Cannot install WSS Agent successfully on Windows machines

When installing using the Windows installer WSS Agent GUI, users saw the following message displayed:

Windows WSS  Agent

Windows Powershell scripts executed during installation

Beginning in WSSA 7.1.1, the WSS agent is leveraging functionality within Advanced Installer to sign the inline PowerShell scripts.  The signature will be checked automatically by the operating system against the list of allowed certificates found in the Trusted Publishers certificate store.  If the machine has enabled signed PowerShell execution policy, the signature validation will fail unless you import the Broadcom Inc code signing certificate to that store.

Microsoft allows an administrator to require all PowerShell and other scripts to be signed and trusted prior to execution.  See https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies for details. This policy will cause problems for WSS Agent installation and uninstallation, due to its usage of PowerShell scripts

There are three or four instances (depending on Windows WSS Agent version) where PowerShell scripts are used within the installation to properly install and uninstall the agent.

1. we use the following PowerShell script to check if the user is installing WSS Agent on a supported platform: Installation Support Check Expand source
2. we use the following PowerShell script to prompt the user for the uninstall token if one is set and they are uninstalling from the control panel: Uninstall Token Prompt Expand source
3. in version 7.2.1 and 7.3.x, we use Powershell to cleanly shut down the notifier process (and remove the icon from the system tray):
4. in version 7.4.1 and greater, PowerShell execution no longer required to install WSS Agent. PowerShell is only required to prompt the user for an uninstall token (if one is set) when the user tries to uninstall from the Control Panel.  If PowerShell is disabled on a machine that has an uninstall token, the dialog to prompt for uninstall token will not be displayed when attempting to uninstall from the Control Panel.  To provide the uninstall token to the uninstaller, you MUST uninstall via the command line.

When troubleshooting installation issues, one can run the installer with the following parameters to generate an installation log.

c:\path\to\installer.msi /L*V \path\to\output.log

In the above failing case, the failure to import the signing certificate will result in the installer ending prematurely, and an installation log with the following entry:

--> PowerShell Script Execution log:
AuthorizationManager check failed.
    + CategoryInfo          : SecurityError: (:) , ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
MSI (c) (6C:8C) [14:55:11:709]: PROPERTY CHANGE: Adding POWERSHELL_EXECUTION_LOG property. Its value is 'AuthorizationManager check failed.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess'.

The key indicator for this scenario is the lack of the message "You cannot run this script on the current system".  The script is trying to run, but is not authorized because the certificate is not imported into the Trusted Publishers certificate store.