We have recently observed an increase in Microsoft SmartScreen warnings when end users attempt to run applications that our customers have signed.
This blog explains why this happens, how SmartScreen reputation works (based on Microsoft’s latest guidance), and what you should expect going forward.
What is SmartScreen Reputation?
Microsoft SmartScreen is a reputation-based security system that evaluates downloaded applications before allowing them to run.
According to Microsoft, SmartScreen evaluates two kinds of reputation:
- Publisher reputation → Trustworthiness of the code signing certificate
- File reputation (hash) → Whether the exact file has been widely downloaded and trusted (Microsoft Learn)
This means trust is not instant—even for properly signed applications.
Why Are SmartScreen Warnings Appearing?
You may see warnings like: “Windows protected your PC”
This typically occurs when:
- The application is new or recently released
- The file has low download prevalence
- A new certificate is being used
- The binary has changed (new version = new file hash)
Microsoft clearly states that each file must build its own reputation based on real-world usage (Microsoft Learn).
Because file reputation is tracked per file hash, even a small update produces a new file that starts with no reputation.
Important Insight: Signing Alone Is Not Enough
A common misconception is: “If my app is signed, it should not show SmartScreen warnings.”
This is not how SmartScreen works.
- Code signing ensures identity and integrity
- SmartScreen evaluates reputation over time
A valid signature ≠ immediate trust
EV vs Standard Code Signing Certificates
Historically, EV certificates helped bootstrap reputation faster. However, based on Microsoft’s current guidance:
- Both EV and standard certificates rely on reputation building
- The key factor remains real-world adoption and trust signals
Reputation is earned, not granted instantly.
How SmartScreen Reputation Builds
Reputation improves over time when:
- Users download and install the application
- No malicious behavior is detected
- The publisher consistently signs software
SmartScreen uses telemetry and signals to determine whether software is commonly downloaded and safe.
Until that reputation is established, the application is treated as “unknown” and flagged cautiously.
Why This Matters Now
With ongoing security improvements in Microsoft’s ecosystem, SmartScreen is becoming increasingly strict and reputation-driven.
This means:
- New applications will almost always see initial warnings
- Updates and new versions will temporarily reset trust
- Smaller or niche applications may take longer to build reputation
What This Means for GlobalSign Customers
It is important to clarify what a SmartScreen warning does and does not mean.
SmartScreen warnings do NOT indicate:
- Invalid or compromised GlobalSign certificates
- Issues with your signing process
- Security flaws in your application
They indicate only that:
- The application has not yet built sufficient reputation
Best Practices to Reduce SmartScreen Warnings
To build reputation faster and minimize warnings:
- Maintain certificate consistency: use the same publisher identity across releases
- Increase distribution: encourage downloads from trusted channels
- Sign all releases: ensure every binary is properly signed and timestamped
- Avoid frequent certificate changes: new certificates require reputation rebuilding
- Communicate with users: inform users that initial warnings are expected for new software
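The following PowerShell script is an added example, not code from the GlobalSign post or from Microsoft; it shows how a release pipeline can apply the practices above (sign and timestamp every build, keep the publisher identity constant) and why a new version still starts with no file reputation. It assumes signtool.exe from the Windows SDK is on PATH, that the signing certificate is in a local certificate store and selected by its thumbprint, and that `$TimestampUrl` is a placeholder you replace with your CA’s RFC 3161 timestamp URL. The function and parameter names are the example’s own.

```powershell
# Added example (not from the original post). Assumptions: signtool.exe is on PATH,
# the signing certificate is installed in a local certificate store, and the
# thumbprint and timestamp URL below are placeholders to be replaced.

function Invoke-ReleaseSigning {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint,   # placeholder: thumbprint of your signing cert
        [string] $TimestampUrl = 'http://timestamp.example.invalid/tsa'   # placeholder RFC 3161 TSA URL
    )
    # /fd and /td select SHA-256 for the file digest and the timestamp digest.
    # /tr requests an RFC 3161 timestamp so the signature remains valid after the
    # certificate itself expires (a signature with no timestamp does not).
    & signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed for '$Path' (exit code $LASTEXITCODE)"
    }
}

function Get-ReleaseSignatureReport {
    param([Parameter(Mandatory)] [string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File          = Split-Path -Path $Path -Leaf
        # File reputation is keyed on the hash, so this value is what SmartScreen
        # has (or has not yet) seen in the wild.
        Sha256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Status        = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        StatusMessage = $sig.StatusMessage
        Publisher     = $sig.SignerCertificate.Subject    # publisher identity shown to users
        CertThumb     = $sig.SignerCertificate.Thumbprint
        IsTimestamped = ($null -ne $sig.TimeStamperCertificate)
    }
}

function Test-ReleaseConsistency {
    param(
        [Parameter(Mandatory)] [string] $NewBuild,
        [string] $PreviousBuild   # optional: the last shipped release, for comparison
    )
    $new = Get-ReleaseSignatureReport -Path $NewBuild
    $findings = [System.Collections.Generic.List[string]]::new()

    # Hard failures: these are signing-process problems, not reputation problems.
    if ($new.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($new.Status)': $($new.StatusMessage). Fix signing before release.")
    }
    if (-not $new.IsTimestamped) {
        $findings.Add('No timestamp: the signature will stop validating once the certificate expires.')
    }

    if ($PreviousBuild) {
        $old = Get-ReleaseSignatureReport -Path $PreviousBuild
        if ($old.Publisher -ne $new.Publisher) {
            $findings.Add("Publisher identity changed from '$($old.Publisher)' to '$($new.Publisher)': publisher reputation starts over.")
        }
        elseif ($old.CertThumb -ne $new.CertThumb) {
            $findings.Add('Signing certificate changed: expect reputation to be rebuilt for the new certificate.')
        }
        if ($old.Sha256 -ne $new.Sha256) {
            # Informational only: every new version is a new hash and therefore a new file to SmartScreen.
            $findings.Add('File hash differs from the previous release; file reputation restarts (expected for any new version).')
        }
    }

    [pscustomobject]@{
        Report   = $new
        Findings = $findings.ToArray()
        # Only signature/timestamp defects block a release; reputation findings are expectations to communicate.
        ReleaseReady = ($new.Status -eq 'Valid' -and $new.IsTimestamped)
    }
}
```

Typical use in a build step: call `Invoke-ReleaseSigning -Path .\dist\MyApp.exe -Thumbprint '<thumbprint>'` and then `Test-ReleaseConsistency -NewBuild .\dist\MyApp.exe -PreviousBuild .\archive\MyApp-previous.exe`, failing the pipeline only when `ReleaseReady` is false. The hash and certificate findings are deliberately not failures: they document why the next release will show initial warnings again, which is the message to pass on to users rather than a defect to fix.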
Final Takeaway
SmartScreen is designed to protect users from unknown software, not to validate certificates.
Even when using GlobalSign’s trusted code signing certificates:
- Reputation takes time
- Warnings are expected initially
- Trust is built through real-world usage
Understanding how Microsoft’s SmartScreen reputation model works helps set the right expectations—for both developers and end users. If you have questions about SmartScreen warnings or how reputation builds over time, contact GlobalSign Support for guidance.