I'm getting pop-up from User Account Control when installing Single-Sign-On agent

Question

I am following this article How to Implement Single Sign On Authentication with Active Directory and on step 8. you have an instruction how to automate this installation and use Logon script. Everything works fine except the pop-up message I have from UAC saying that the SSSophosSetup.exe is from untrusted location. 
 
 Very annoying. Is there a way to fix this without disabling UAC?

daiqingxu · Answer

I am also enconter this issue. 
 There two part of it, first you should use "%LogonServer%" instead of "\domain.local" because the second one is not a trusted location. 
 The next problem is the certificate used to sign SSSophosSetup.exe is already expired. Which means the only thing you can do is have sophos know and fix it. 
 -----edit----- 
 it's not the cause, see below reply

sachingurung · Answer

Hi Biser, 
 Disabling UAC is mandatory for the installation of the logon-script. Did you try to create a group policy for software installation rights or run the installation as an Administrator? 
 For the certificate issue, please contact Support and provide me the case#. 
 Thanks

daiqingxu · Answer

I have finally got the thing working. 
 The certificate is not the issue, it's SophosRun.exe tring to install the client using credential stored in Admin.ini. 
 I move the install part of the logon script to startup script and now it's working. 
 
 Set following startup script for the workstations 
 Set WshShell = WScript.CreateObject("WScript.Shell") WshShell.Run "\domain.local
etlogon\Sophos\SSSophosSetup.exe /VERYSILENT" 
 and remove lines before 
 ECHO Configuring... 
 in the logon script. 
 
 It looks i can even get rid of the scripts entirely using some custom msi package.