I am trying to install Belgium e-ID middleware silently by using provided msi file:

and using this command:
msiexec /passive /norestart /i BeidMW_64_4.1.18.msi /qn /l*vx c:\logs\beid64bit.log

I also imported fedict_codesiging.cer certificate.

But when trying to deploy this application using SCCM I am getting error code.

I have tried to deploy it then again but this time visible instead of hidden and I see that installer pops out a window for installing smartcard and this is probably what causing the installer to give error when it is hidden.


Anybody have any tips or ideas on how I can suppress this ?

PS: I also tried to install this windows update but it does not help
Answer Summary:
0 Comments   [ + ] Show Comments


Please log in to comment

Answer Chosen by the Author

Yea, I found out that there is a new update from microsoft KB3125574 that includes the fix from KB2921916.

I have tested it out and it works on a PC where KB3125574 is installed. 

So good news :)

This is the steps I have now in a script to install eID silently:

1) install eid manually on a PC and then extract the certificate driver from the local machine Trusted Publisher Store
2) Make sure the PC includes this Microsoft Update KB3125574

Then in script:
1) add certificate to the TrustedPublisher Store
2) Add driver silently using Manage-Driver.ps1 script from rileyz post:
3) Install Belgium e-ID software using this switches
Start-Process -FilePath "msiexec.exe" -ArgumentList "/norestart /i $ScriptFolder\BeidMW_64_4.1.18.msi /qn /l*vx c:\logs\beid4.1.18.log" -Wait

Thanks everyone for the help!
Answered 07/07/2016 by: comicsserg
Orange Belt

Please log in to comment

Community Chosen Answer

When you say that imported the fedict_codesiging.cer (sic)  - where did you import it to?
Which certificate store and what commnand line did you use for this?

It sounds like the certificate is in the wrong place, or is not valid.

Also the command line you are using for the MSI has contradictory switches. 'Passive' shows the progress bar, but 'qn' means that no user interface is shown. Check the switch list here.
That shouldn't affect the issue with the cert, but something else to bear in mind.

Answered 07/06/2016 by: dunnpy
Red Belt

  • I downloaded the certificate from the same site where the msi were.

    So I belief I am using the right cert. I am importing it to the trusted publishers with a small powershell script

    I will try to import it manually and use only /passive /norestart /i for now.

    Gonna test it

  • Ok, I checked if certificate is valid so this can't be an issue.

    I am now using the right msi switches but I still get the window :/
    • OK, it might be where the certifcate is then - try and add it to the Local Machine Trusted Root Certification Authorites and re-test the installer.
Please log in to comment


Read this and copy bits of my powershell code you'll need.

Make sure you import the cert to the Local Machine account in Trusted Publisher store (kinda what Dunnpy said but in reference its the Trust Publishers store).

I would get the cert from the cert store, not from the website - this means you know you are working with the correct cert.
*ie, tick that box to trust the cert, then extract it from the store yourself.

Once you have the cert, test - you use script import to the correct store.
Then use DPInst to inject into WIndows driver store, it should run ok without prompting for the cert.

If you get the above working ok manually, then you can automate it.

Answered 07/06/2016 by: rileyz
Red Belt

  • thanks I will try it now
  • nothing works :/

    I was testing and apperantly I need to:

    1) install hotfix https://support.microsoft.com/en-us/kb/2921916
    2) reboot the PC otherwise step 3 won't work
    3) then when it booted I can use the above method to install it silently :S

    This kinda sucks when you have to deploy the software to 10K PC's :S
    • That sucks, thats a Windows issue ):

      What deployment tool are you using?
      • SCCM
      • Easy Bruv!

        One way you can do it is deploy the HF to all workstations or just your chosen collection.

        Next create a collection where the HF is detected, and apply the app install to the collection.

        You might get some failing because its still pending the reboot, but but can force the reboot in the HF install if you want? Or just let it retry. But SCCM should pick up the pending reboot for the HF and wait - if not you can use a batch for the HF and exit /b 3010 - that will let sccm know its pending a reboot.
    • If that approach works, at least you have a way forward. Delay your software roll-out by a few days and set to deploying the patch. Every machine is shutdown/rebooted at the end of the day (in theory ;-) ) so you'll have a number of machines good to go for the deployment.

      You could even create a dynamic SCCM collection to deploy e-ID to. Those that have KB2921916 in Add/Remove Programs and are a member of whichever big collection you planned to deploy to. Remember that ARP entries are collected during a hardware inventory, so if you have a weekly schedule on that inventory you may want to reduce schedule times, or force an inventory on the collection regularly.
      • This content is currently hidden from public view.
        Reason: Removed by member request
        For more information, visit our FAQ's.
      • thanks guys for helping :)

        I added a post to the software tips for the people who may have had the same issue:
      • High five, glad you got it resolved (:
        Dont forget to mark this as answered.
      • do you know how can I mark it as answered? Is it just by editing the title?
      • Looks line it's been done, so all good.
Please log in to comment
Answer this question or Comment on this question for clarity