How does Microsoft differentiate between internal distribution and real-world distribution?

dchapman 80 Reputation points
2026-06-10T02:46:02.92+00:00

When asking in another question about the value of using Public Trust Test, I suggested that it might be better to only use Public Trust to build reputation faster. The response was that signing internal builds with our Public Trust profile does not materially accelerate reputation for the public app, because reputation is tied to real-world distribution and usage of the signed artifacts.

But how does it differentiate between "real-world distribution" and installs we perform for testing purposes?

Artifact Signing

A fully managed end-to-end service for digitally signing code, documents, and applications. (formerly Trusted Signing)


1 answer

    AI answer

    2026-06-10T02:46:16.37+00:00

    Microsoft treats “real-world distribution” as installs and executions that occur on end-user systems in normal deployment channels, not on controlled test or dev environments. Reputation for SmartScreen and related protections is built from:

    • How often a given signed binary (its hash and signer identity) is downloaded and run across the broader Windows ecosystem.
    • The diversity and breadth of that usage (different machines, users, geos), and whether any security telemetry flags the file as malicious.

    Internal testing typically does not materially contribute to this reputation because:

    1. Limited and homogeneous audience: Internal builds are usually installed on a small number of devices, often on the same network or tenant, and do not represent the broad, independent user base that SmartScreen and Public Trust reputation models are designed to measure.
    2. Enterprise trust boundaries: Enterprises can mark internal locations or certificates as trusted (for example, via Group Policy or Intune), or distribute unsigned/self-signed content internally. These scenarios are explicitly treated as separate from consumer/“public” reputation. SmartScreen behavior in such environments can be customized and may bypass or alter reputation checks.
    3. Test certificates vs. Public Trust: Public Trust Test profiles in Artifact Signing are explicitly not publicly trusted and are intended only for dev/test. Their usage does not feed into public reputation. Even when using a Public Trust (non-test) profile, internal-only deployment does not resemble the broad, organic download/usage pattern that SmartScreen uses as a signal for public reputation.

    As a result, signing internal builds with the same Public Trust profile does not significantly accelerate reputation for the publicly distributed app. Reputation is primarily influenced by:

    • Distribution to real users via public channels (web downloads, public installers, Store-hosted MSI/EXE, etc.).
    • The volume and cleanliness of those installs over time.

    For faster, safer public distribution with modern protections (Smart App Control, SmartScreen), the recommended approach is:

    • Use Artifact Signing Public Trust for production signing of artifacts intended for public sharing.
    • Expect initial SmartScreen prompts until enough real-world usage accumulates.
    • Use test profiles or self-signed certificates only for dev/test and internal validation, understanding they do not build public reputation.

