TruGrid Windows Connector - Machine Wide installer
Overview
The TruGrid Windows Connector ships as a single signed installer that supports both interactive and unattended installation, in either a per-user or a per-machine scope. This article covers the installer in full: what it installs, where it installs it, the supported command-line parameters, common deployment patterns, and how to verify and uninstall it.
- Filename:
TruGrid_Windows_Connector_<version>.exe - Underlying technology: Windows Installer (WIX) packaged as a signed EXE bootstrapper.
- Download: Windows Connector
- Replaces: the previous ClickOnce-based Connector. Both installers can coexist on a machine.
What this installer does
- Installs the TruGrid Windows Connector in either a per-user scope (default) or a per-machine scope (controlled by a command-line parameter).
- Optionally registers the TruGrid code-signing certificate as a Trusted Publisher under the Terminal Services policy key, which suppresses the "Unverified Publisher" RDP warning introduced by the April 2026 Windows security update.
- Configures the connector to check for new versions on launch (configurable).
- Writes uninstall information to the standard Add/Remove Programs registry path so the connector is uninstallable through Settings, Programs and Features, or a scripted command.
Supported operating systems
- Windows 11 (all currently supported builds)
- Windows Server 2016 and later
Interactive installation
Double-click TruGrid_Windows_Connector_<version>.exe.
- Without elevation, the installer installs in the per-user scope, into the running user's profile. If the Certificate Thumbprint is already there, no UAC prompt will show. If it is not, the user will be prompted for Admin rights, if they click "No", the installation will finish normally.
- If the running user is a local administrator, a UAC prompt is shown for the Trusted Publisher certificate registration step. Approving the prompt registers the certificate. Declining the prompt continues the installation without registering the certificate.
- If the running user is not a local administrator, the Trusted Publisher certificate step can be skipped.
- To install in the per-machine scope interactively, an administrator must run the installer from an elevated command prompt with
PERMACHINE=1. The installer does not provide an in-UI toggle for scope.
Install scopes
The installer supports two mutually compatible scopes. A single machine may have both installed simultaneously.
Aspect | Per-user (default) | Per-machine ( |
|---|---|---|
Install path | | |
Registry hive | | |
| | |
ARP / uninstall key | | |
Execution context required | Interactive user | Administrator or |
Applies to | The installing user only | All users on the machine |
Default behavior
With no command-line parameters, the installer behaves as follows:
Setting | Default |
|---|---|
Install scope | Per-user |
Auto-update | Enabled. The connector checks for new versions when launched. |
Trusted Publisher certificate | Registered if the user is an administrator and approves the UAC prompt; silently skipped if the user is not an administrator. |
Reboot | Not required |
Command-line parameters
Parameter | Values | Default | Description |
|---|---|---|---|
| flag | (interactive) | Performs a silent install with no UI. |
| | | |
| | | |
| | | |
| flag | n/a | Uninstalls the installation matching the current |
PERMACHINE on uninstall to the value used on install. A PERMACHINE=1 install must be uninstalled with PERMACHINE=1. A per-user install must be uninstalled without it. Mismatched scope targets the wrong installation or no installation at all.Silent installation examples
Per-user, silent
Runs in the interactive user's context. No elevation required.
TruGrid_Windows_Connector_26.5.11.0.exe /quiet
Per-machine, silent
Must run as an administrator or as SYSTEM (RMM agent, GPO startup script, Intune Win32 app in System context, scheduled task running as NT AUTHORITY\SYSTEM).
TruGrid_Windows_Connector_26.5.11.0.exe /quiet PERMACHINE=1
Per-machine, auto-update disabled
For environments where the connector version is controlled centrally and the binary must not check for updates on launch:
TruGrid_Windows_Connector_26.5.11.0.exe /quiet PERMACHINE=1 EnableAutoUpdate=0
Install without registering the Trusted Publisher certificate
Useful when the certificate trust is managed separately, for example by a centrally pushed GPO:
TruGrid_Windows_Connector_26.5.11.0.exe /quiet PERMACHINE=1 RemoveCertTrust=1
Auto-update behavior
When EnableAutoUpdate=1 (the default), the connector checks for a newer version each time it is launched. If a newer version is available, the connector prompts the user to update.
Set EnableAutoUpdate=0 to disable launch-time update checks. In this mode the connector remains at the installed version until an administrator deploys a new version.
