Using ThinInstaller on Isolated Networks

Lenovo's ThinInstaller uses 2 certificates to verify the signatures of packages during deployment. Currently, the client machine must have an active internet connection in order to access the certificate necessary for that verification. If the client machines do not have an active internet connection, the certificates need to be installed into the appropriate local certificate store of the client machines before ThinInstaller runs.

If ThinInstaller cannot verify the signatures of certain packages, you will see errors in the logs that contain "Signature Verification Failed".

This is useful if your deployments are done in a closed network environment, such as a lab or a closed deployment subnet.

This document will outline how to download the certificates and deploy them to your client machines during your OSD deployments as a task sequence step using MDT and SCCM.

The certificates are available currently as a downloadable zip file here.

The zip file should contain 3 files:

  • The 2 certificates
    • LenovoIntermediateCertificate.cer
    • VerisignUniversalRootCertificate.cer
  • The supplied cmd file that can be used to install the certificates
    • LenovoCertificateInstaller.cmd


In Deployment Workbench, create a new application.

In the first step of the wizard, choose "Application with source files".

Give it a name that works for your needs, something like TICerts.

On the next page of the application wizard, browse to the folder where you unzipped the files above.
Accept the default name for the directory to be created.

For the command line, simply use LenovoCertificateInstaller.cmd

Click Next until you finish the wizard.

Now, in your task sequence, add a step prior to the step that runs ThinInstaller. Illustrated below is one of many ways that you can insert the application into your task sequence.

Add > General > Install Application

  • Choose Install a single application

  • Browse to the application that you just created


Assuming you have downloaded and unzipped the Lenovo certificate files to a location available to your Configuration Manager console, you will need to edit the task sequence that you use for deployment.

The method that I found worked most consistently in our environment should work in any environment as long as you have a share where you can store the 3 files mentioned above. The share only needs Read access.

In your task sequence you need to add 2 steps. These steps should be after "Setup Windows and Configuration Manager" and above your existing step that runs ThinInstaller.

  • Go to "Add" > "General" > "Connect to Network Folder"
  • Fill in the path to the share where the 3 files are located
  • In the Drive field enter a drive letter. In my testing I used "z:"
  • In the Account field enter credentials that have at least Read access
    • Test the connectivity while in the dialog

  • Immediately after the step above, go to "Add" > "General" > "Run Command Line"
  • For the Command line field, enter "cmd /c z:\LenovoCertificateInstaller.cmd". If you chose a different drive letter, make sure to replace the z: with the correct drive letter.

If you will be deploying Lenovo drivers using ThinInstaller to clients that will not have an active internet connection, the steps above will allow you to take advantage of the most recent build of ThinInstaller for your hardware app deployment needs.
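
Because these steps add certificates to the machine's certificate store from files on a network share, it helps to confirm that the files are the ones you downloaded and that the install took effect before ThinInstaller runs. The PowerShell script below is an added example, not part of Lenovo's package or of the original instructions; the script name Verify-LenovoCerts.ps1, the z:\ default and the pinned thumbprints are assumptions, and the thumbprints are placeholders for values you record yourself from the downloaded zip.

```powershell
# Added example, not Lenovo's script. Assumes the certificate files sit on z:\ as in the steps above.
param(
    [string]$SourcePath = 'z:\',
    [switch]$FilesOnly      # use before the installer step: skip the store check
)

# PLACEHOLDERS: thumbprints you record yourself when you download the zip from Lenovo.
$Pinned = @{
    'LenovoIntermediateCertificate.cer'    = '<THUMBPRINT-RECORDED-AT-DOWNLOAD>'
    'VerisignUniversalRootCertificate.cer' = '<THUMBPRINT-RECORDED-AT-DOWNLOAD>'
}

$failed = $false
foreach ($name in $Pinned.Keys) {
    $file = Join-Path $SourcePath $name
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Output "FAIL  $name : file not found at $file"
        $failed = $true
        continue
    }

    # Parse the .cer from disk; this does not import it into any store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # The file on the share must be the one you vetted (-ne is case-insensitive).
    if ($cert.Thumbprint -ne ($Pinned[$name] -replace '\s', '')) {
        Write-Output "FAIL  $name : thumbprint $($cert.Thumbprint) does not match the pinned value"
        $failed = $true
        continue
    }
    if ($FilesOnly) { Write-Output "OK    $name : file matches the pinned thumbprint"; continue }

    # After the installer step: look for the certificate in every LocalMachine store.
    $hits = @(Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $cert.Thumbprint })
    if ($hits.Count -eq 0) {
        Write-Output "FAIL  $name : not present in any LocalMachine certificate store"
        $failed = $true
    } else {
        $stores = ($hits | ForEach-Object { Split-Path $_.PSParentPath -Leaf } | Sort-Object -Unique) -join ', '
        Write-Output "OK    $name : installed in $stores"
    }
}

# A non-zero exit code fails the task sequence step before ThinInstaller runs.
if ($failed) { exit 1 } else { exit 0 }
```

Run it as a "Run Command Line" step, once with -FilesOnly before the installer step and once without the switch after it, for example `powershell.exe -ExecutionPolicy Bypass -File z:\Verify-LenovoCerts.ps1`.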