Besides adding them to the local store at 'Trusted Publishers' and 'Trusted Root Certification Authorities', you have to edit the Group Policy, either locally or on the domain level, to allow trusting.
For SCUP/WSUS updates using a code signing cert I used a GPO to "Allow signed updates from an intranet Microsoft update service location" under /Administrative Templates/Windows Components/Windows Update.
For Application installs it's going to be in a different place. Looks like it might be Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings.
Take a look at: http://technet.microsoft.com/en-us/library/cc733026.aspx
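
A check for the SCUP/WSUS setup described in this answer, as an added example that is not part of the original post: it reports whether a given code-signing certificate is in both machine stores and whether the "Allow signed updates from an intranet Microsoft update service location" policy is in effect. The thumbprint is a placeholder and the function name is hypothetical; `AcceptTrustedPublisherCerts` is the registry value that policy writes.

```powershell
param(
    # Placeholder: replace with the thumbprint of your own code-signing certificate.
    [string]$Thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'
)

# Hypothetical helper name; run in an elevated session on the client being checked.
function Test-UpdateSigningTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints copied from the certificate UI often contain spaces.
    $thumb  = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $result = [ordered]@{ Thumbprint = $thumb }

    # A self-signed signing cert must be present in BOTH machine stores.
    foreach ($store in 'TrustedPublisher', 'Root') {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $thumb } |
            Select-Object -First 1
        $result["In$store"] = [bool]$cert
        if ($cert) {
            $result['NotExpired'] = $cert.NotAfter -gt (Get-Date)
            # 1.3.6.1.5.5.7.3.3 is the Code Signing EKU; a cert with no EKU
            # extension at all reports False here.
            $result['HasCodeSigningEku'] =
                $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3'
        }
    }

    # Value written by the Windows Update policy named in the answer (1 = enabled).
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts `
                -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $result['PolicyAllowsSignedIntranetUpdates'] = ($value -eq 1)

    [pscustomobject]$result
}

Test-UpdateSigningTrust -Thumbprint $Thumbprint | Format-List
```

Any `False` in the output points at the piece that is still missing: the store import, an expired or wrongly scoped certificate, or the GPO not having applied to that machine.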