You can do that using the scheduled task workaround that I use in this worklet:

Please note that:

$currentusr = (Get-WmiObject -class win32_process -ComputerName ‘localhost’ | Where-Object name -Match explorer).getowner().user

only works properly IF there is a user currently logged on when you execute that command above. If the computer is turned on and no user is logged on, $currentusr will be NULL (actually, that line above will fail with an error since getowner().user won’t execute).

Since you want to install a certificate, you should check if there is a user logged on in the “Evaluation” section of the worklet. If no user is logged on, return 0.

If anyone is interested, I have a solution that allows your script to run in the context of the currently logged on user, and it gets triggered only upon user logon. This behaviour is very similar to how per-user GPOs are triggered. I’m waiting for Nic to approve my posting. 🙂

Hmmm post not yet approved. Maybe he is busy. Here it is anyway:

$ShedService = New-Object –comobject "Schedule.Service"


$ShedService.Connect()





$Task = $ShedService.NewTask(0)


$Task.RegistrationInfo.Description = "UserLogonScript"


$Task.Settings.Enabled = $true


$Task.Settings.AllowDemandStart = $true





$trigger = $task.triggers.Create(9)


$trigger.Enabled = $true





$action = $Task.Actions.Create(0)


$action.Path = "cmd.exe"


$action.Arguments = "/c echo %temp% > c:\temp\out.txt"





$taskFolder = $ShedService.GetFolder("\")


$taskFolder.RegisterTaskDefinition("UserLogonScript", $Task , 6, "Users", $null, 4)

This PS code creates a scheduled task that is triggered on user logon, and it will run in the context of the user that just logged on. You can check the contents of the file c:\temp\out.txt to verify this.

Sorry about that, your worklet is now live!