Lot's of information on the parent page, this is what I ended up using:
I did need Admin Priv to create the key, so I used a VM and exported the "pfx" file to my LAN, but I was able to import & publish via batch without Admin Priv.
Create Key:
New-SelfSignedCertificate -DnsName User@Domain.com -Type CodeSigning -NotAfter (Get-Date).AddMonths(36)
- Now open MMC, Add Cert Snap-In & Export Cert w/ Private Key
Import & Export Key on Publishing Computer:
- I found this easier to just do manually since I wouldn't be mass deploying this. I just did it via MMC and added to my Personal Store.
- I then exported the key again, but this time without the Private Key as a "file.cer"
Import Key on End Users computer without Admin:
- Note you want it to end up in "\TrustedPublishers". TrustedRoot & Personal are of no use to end-users.
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Import-Certificate -FilePath "\\Server\Path\User@Domain.com.cer" -CertStoreLocation Cert:\CurrentUser\TrustedPublisher