Why is my EV-signed application showing Microsoft Defender SmartScreen warnings?

Solution ID : ALERT91
Last Modified : 06/02/2026

Microsoft Defender SmartScreen helps protect users from downloading and running potentially unsafe applications. SmartScreen does not issue or manage code signing certificates. Instead, it uses Microsoft-controlled reputation signals to determine whether users should see a warning before running a downloaded file.

When using DigiCert code signing certificates:

  • Microsoft controls SmartScreen reputation.
  • EV code signing certificates no longer guarantee immediate SmartScreen reputation advantages.
  • End users may see warnings until Microsoft builds enough reputation for your signed file, publisher, or signing certificate.
  • Reputation will be built as users download and run your signed application without signs of malicious behavior.

DigiCert cannot control when Microsoft Defender SmartScreen warnings appear or stop appearing. SmartScreen reputation is managed by Microsoft and is built through Microsoft’s reputation system.

Problem

My users are seeing Microsoft Defender SmartScreen warnings after I signed my application with a DigiCert EV code signing certificate. I thought signing with an EV code signing certificate meant my application would be automatically trusted.  

 

Code signing signature trust versus Microsoft Defender SmartScreen reputation  

Code signing signatures

Code signing helps protect the integrity of your executables by showing whether they have been modified after signing. Many modern operating systems require code signing to protect their users from code that has no known origin or guarantees of authenticity.  

Microsoft Defender SmartScreen reputation

SmartScreen looks at two main things:

  1. Publisher reputation
    Was the file signed? Is the publisher known to Microsoft’s reputation system?  
  2. File reputation
    Has this exact file been downloaded and run by users without signs of malicious behavior?  

NOTE: Reputation is often tied to the specific file hash and publisher combination. New releases or modified binaries may require reputation to build again.

A newly signed file may still show a SmartScreen warning until Microsoft sees enough positive reputation for the file or publisher.  

Your signed files may show SmartScreen warnings when you are:

  • Using a new code signing certificate
  • Releasing a new application
  • Distributing a file with low download volume
  • Changing your publisher identity
  • Modifying a file after signing it

 

What changed with EV code signing certificates?  

Microsoft Defender SmartScreen is a reputation-based security system.

In the past, Microsoft granted a positive SmartScreen reputation to Extended Validation (EV) code signing certificates by default. This meant that files signed with an EV code signing certificate were less likely to trigger SmartScreen warnings.  

EV code signing certificates may still provide trust signals, but Microsoft no longer guarantees that EV-signed applications will avoid SmartScreen warnings automatically. Today, files signed with OV or EV code signing certificates must build SmartScreen reputation.   

For more information, see Microsoft Learn: SmartScreen reputation for Windows app developers

 

Why SmartScreen warnings appear

A “Windows protected your PC” warning does not necessarily mean:

  • Your code signing certificate is invalid.
  • Your signature is untrusted.
  • Your application is malicious.
  • There is a problem with your DigiCert certificate.  

The warning usually means Microsoft SmartScreen does not yet have enough positive reputation for the signed file, the publisher, or the signing certificate.  

In many cases, the digital signature itself is still valid and trusted by Windows. SmartScreen reputation is a separate Microsoft-controlled assessment layer that evaluates download and execution reputation.  

 

Best practices for establishing and maintaining SmartScreen reputation  

SmartScreen reputation is based on Microsoft’s evaluation of your signed file, publisher, certificate, and download behavior. DigiCert validates and issues code signing certificates, but Microsoft controls SmartScreen reputation decisions.  

Use these tips to help build and maintain SmartScreen reputation.

Use a consistent publisher identity

Use the same publisher identity to sign your applications. Changing the publisher identity can affect the reputation Microsoft tracks and may require reputation to build again.  

Sign every release

Sign every released executable, installer, and software package.

Unsigned files do not benefit from the reputation associated with your signing certificate. Microsoft also notes that unsigned files must build reputation for each new version, starting from zero reputation.  

Timestamp your signatures

Timestamp your signed files.

Timestamping helps preserve the validity of the signature after the code signing certificate expires. 

Do not modify signed files

Do not change files after they are signed.

Changing a signed file can break the signature and may remove the benefit of the signature. If you need to update a file, make the change first, then sign the final version.  
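
A pre-release check for the practices above (consistent publisher identity, every file signed, signatures timestamped, nothing modified after signing), as an added example that is not DigiCert's or Microsoft's code. The function name Test-ReleaseSignature, the .\dist folder, and the expected subject string are hypothetical; substitute your own certificate subject.

```powershell
# Added example: release gate for the signing practices above.
# Test-ReleaseSignature, the folder and the expected subject are hypothetical names.
function Test-ReleaseSignature {
    param(
        [Parameter(Mandatory)] [string] $ReleaseDir,
        # Subject of the certificate you always sign with (assumption: you supply it).
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )

    $files = Get-ChildItem -Path $ReleaseDir -Recurse -File -Include *.exe, *.dll, *.msi
    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $problems = @()

        # NotSigned: the file was never signed. HashMismatch: it changed after signing.
        if ($sig.Status -ne 'Valid') {
            $problems += "signature status is $($sig.Status)"
        }
        # A different subject means a different publisher identity for this file.
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -ne $ExpectedSubject) {
            $problems += "signed by '$($sig.SignerCertificate.Subject)'"
        }
        # No timestamper certificate means the signature carries no timestamp.
        if ($sig.SignerCertificate -and -not $sig.TimeStamperCertificate) {
            $problems += 'signature is not timestamped'
        }

        [pscustomobject]@{
            File     = $file.Name
            # Record the hash of the exact bytes you ship.
            Sha256   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            Passed   = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed usage: fail the build if any shipped binary has a problem.
$results = Test-ReleaseSignature -ReleaseDir '.\dist' -ExpectedSubject 'CN=Example Corp, O=Example Corp, L=City, S=State, C=US'
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

This checks the signature only. It does not query SmartScreen reputation, which is a separate Microsoft-controlled layer, so a file that passes here may still show a warning.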

Distribute software from trusted sources

Host downloads on official, trusted distribution channels. Users should only download your application from sources they recognize and trust.  

Distribute applications from:

  • Official company domains
  • HTTPS-protected download pages
  • Consistent download URLs  

Avoid:

  • File-sharing services
  • Temporary hosting providers
  • Frequently changing download domains  

Set expectations with end users

For new applications, new versions, or low-volume downloads, let users know they may see a SmartScreen warning.   

Encourage them to:

  • Verify the publisher.
  • Confirm they downloaded the file from a trusted source.
  • Contact your support team if they are unsure.

 

What EV code signing certificates still provide

Even though Microsoft no longer guarantees immediate SmartScreen reputation for EV-signed files, EV code signing certificates still provide important benefits:  

  • Strong publisher identity validation
  • Hardware-backed private key protection requirements
  • Higher assurance signing practices
  • Improved publisher trust visibility
  • Compliance with Microsoft and industry security expectations  

 

Microsoft escalations: Submit files to Microsoft for analysis  

If you believe your signed application is being incorrectly flagged or continuously triggering SmartScreen warnings, you can submit the file to Microsoft for analysis through the Microsoft Security Intelligence portal. To submit a file for analysis, see Submit a file for malware analysis.  

 

Frequently asked questions (FAQ)

How long does SmartScreen reputation take to build?

Microsoft does not publish exact thresholds or timelines. Reputation development depends on many factors, such as download volume, install success, user interactions, publisher history, file reputation, and Microsoft’s internal reputation signals.  

Does EV code signing still matter?

Yes. EV certificates still provide strong identity validation and security protections even though Microsoft no longer guarantees that EV-signed applications will avoid SmartScreen warnings automatically. See "What EV code signing certificates still provide" in this article.

Can DigiCert remove SmartScreen warnings?

No. Microsoft independently controls SmartScreen reputation and warning decisions.  

Will reputation transfer to a renewed code signing certificate?

Publisher continuity may help preserve reputation signals, but Microsoft does not publicly document exact reputation transfer behavior.