Configure-AllowanceOf3rdPartyUpdates.ps1
Script installs the 3rd-party updates code-signing cert into the Trusted Publisher and Root cert stores so that 3rd-party updates can install during OSD. It also enables 3rd-party updates via a registry key and disables hardware-based virtualization to prevent blue-screen issues with some models after driver updates install.
The steps in this script are necessary to install drivers during OSD using the 3rd-party updates method because group policy does not apply until after the imaging task sequence completes, so no certs pushed via group policy will be in place in time for the updates steps. This can also improve the updates experience during imaging by allowing 3rd-party updates provided by any 3rd-party catalogs or vendors (Patch My PC, etc.) to install as well.
Usage:
Script is meant to be included in a ConfigMgr source package. You MUST include the .cer format certificate you use to sign 3rd-party updates (the same one you would typically deploy via GPO, named "SCUPCert.cer"), as well as the root certificate in its chain (named "root.cer"), in the source directory of the package alongside the script, then call the script from a PowerShell Script step that references the source package. The step needs to run after the system boots into the full OS, preferably after joining the domain, but prior to any install software updates step.
###############################################
# Configure-AllowanceOf3rdPartyUpdates.ps1
# Author(s): Sean Huggans
$ScriptVer = "23.2.21.9"
####################################
# Script Installs 3rd Party Updates Code
# Signing Cert into Trusted Publisher and Root
# Cert Stores so that 3rd party updates can
# install during OSD.
#
# Also Enables 3rd party updates via Reg Key
# and disables hardware based virtualization
# to prevent blue screen issues with some models
# after driver updates install.
#
# This script is necessary to install drivers
# during OSD Using the 3rd-party updates method
# because group policy does not apply until after
# the imaging task sequence completes.
###############################################
# Script Variables
######################################
$LogFile = "InitialCerts.log"
$LogDir = "C:\Windows\Logs\OSD"
$LogPath = "$($LogDir)\$($LogFile)"

###############################################
# Script Functions
######################################
function Log-Action ($Message, $StampDateTime, $WriteHost) {
    ################################
    # Function Version 19.5.11.4
    # Function by Sean Huggans
    ################################
    # Function will log the provided message with a timestamp in real time to the configured Log File.
    New-Item -ItemType directory -Path $LogDir -Confirm:$false -Force | out-null
    if (($StampDateTime -eq $false) -or ($StampDateTime -eq "no")) {
        $Message | Out-File $LogPath -Append
    } else {
        "[ $(get-date -Format 'yyyy.MM.dd HH:mm:ss') ] $($Message)" | Out-File $LogPath -Append
    }
    if ($WriteHost -eq $true) {
        Write-Host $Message
    }
}

###############################################
# Script Execution Logic
######################################
if (!(Test-Path -Path "C:\Windows\Logs\OSD")) {
    New-Item -Path "C:\Windows\Logs\OSD" -ItemType Directory -Force -ErrorAction SilentlyContinue
}
Log-Action -Message "Initial Certs Package v$($ScriptVer)"
Try {
    # Set policy to allow updates from intranet locations signed by trusted publisher certs
    New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Force -ErrorAction SilentlyContinue | Out-Null
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "AcceptTrustedPublisherCerts" -Value 1 -ErrorAction Stop -Force | Out-Null
    Log-Action -Message "Success Enabling third party updates from intranet location!"
    Try {
        # Disable Hardware Based Virtualization (Causes blue-screen issues on some models after firmware/driver updates install, we don't want that from the task sequence)
        New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Force -ErrorAction SilentlyContinue | Out-Null
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0 -ErrorAction Stop -Force | Out-Null
        Log-Action -Message "Success Disabling Hardware Based Virtualization!"
        Try {
            # -ErrorAction Stop is required so that a missing or unreadable .cer actually reaches the catch block
            Import-Certificate -FilePath "$($PSScriptRoot)\Root.cer" -CertStoreLocation "Cert:\LocalMachine\Root" -ErrorAction Stop | Out-Null
            Log-Action -Message "Success: Installing Root Cert to Root Store!"
            Try {
                Import-Certificate -FilePath "$($PSScriptRoot)\SCUPCert.cer" -CertStoreLocation "Cert:\LocalMachine\TrustedPublisher" -ErrorAction Stop | Out-Null
                Log-Action -Message "Success: Installing Code Signing Cert to TrustedPublisher Store!"
                Try {
                    Import-Certificate -FilePath "$($PSScriptRoot)\SCUPCert.cer" -CertStoreLocation "Cert:\LocalMachine\Root" -ErrorAction Stop | Out-Null
                    Log-Action -Message "Success: Installing Code Signing Cert to Root Store..."
                } catch {
                    Log-Action -Message "Error: Failed Installing Code Signing Cert to Root Store!"
                }
            } catch {
                Log-Action -Message "Error: Failed Installing Code Signing Cert to TrustedPublisher Store!"
            }
        } catch {
            Log-Action -Message "Error: Failed Installing Root Cert to Root Store!"
        }
    } catch {
        Log-Action -Message "Error: Failed to disable hardware based virtualization!"
    }
} catch {
    Log-Action -Message "Error: Failed to enable third party updates from intranet location!"
}
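A post-step verification check, added here as an example and not part of the original package: run from the same source directory after the script above, it confirms by thumbprint that Root.cer and SCUPCert.cer landed in the expected stores, that both registry values are set, and that the code-signing cert actually chains to a trusted root. The function names are mine; the file names and registry values are the ones the script uses.

```powershell
# Verify-3rdPartyUpdateTrust.ps1 (added example; not part of the original package)
# Runs after Configure-AllowanceOf3rdPartyUpdates.ps1 and exits non-zero if any prerequisite is missing.
param(
    [string]$CertDir = $PSScriptRoot,             # assumption: the .cer files sit next to this script
    [string]$CodeSigningCert = "SCUPCert.cer",    # same file names the script above expects
    [string]$RootCert = "Root.cer"
)

function Test-CertInStore {
    param([string]$FilePath, [string]$StoreName)
    # Match on thumbprint, not subject: a re-issued cert with a new key must not pass
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $FilePath
    $found = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" | Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
    $detail = if ($found) { "Thumbprint $($expected.Thumbprint), expires $($expected.NotAfter)" } else { "Not found" }
    [PSCustomObject]@{ Check = "$StoreName store has $(Split-Path $FilePath -Leaf)"; Pass = [bool]$found; Detail = $detail }
}

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $detail = if ($null -eq $actual) { "Value missing" } else { "Actual value: $actual" }
    [PSCustomObject]@{ Check = "$Name = $Expected"; Pass = ($actual -eq $Expected); Detail = $detail }
}

function Test-SignerChain {
    param([string]$FilePath)
    # Signed updates are only accepted when the signer chains to a root in LocalMachine\Root, so build the chain as the OS would
    $signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $FilePath
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation endpoints are usually unreachable mid-OSD; skip them so only trust, not reachability, is tested
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($signer)
    $detail = if ($ok) { "Chain length $($chain.ChainElements.Count)" } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", " }
    [PSCustomObject]@{ Check = "Code-signing cert chains to a trusted root"; Pass = $ok; Detail = $detail }
}

$results = @(
    Test-CertInStore -FilePath (Join-Path $CertDir $RootCert) -StoreName "Root"
    Test-CertInStore -FilePath (Join-Path $CertDir $CodeSigningCert) -StoreName "TrustedPublisher"
    Test-RegValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name "AcceptTrustedPublisherCerts" -Expected 1
    Test-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Expected 0
    Test-SignerChain -FilePath (Join-Path $CertDir $CodeSigningCert)
)
$results | Format-Table -AutoSize
# A non-zero exit code fails the task sequence step, so the problem surfaces before the install software updates step
if ($results.Pass -contains $false) { exit 1 }
exit 0
```

Placing it as its own PowerShell Script step immediately after the configure step turns a silent "updates never installed" into a visible task sequence failure.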