Trusted Signing: Regression in SmartScreen reputation following transition to "Microsoft ID Verified CS EOC CA 03"
Issue: Since approximately April 1st, 2026, all binaries signed via Azure Trusted Signing for our company (PrestoSoft LLC) are triggering Windows SmartScreen "Unrecognized App" warnings. Previously, with the exact same workflow and account, files had established reputation and no warnings.
Technical Observation: We have identified that the regression coincided with the service shifting our signing chain to a new Intermediate CA.
Current (Failing) Intermediate CA: Microsoft ID Verified CS EOC CA 03 (SHA1: C1E16A2011AA98EAA598F759A13BDA2E742D8881)
Previous (Working) Intermediate CA: [Mention CA 01 or 02 if you have old logs, otherwise leave this line out]
Verification Status: signtool verify /pa /v returns "Successfully verified" with 0 errors and 0 warnings. The chain is valid and the timestamp is correct.
Impact: Our users are being blocked from running our software (ExamDiff Pro). This appears to be a backend synchronization issue between the new Trusted Signing Intermediate CAs and the SmartScreen reputation database.
GitHub Issue Reference: https://github.com/Azure/artifact-signing-action/issues/128
Can the product team confirm if the reputation-matching logic for the "EOC CA 03" branch is fully propagated to the SmartScreen service?
3 answers
Sreetheja Adusumilli 965 Reputation points • Microsoft External Staff • Moderator
Hello Gregory N,
Thank you for the detailed information and for validating the certificate chain on your end.
Based on our investigation, the behavior you observed was related to a Microsoft-side reputation propagation issue associated with the rollout of new Azure Trusted Signing intermediate certificate authorities on March 26, 2026 (Microsoft ID Verified CS AOC CA 03, EOC CA 03, and EOC CA 04).
During the transition to these new intermediate CAs, SmartScreen reputation that had previously been established for signed applications was not consistently propagated to the new certificate chain. As a result, applications that were previously recognized and trusted by SmartScreen, including your ExamDiff Pro binaries, could unexpectedly display the "Microsoft Defender SmartScreen prevented an unrecognized app from starting" warning despite being properly signed and validated.
We would like to confirm that this issue has been addressed by the Microsoft engineering teams. Reputation propagation for the new intermediate CAs has been corrected, and no changes are required to your Trusted Signing account, signing profile, or signing workflow.
To validate the resolution, we recommend the following:
- Re-sign and publish a current build using your existing Azure Trusted Signing profile.
- Download the newly signed binary on a clean test machine.
- Verify that the SmartScreen warning is no longer presented.
- Continue signing future releases using the same Trusted Signing profile to maintain reputation continuity for your publisher identity.
For additional context, SmartScreen reputation is evaluated on multiple signals, including file hash reputation and publisher reputation. Following recent program changes, Extended Validation (EV) certificates no longer automatically bypass SmartScreen checks. Therefore, newly released binaries may still experience a temporary reputation-building period until sufficient download and usage signals are established. This behavior is expected and is separate from the issue described above.
If you continue to observe SmartScreen warnings after re-signing and publishing a new build, please provide the following details so we can engage the appropriate engineering teams for further analysis:
- Signing timestamp
- Intermediate CA assigned to the signing profile
- SHA-256 file hash of the affected binary
Reference Document: https://learn.microsoft.com/en-us/azure/artifact-signing/faq#what-can-i-expect-when-i-see-smartscreen-prompts-for-signed-files
We appreciate your patience while this issue was being investigated and resolved. Please let us know the outcome of your validation testing.
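Added example, not part of the original answer or any Microsoft tooling: a PowerShell script that collects the three details requested above (signing timestamp, intermediate CA, SHA-256 hash) from a signed file. It assumes `signtool.exe` from the Windows SDK is on PATH and that its verbose output contains a "The signature is timestamped:" line; the parameter names and output property names are hypothetical.

```powershell
# Added example: gather the details requested in the answer for one signed binary.
param(
    [Parameter(Mandatory)] [string] $Path,   # file to inspect, e.g. the downloaded installer
    [string] $SignTool = 'signtool.exe'      # assumption: Windows SDK signtool is on PATH
)

$file = (Resolve-Path -LiteralPath $Path).Path
$sig  = Get-AuthenticodeSignature -LiteralPath $file
if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $file" }

# Build the chain for the signer certificate: element 0 is the leaf,
# element 1 is the CA that issued it (the intermediate CA).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain layout only; signtool does the real verification
[void] $chain.Build($sig.SignerCertificate)
$issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate }

# SHA1 value the question lists for "Microsoft ID Verified CS EOC CA 03".
$eocCa03 = 'C1E16A2011AA98EAA598F759A13BDA2E742D8881'

# Get-AuthenticodeSignature does not expose the countersignature time,
# so take it from signtool's verbose output (same command the question used).
$stamp = & $SignTool verify /pa /v $file 2>&1 |
    Select-String -Pattern 'The signature is timestamped:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Select-Object -First 1

# A browser download carries a Zone.Identifier stream (Mark of the Web).
# A locally built copy without it does not reproduce what end users see.
$motw = Get-Content -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue

[pscustomobject]@{
    File               = $file
    Sha256             = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    SignatureStatus    = $sig.Status
    Signer             = $sig.SignerCertificate.Subject
    IntermediateCA     = $issuer.Subject
    IntermediateSha1   = $issuer.Thumbprint
    IsEocCa03          = ($issuer.Thumbprint -eq $eocCa03)
    SigningTimestamp   = $stamp
    HasMarkOfTheWeb    = [bool] $motw
}
```

Run it against the copy downloaded on the clean test machine rather than the build output, so the hash and the Mark of the Web state match what SmartScreen evaluated.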
-
You should not see the messages anymore.
-
Matt Nowicki 5 Reputation points
You've made this exact post on multiple threads, with no explanation as to how to fix this error. Microsoft controls SmartScreen and Artifact Signing. Why can't the two work together? I spent the last week setting up Artifact Signing thinking it would allow me to finally get past the stupid SmartScreen nonsense, but I'm right back in the same boat. What a waste of time!
-
Stephen traiforos 0 Reputation points
I am getting this issue. I signed up and signed my .exe, and it worked until I downloaded it from the internet from my public site.
