I would like to install the Balloon driver for running my Windows in KVM without user any interaction (silent installation).

I'm using powershell to extract the certificate form the driver to some temporary file and then import it to TrustedPublisher using certutil.exe:

$cert = (Get-AuthenticodeSignature "D:\Balloon\2k12R2\amd64\blnsvr.exe").SignerCertificate; [System.IO.File]::WriteAllBytes("c:\redhat.cer", $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert));

certutil.exe -f -addstore "TrustedPublisher" c:\redhat.cer

Then I can install the driver without bothering the user by confirmation:

pnputil -i -a "d:\Balloon\2k12R2\amd64\*.inf"

How can I improve this task to do it all in powershell - without extracting the certificate to temporary file and using certutil.exe to import it?

You can store cert data in variable, and add it directly to desired store. For example, using your path/target:

$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$Cert.Import((((Get-AuthenticodeSignature "D:\Balloon\2k12R2\amd64\blnsvr.exe").SignerCertificate).Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)))
$store = Get-Item "cert:\LocalMachine\TrustedPublisher"
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($Cert)
$store.Close()

I take the signature from the .cat file from all virtio drivers and import it directly to the store:

$DriverPath = Get-Item "D:\tmp\virtio-win-0.1.173\*\2k12r2\amd64"

$CertStore = Get-Item "cert:\LocalMachine\TrustedPublisher"
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

Get-ChildItem -Recurse -Path $DriverPath -Filter "*.cat" | % {
    $Cert = (Get-AuthenticodeSignature $_.FullName).SignerCertificate

    Write-Host ( "Added {0}, {1} from {2}" -f $Cert.Thumbprint,$Cert.Subject,$_.FullName )

    $CertStore.Add($Cert)
}

$CertStore.Close()