A workaround (if required) is to write out the latest config (e.g. as a JSON result or other format, such as the cert thumbprint or cert file path) to a file as part of your (non-impersonated) task.
You then create a windows scheduled task which periodically checks for this file and if it exists it then runs whatever script you need using that config information.
It’s not as nice as having an integrated script but it does open up a range of other ways of working (such as having fine grained control over privilege escalation, or only running the update during a maintenance window etc),