
Artifact Signing Account with Public Trust Certificate Profile and Active Organization Identity validation has begun giving Windows SmartScreen error

McKay Reed Moore 10 Reputation points
2026-04-09T03:25:02.6166667+00:00

Hello, I recently set up application signing through the Azure Artifact Signing account. I set up the Artifact Signing account, created an organizational identity validation (which completed and is current), and created a Public Trust certificate profile.

Initially, when signing my application, Windows recognized it as a virus, though after a couple of days this was no longer the case, and I was able to download the application without issue and without the Windows SmartScreen error warning users not to use the application.

I ran into some issues with the certificate profile not auto-updating, so I ended up re-creating it while that issue was being resolved. The certificate profile issue has since been resolved and my certificate auto-updates.

However, since the last time I created the new certificate profile, I have begun to get Windows SmartScreen errors.

I was under the impression that signing through an Artifact Signing account enabled the same level of reputation that an Extended Validation certificate had, and that I wouldn't get SmartScreen errors. I have also seen this assertion in multiple different places, though none seem to be Microsoft itself.

Does signing through an Azure Signing Account give enough reputation that users don't see Windows SmartScreen? I can't seem to find it in the docs.

Also, is there a reason I didn't have the Windows SmartScreen warning initially (after the brief period where Windows thought it was a virus), and then began to get SmartScreen errors later?

Here are those other places that assert that Azure Signing Account gives instant reputation, though again they aren't Microsoft, though presumably they heard something from Microsoft and weren't trying to spin a tale lol.
https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/
https://www.electronjs.org/docs/latest/tutorial/code-signing#:~:text=Azure%20Trusted%20Signing%20is%20Microsoft's%20modern%20cloud%2Dbased%20alternative%20to%20EV%20certificates.

Artifact Signing

A fully managed end-to-end service for digitally signing code, documents, and applications. (formerly Trusted Signing)


1 answer

  1. Q&A Assist
    2026-04-09T03:25:24.48+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Artifact Signing with a Public Trust certificate profile provides publicly trusted code-signing certificates, but it does not guarantee “instant” or permanent SmartScreen reputation in all cases.

    Key points from the documentation and behavior of Artifact Signing:

    1. Public Trust vs. SmartScreen reputation
      • Public Trust certificate profiles are issued from the Microsoft Identity Verification Root Certificate Authority 2020 and are intended for:
        • Win32 app code signing
        • Smart App Control in Windows 11
        • /INTEGRITYCHECK forced integrity signing
        • VBS enclaves
      • Public Trust is recommended “to sign any artifact you intend to share publicly,” and apps signed with it are designed so that “users enjoy a productive experience on Windows with modern security protection features enabled such as Smart App Control and SmartScreen.”
      • However, the documentation does not state that SmartScreen warnings are never shown or that reputation is always immediate and permanent. SmartScreen reputation is based on multiple signals (including file prevalence and telemetry) and can change over time.
    2. Impact of recreating the certificate profile
      • Artifact Signing uses short-lived certificates that are renewed daily and valid for only 72 hours. These certificates are tied to a certificate profile and an identity validation.
      • Each certificate carries a Subscriber identity validation EKU that pins a durable identity value associated with the identity validation resource, not the individual certificate thumbprint.
      • When a certificate profile is recreated, the following can change:
        • The certificate profile resource itself (new profile, new configuration).
        • The exact certificates being issued (new short-lived certs, new thumbprints, possibly different Subject DN details depending on configuration).
      • SmartScreen reputation is not documented as being bound to the Artifact Signing account or identity validation alone. Changing certificate profiles and reissuing binaries can affect how SmartScreen evaluates the new binaries, especially if the new signed binaries are effectively “new” to the ecosystem.
    3. Why SmartScreen behavior changed over time
      Based on the documented behavior of Artifact Signing and its trust model:
      • Initially, SmartScreen may have flagged the file as suspicious or as malware until Microsoft’s protection systems reclassified it (for example, after further analysis or telemetry showed it was not malicious). This aligns with the note that revocation and classification can be targeted to specific certificates and days.
      • After a period of normal use, reputation for that specific combination of binary + certificate chain likely improved, so SmartScreen stopped warning.
      • When the certificate profile was recreated and new certificates started signing the binaries, SmartScreen may treat the resulting signed binaries as new artifacts. If the new binaries have low prevalence or other signals that differ from the earlier ones, SmartScreen can resume showing warnings even though the signer is still a validated identity under Public Trust.
    4. What Artifact Signing guarantees
      • Public Trust certificates:
        • Chain to a Microsoft root CA included in standard root programs.
        • Comply with Microsoft PKI Services CPS.
        • Are suitable for Smart App Control, SmartScreen, and other Windows security features.
      • Identity validation ensures the Subject DN reflects a verified organization or individual.
      • Short-lived certificates and the Subscriber identity validation EKU provide strong identity binding and fine-grained revocation.
      • The documentation does not guarantee:
        • Immediate SmartScreen reputation for every new binary.
        • That SmartScreen warnings will never appear after changes to certificate profiles or binaries.
    5. Practical implications
      • Signing with a Public Trust certificate profile is the correct choice for public distribution and is designed to integrate well with SmartScreen and Smart App Control.
      • SmartScreen reputation can still fluctuate when:
        • Binaries change significantly.
        • Certificate profiles are recreated.
        • New short-lived certificates sign artifacts that have not yet accumulated sufficient reputation.

    In summary, signing through an Artifact Signing account with a Public Trust certificate profile provides a trusted code-signing chain and is designed to support SmartScreen and Smart App Control, but it does not guarantee permanent or instant SmartScreen reputation. Recreating the certificate profile and issuing new certificates can cause SmartScreen to reassess your binaries, which explains why warnings disappeared initially and then reappeared after the profile change.


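An added check, not taken from the question, the answer, or Microsoft's own tooling: it reads the Authenticode signature of a build with PowerShell and reports the properties the answer discusses (signer Subject, the short-lived certificate's validity window, the chain root, timestamp presence, and the Subscriber identity validation EKUs), so an old build that passed SmartScreen can be compared against the new one. It assumes the identity validation EKUs sit under the Microsoft private arc 1.3.6.1.4.1.311.97 and uses placeholder file paths.

```powershell
# Added example (not from the question, the answer, or Microsoft): inspect an
# Artifact Signing (Trusted Signing) signature so two builds' signers can be compared.
function Get-ArtifactSigningInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signed = $false }
    }
    $cert = $sig.SignerCertificate

    # EKUs: the Public Trust leaf carries Code Signing plus the Subscriber identity
    # validation EKUs. The 1.3.6.1.4.1.311.97.* arc is an assumption taken from the
    # Trusted Signing docs; confirm it against the EKU list of your own certificate.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $identityEkus = @($ekus | Where-Object { $_ -like '1.3.6.1.4.1.311.97.*' })

    # Build the chain with time validity relaxed: the leaf lives only ~72 h, so an
    # older build's certificate is already expired even though the signature is still
    # valid (Authenticode relies on the timestamp countersignature for that case).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status            # Valid / NotSigned / HashMismatch ...
        Signed       = $true
        Subject      = $cert.Subject          # should match the validated organization
        Thumbprint   = $cert.Thumbprint       # changes with every short-lived cert
        ValidHours   = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalHours, 1)
        Timestamped  = [bool]$sig.TimeStamperCertificate
        RootSubject  = $root.Subject          # expect the Microsoft Identity Verification Root CA 2020
        IdentityEkus = ($identityEkus -join ';')
    }
}

# Placeholder paths: an old build that did not trigger SmartScreen next to the new one.
# Same Subject and same IdentityEkus values mean the validated identity did not change;
# only the short-lived certificate (Thumbprint) and the binary itself are new.
# '.\old\app.exe', '.\new\app.exe' | ForEach-Object { Get-ArtifactSigningInfo $_ } | Format-List
```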
