList '/S', '/AllUsers', $dArg -PassThru -Wait
    }
    WriteLog "Process finished with exitcode=$($process.ExitCode)"
}
The usage of the script is described at the top of the script.
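The script above trusts whatever file sits at the UNC path. Because a Startup script runs as LocalSystem, a tampered or swapped installer on the share becomes SYSTEM code execution on every targeted computer. The following is an added example (not part of DigiCert's script) of a pre-flight check you can run in front of the same Start-Process call: it copies the installer to a private local folder, validates the Authenticode signature and the signer, and pins the SHA-256 hash of the build you approved. The signer subject fragment and the hash value are placeholders you replace with the values recorded when you stage the file; the install switches and directory are the per-machine ones the page's script uses.

```powershell
# Added example: verify the installer before running it (not part of DTAInstall.ps1).
# Assumptions: -ExpectedSubject and -ExpectedSha256 are placeholders to be replaced
# with the signer CN and the SHA-256 recorded when the installer was staged.
Param(
    $i,                                                   # UNC path of the installer
    $ExpectedSubject = 'CN=DigiCert, Inc.',               # assumption: expected signer subject fragment
    $ExpectedSha256  = '0000000000000000000000000000000000000000000000000000000000000000'  # assumption: pinned hash
)
if (-not $i) { throw '-i <UNC path of installer> is required' }

function Test-InstallerIntegrity {
    Param([string]$Path, [string]$Subject, [string]$Sha256)

    # 1. Work on a private local copy in a fresh, unpredictable folder. Checking the file on
    #    the share and then executing the file on the share leaves a window in which it can change.
    $stage = Join-Path $env:TEMP ('dta-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $stage | Out-Null
    $local = Join-Path $stage ([IO.Path]::GetFileName($Path))
    Copy-Item -LiteralPath $Path -Destination $local

    # 2. Authenticode: the chain must validate to a trusted root and the leaf must be the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $local
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${local}: $($sig.Status) - $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$Subject*") {
        throw "Unexpected signer for ${local}: $($sig.SignerCertificate.Subject)"
    }

    # 3. Hash pin: a valid signature proves 'signed by that publisher', not 'the build you
    #    approved'. Pinning the hash rejects a different, even legitimately signed, build.
    $hash = (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash
    if ($hash -ne $Sha256.ToUpperInvariant()) {
        throw "Hash mismatch for ${local}: got $hash, expected $Sha256"
    }
    return $local
}

$verified = Test-InstallerIntegrity -Path $i -Subject $ExpectedSubject -Sha256 $ExpectedSha256

# Same silent per-machine invocation as DTAInstall.ps1, now on the verified local copy.
$dArg = '/D="C:\Program Files\DigiCert Trust Assistant"'
$process = Start-Process -FilePath $verified -ArgumentList '/S', '/AllUsers', $dArg -PassThru -Wait
Remove-Item -LiteralPath (Split-Path -Parent $verified) -Recurse -Force
exit $process.ExitCode
```

Record the hash with Get-FileHash when you stage a new installer and update the parameter in the GPO's Script Parameters together with the new UNC path; a mismatch makes the script throw before anything is executed, and the failure is visible in the script's exit code.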
Install DigiCert Trust Assistant using Group Policy
DigiCert® Trust Assistant can be installed per machine or per user. Both methods are covered in this section, but per-machine installation is recommended when using Group Policy because the user cannot uninstall the application without local administrator privileges.
Per-machine installation
1. Open Group Policy Management from the Windows Start Menu.
2. Type "Group Policy Management" in the search box, and then click Group Policy Management.
3. Under your domain, right-click the target Group Policy Object (GPO) and select Edit to open the Group Policy Management Editor.
4. Navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) and double-click Startup in the right pane to open the Startup Properties dialog.
5. Select the PowerShell Scripts tab. This step is crucial: the Scripts tab looks almost identical, but scripts added there are not run by PowerShell and the configuration will not work.
6. Select Add to open the Add a Script dialog.
7. Select Browse and select the PowerShell Installer Script prepared in the earlier section.
8. In the Script Parameters field, specify the parameters for this script, using the Universal Naming Convention (UNC) path of the installer:
   -i <UNC path of installer> -t machine
   For example:
   -i \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-1.2.0-win-x64.exe -t machine
9. Click OK twice to close the dialogs and apply the configuration.
Per-user installation
1. Open Group Policy Management from the Windows Start Menu.
2. Type "Group Policy Management" in the search box, and then click Group Policy Management.
3. Under your domain, right-click the target Group Policy Object (GPO) and select Edit to open the Group Policy Management Editor.
4. Navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) and double-click Logon in the right pane to open the Logon Properties dialog.
5. Select the PowerShell Scripts tab. This step is crucial: the Scripts tab looks almost identical, but scripts added there are not run by PowerShell and the configuration will not work.
6. Select Add to open the Add a Script dialog.
7. Select Browse and select the PowerShell Installer Script prepared in the earlier section.
8. In the Script Parameters field, specify the parameters for this script, using the Universal Naming Convention (UNC) path of the installer (the -t option defaults to user):
   -i <UNC path of installer>
   For example:
   -i \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-1.2.0-win-x64.exe
9. Click OK twice to close the dialogs and apply the configuration.
Test the Group Policy for DigiCert Trust Assistant installation
Depending on whether the installation is per machine or per user, the timing of the application's installation differs. Perform the following and check whether DigiCert Trust Assistant is installed on the computer:
Per machine: Reboot your computer. The installation will be triggered during startup.
Per user: Sign out and sign in to your computer. The installation will be triggered during sign-in.
The installation may take a couple of minutes to finish.
Note
The installation may not start because the latest Group Policy has not yet been applied to the user's machine. Run the following command in a Windows command prompt to force-apply the Group Policy:
> gpupdate /force
You may be asked to reboot the computer depending on the configuration.
You can also check the log output of the PowerShell Installer Script for the installation status. Check the following path for the log:
Per machine:
%systemdrive%\Windows\Temp\DigiCert-Trust-Assistant-installation.log
Per user:
%userprofile%\AppData\Local\Temp\DigiCert-Trust-Assistant-installation.log
Sample log output:
2024/09/29 00:17:57 DTA not installed
2024/09/29 00:17:57 Installing DTA using \\DOMAIN-COMPUTER-1\share\DigiCert-Trust-Assistant-1.2.0-win-x64.exe
2024/09/29 00:20:05 Process finished with exitcode=0
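Checking one computer by hand does not scale to a domain. The following is an added example, not from the DigiCert page, of verifying the rollout from a management workstation: it uses PowerShell Remoting to read the file version of DigiCert Trust Assistant.exe from the per-machine directory and from every profile's per-user directory (the same paths the install script uses), and returns the last lines of the machine-scope log. The computer names and the expected version string are placeholders.

```powershell
# Added example: verify the GPO deployment across computers (not from the original page).
# Assumptions: PowerShell Remoting is enabled; computer names and expected version are placeholders.
$computers = 'WS-001', 'WS-002'
$expected  = '1.2.0'           # assumption: version of the staged installer

function Get-DtaDeploymentStatus {
    Param([string[]]$ComputerName, [string]$ExpectedVersion)

    $remote = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $exe   = 'DigiCert Trust Assistant.exe'
        $found = @()

        # Per-machine location written by 'DTAInstall.ps1 -t machine'
        $m = Join-Path 'C:\Program Files\DigiCert Trust Assistant' $exe
        if (Test-Path $m) {
            $found += [pscustomobject]@{ Scope = 'machine'; User = '-'; Version = (Get-Item $m).VersionInfo.FileVersion }
        }

        # Per-user location written by 'DTAInstall.ps1 -t user', one per profile
        foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory) {
            $u = Join-Path $profile.FullName "AppData\Local\Programs\DigiCert Trust Assistant\$exe"
            if (Test-Path $u) {
                $found += [pscustomobject]@{ Scope = 'user'; User = $profile.Name; Version = (Get-Item $u).VersionInfo.FileVersion }
            }
        }

        # Tail of the machine-scope log; per-user logs live in each profile's Temp folder
        $log  = Join-Path $env:SystemRoot 'Temp\DigiCert-Trust-Assistant-installation.log'
        $tail = if (Test-Path $log) { (Get-Content -Path $log -Tail 3) -join ' | ' } else { '<no machine log>' }

        [pscustomobject]@{ Installs = $found; LogTail = $tail }
    }

    foreach ($r in $remote) {
        $current = @($r.Installs | Where-Object { $_.Version -like "$ExpectedVersion*" })
        [pscustomobject]@{
            Computer = $r.PSComputerName
            Status   = if ($current.Count -gt 0) { 'OK' } else { 'MISSING/OLD' }
            Installs = @($r.Installs | ForEach-Object { "$($_.Scope):$($_.User):$($_.Version)" }) -join ', '
            LogTail  = $r.LogTail
        }
    }
}

Get-DtaDeploymentStatus -ComputerName $computers -ExpectedVersion $expected | Format-Table -AutoSize -Wrap
```

A computer reported as MISSING/OLD with no machine log usually means the Startup script never ran (policy not yet applied, or the script was added under the Scripts tab instead of PowerShell Scripts); a log that ends with a non-zero exit code points at the installer itself.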
Update DigiCert Trust Assistant using Group Policy
Obtain and place the newer version of the installer in the shared directory. Make sure the target user, computer, and/or group has Read and execute permission to the binary.
Change the Universal Naming Convention path of the installer in the Script Parameters to the path of the new installer. Refer to step 8 of the installation steps for this parameter.
Uninstall DigiCert Trust Assistant using Group Policy
To uninstall DigiCert® Trust Assistant using Group Policy, you must use a different PowerShell script:
# Script to uninstall DigiCert Trust Assistant (both PerUser and PerMachine).
# Can be used via GPO Startup/Shutdown/Logon/Logoff scripts
#
# Log from this script can be found in following locations:
#   install_type = 'user'   : %userprofile%\AppData\Local\Temp
#   install_type = 'machine': %systemdrive%\Windows\Temp
#
# Note: as a Startup script this runs as LocalSystem, so $env:userprofile is the SYSTEM
# profile and only the per-machine install is found. To remove per-user installs, run it
# as a Logon script so that it executes in each user's own profile.

# Following are the default installation directories
$installDirPerMachine = 'C:\Program Files\DigiCert Trust Assistant'
$installDirPerUser = "$env:userprofile\AppData\Local\Programs\DigiCert Trust Assistant"

$logfile = "$env:TEMP\DigiCert-Trust-Assistant-installation.log"

function WriteLog {
    Param ([string]$LogString)
    $Stamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")
    $LogMessage = "$Stamp $LogString"
    Add-Content $logfile -Value $LogMessage
}

# Run the bundled uninstaller silently (/S) for whichever install type is present
if (Test-Path -Path "$installDirPerMachine\DigiCert Trust Assistant.exe") {
    WriteLog "Uninstalling DTA (PerMachine)"
    $process = Start-Process -FilePath "$installDirPerMachine\Uninstall DigiCert Trust Assistant.exe" -ArgumentList '/S' -PassThru -Wait
    WriteLog "Process finished with exitcode=$($process.ExitCode)"
}
if (Test-Path -Path "$installDirPerUser\DigiCert Trust Assistant.exe") {
    WriteLog "Uninstalling DTA (PerUser)"
    $process = Start-Process -FilePath "$installDirPerUser\Uninstall DigiCert Trust Assistant.exe" -ArgumentList '/S' -PassThru -Wait
    WriteLog "Process finished with exitcode=$($process.ExitCode)"
}
Copy the above PowerShell Uninstaller Script to the Domain Controller. The configuration steps are the same as for installation, except that you select the Uninstaller Script at Step 7 and leave the Script Parameters field empty at Step 8, because this script takes no parameters.
The uninstall script creates a result log in the same path as the installer. Here is a sample log output for uninstallation:
2024/09/29 23:52:06 Uninstalling DTA (PerMachine)
2024/09/29 23:52:12 Process finished with exitcode=0
Install DigiCert Software KeyStore Provider using Group Policy
For DigiCert Software KeyStore Provider, you can use the .msi with Group Policy Software Installation. Because this requires local administrator privileges, use only Computer Configuration, not User Configuration. Follow the steps below (refer to the official Microsoft documentation for more detailed information):
1. In the Group Policy Management Editor of your target GPO, navigate to Computer Configuration > Policies > Software Settings.
2. Right-click Software installation and select New > Package to open the file selection dialog.
3. Select the installer from the shared network folder and click Open.
4. In the Deploy Software dialog, select Assigned and click OK.
5. On the target user's computer, reboot and check whether the DigiCert Software KeyStore application is installed.
Note
The installation may not start due to the latest Group Policy not being applied to the user machine. You can run the following command in the Windows command prompt to force-apply the Group Policy:
> gpupdate /force
You may be asked to reboot the computer depending on the configuration.
Update DigiCert Software KeyStore Provider using Group Policy
1. In the Group Policy Management Editor of your target GPO, navigate to Computer Configuration > Policies > Software Settings.
2. Right-click Software installation and select New > Package to open the file selection dialog.
3. Select the new installer from the shared network folder and click Open.
4. In the Deploy Software dialog, select Advanced and click OK to open the Properties dialog.
5. Select the Upgrades tab and click Add.
6. Under Package to upgrade, select the previous version's installation and select the Package can upgrade over the existing package radio button.
7. Click OK twice to finish the configuration.
8. On the target user's computer, reboot and check whether the DigiCert Software KeyStore application is upgraded. Run the gpupdate /force command if required.
Uninstall DigiCert Software KeyStore Provider using Group Policy
1. In the Group Policy Management Editor of your target GPO, navigate to Computer Configuration > Policies > Software Settings and select Software installation.
2. Right-click the DigiCert Software KeyStore installation in the right pane and select All Tasks > Remove...
3. Select the Immediately uninstall the software from users and computers radio button and click OK.
4. Repeat if there are multiple installations from earlier updates.
5. On the target user's computer, reboot and check that the DigiCert Software KeyStore application is uninstalled. Run the gpupdate /force command if required.
Troubleshooting
Sometimes the .msi file does not install, and the following warning appears in the Windows Event Viewer:
The assignment of application DigiCert Software Keystore from DTA Target Machines failed. The error was: %%1274
This is usually an issue with asynchronous policy processing and can be resolved by enabling the following Group Policy, which forces the computer to wait for the network to be available before starting the installation:
Under the same GPO, navigate to Computer Configuration > Policies > Administrative Templates > System > Logon and set Always wait for the network at computer startup and logon to Enabled.
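To confirm the diagnosis and the fix on an affected computer, the following added example (not from the DigiCert page) pulls the software installation events that mention error 1274 from the System log and then checks whether the policy above has reached the machine. The registry location is where the Always wait for the network at computer startup and logon policy is stored; the event provider filter on the words "Group Policy" is an assumption, so the message text is matched rather than a specific event ID.

```powershell
# Added example: diagnose %%1274 software installation failures (not from the original page).
# Assumption: the event is filtered by message text, not by a specific provider or event ID.
function Get-SoftwareInstall1274Event {
    Param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Group Policy*' -and $_.Message -match '1274' } |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Test-SyncForegroundPolicy {
    # The "Always wait for the network at computer startup and logon" policy sets this value to 1.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $val = (Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
    [pscustomobject]@{
        SyncForegroundPolicy = $val
        Synchronous          = ($val -eq 1)
        Advice               = if ($val -eq 1) {
                                   'Policy applied: the next reboot processes software installation in the foreground.'
                               } else {
                                   'Policy not applied yet: run "gpupdate /force", then reboot so startup waits for the network.'
                               }
    }
}

Get-SoftwareInstall1274Event | Format-Table -AutoSize -Wrap
Test-SyncForegroundPolicy
```

Run it in an elevated PowerShell session on the affected computer. If events keep appearing after SyncForegroundPolicy reads 1 and the machine has been rebooted, verify that the computer account can read the .msi on the share, since the installation runs in the computer's security context before any user signs in.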