Trusted Publisher certificate behavior
The April 2026 Windows security update introduced a per-launch "Unverified Publisher" warning for RDP connections initiated from unsigned or untrusted RDP files. The TruGrid Windows Connector signs the RDP files it launches, but the user's machine must trust the TruGrid signing certificate as a Trusted Publisher to suppress the warning. This trust is configured via the registry policy at:
HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
The installer manages this trust automatically:
RemoveCertTrust=0(default): The installer registers the TruGrid signing certificate as a Trusted Publisher if it is not already present. Registration writes toHKLMand therefore requires elevation; the installer triggers a UAC prompt for the certificate step when the user is an administrator. If the user is not an administrator, the certificate step is skipped silently and the warning will continue to appear on RDP launch until the certificate is registered by another means.RemoveCertTrust=1: The installer does not register the certificate, and removes it from the policy if it is already present. Use this when the certificate trust is managed centrally (for example, via Group Policy) and the installer should not manage it directly.
For full background on the warning and alternative remediation methods, see How to suppress the "Unverified Publisher" Security Warnings.
Deployment patterns
Microsoft Intune
Prerequisites: The signed .exe, the Microsoft Win32 Content Prep Tool, and Intune Administrator or Application Administrator rights.
1. Package the installer
Stage the .exe alone in a clean folder (no extra files, no subfolders), then wrap it:
IntuneWinAppUtil.exe -c C:\IntunePkg\TruGrid -s TruGrid_Windows_Connector_<version>.exe -o C:\IntunePkg\Out
Upload the resulting .intunewin file when creating the app.
2. Create the Win32 app
Intune admin center > Apps > Windows > Add > Windows app (Win32).
Program tab:
Field | Value |
|---|---|
Install command | |
Uninstall command | |
Install behavior | System |
Device restart behavior | No specific action |
Requirements tab:
Field | Value |
|---|---|
OS architecture | x64 |
Minimum OS | Windows 10 1607 |
3. Detection rules
Set Rules format to Manually configure detection rules. Add both rules - Intune ANDs them.
Rule 1 - presence:
Field | Value |
|---|---|
Rule type | Registry |
Key path | |
Value name | |
Detection method | Value exists |
32-bit app on 64-bit clients | No |
Rule 2 - version (required for updates):
Field | Value |
|---|---|
Rule type | Registry |
Key path | |
Value name | |
Detection method | Version comparison |
Operator | Greater than or equal to |
Value | |
32-bit app on 64-bit clients | No |
Rule 1 confirms the app is installed. Rule 2 confirms the installed version is at least the one being deployed - without it, Intune treats an older version as "already installed" and skips the update.
4. Assignments
Assign to device groups (not user groups). Use Required for managed rollout or Available for enrolled devices for Company Portal self-service.
5. Deploying updates
When a new version ships:
- Package the new
.exeinto a new.intunewin. - Create a new Win32 app (do not edit the existing one). Update the version in the app name, install command, and Rule 2 value.
- On the new app, go to Supersedence > Add > select the previous version > set Uninstall previous version = No. The installer handles in-place upgrade itself.
- Assign to the same device groups as the previous version.
- Keep the old app in Intune until its install count reaches zero, then delete it.
Group Policy startup script
Place the installer on a network share readable by Domain Computers and configure a Computer Configuration startup script:
@echo off
set INSTALLER=\fileserver\share\TruGrid\TruGrid_Windows_Connector_26.5.11.0.exe
set MARKER=%ProgramData%\TruGrid\install_26.5.11.0.done
if exist "%MARKER%" exit /b 0
"%INSTALLER%" /quiet PERMACHINE=1
if %ERRORLEVEL% EQU 0 (
if not exist "%ProgramData%\TruGrid" mkdir "%ProgramData%\TruGrid"
echo Installed %DATE% %TIME% > "%MARKER%"
)
The marker file prevents reinstall on every boot.
RMM platforms
Any RMM that can run an .exe in SYSTEM context supports the standard per-machine command. Wrap this in a script policy targeting Windows endpoints:
TruGrid_Windows_Connector_26.5.11.0.exe /quiet PERMACHINE=1
PowerShell remoting
$installer = "C:\Temp\TruGrid_Windows_Connector_26.5.11.0.exe"
Invoke-Command -ComputerName $targets -ScriptBlock {
param($path)
Start-Process -FilePath $path -ArgumentList "/quiet","PERMACHINE=1" -Wait -NoNewWindow
} -ArgumentList $installer
Uninstall
Interactive
Use Settings, Apps and Features, or Programs and Features. Two entries are possible:
- TruGrid Windows Connector under the user's installed apps (per-user installation).
- TruGrid Windows Connector under the machine-wide installed apps (per-machine installation).
Each entry uninstalls only its own scope.
Silent, per-user
TruGrid_Windows_Connector_26.5.11.0.exe /uninstall /quiet
Silent, per-machine
TruGrid_Windows_Connector_26.5.11.0.exe /uninstall /quiet PERMACHINE=1
Updated on: 27/05/2026
Thank you!