Artifact Signing
A fully managed end-to-end service for digitally signing code, documents, and applications. (formerly Trusted Signing)
You should not see the messages anymore.
Artifact Signing Account with Public Trust Certificate Profile and Active Organization Identity validation has begun giving windows smart-screen error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 81%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
McKay Reed Moore
30
Reputation points
Hello, I recently setup application signing through the the azure artifact signing account. I setup the artifact signing account, created an organizational identity validation (which completed and is current), and created a public trust certificate profile.
Initially when signing my application windows recognized it as a virus, though after a couple days, this was no longer the case, and I was able to download the application without issue and without the windows smart screen error warning users to not use the application.
I ran into some issues with the certificate profile not auto-updating so I ended up re-creating it while that issue was being resolved. The certificate profile issue has since been resolved an my certificate auto update.
However since the last time I created the new certificate profile, I have begun to get windows smart screen errors.
I was under the impression that signing through an artifact signing account enable the same level of reputation that an Extended-Validation certificate had and that I wouldn't get smart screen errors. I have also seen this assertion in multiple different places, though none seem to be Microsoft itself.
Does signing through an Azure Signing Account give enough reputation such that users don't see windows smart screen? I can't seem to find it in the docs.
Also, is there a reason it would be the case that I didn't have the windows smart screen warning initially (after the brief period where windows thought it was a virus), and then begin to get smart screen errors later?
Here are those other places that assert that Azure Signing Account gives instant reputation, though again they aren't Microsoft, though presumably they heard something from Microsoft and weren't trying to spin a tale lol.
https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/
https://www.electronjs.org/docs/latest/tutorial/code-signing#:~:text=Azure%20Trusted%20Signing%20is%20Microsoft's%20modern%20cloud%2Dbased%20alternative%20to%20EV%20certificates.
Artifact Signing
Answer accepted by question author
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 52%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Meha-MSFT
1,880
Reputation points Microsoft Employee
Moderator
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 93%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMN%3C/text%3E%3C/svg%3E)
Matt Nowicki 5 Reputation points2026-05-13T12:55:01.73+00:00 You've made this exact post on multiple threads, with no explanation as to how to fix this error. Microsoft controls SmartScreen and Artifact Signing. Why can't the two work together? I spent the last week setting up Artifact Signing thinking it would allow me to finally get past the stupid SmartScreen nonsense, but I'm right back in the same boat. What a waste of time!
-
McKay Reed Moore 30 Reputation points
2026-05-13T17:52:13.7566667+00:00 Hey Matt, I agree it was a frustrating experience setting it up, especially because in some places it explicitly says setting up artifact signing gets rid of the issue, only to have it occur again.
I think initially they had a blanket policy that artifact signing got rid of smart screen errors as blog articles from third party sources indicated as much when artifact signing was coming out. They must have then changed the policy and scrubbed their documentation, updating thing such that artifact signing no longer removes smart screen, and integrated the reputation system with artifact signing. Unfortunate :(. It's kinda wild that doing signing with Apple is so much easier. You'd think that be of similar difficulty.
I believe this support engineer has access to set your reputation such that you no longer see the smart screen, and that is what they have been doing. (After my interaction with them my problem got solved)
If you haven't already I would make a post about it and then someone will come in and resolve your issue.
Sign in to comment
1 additional answer
Sort by: Most helpful
-
AI answer
2026-04-09T03:25:24.48+00:00 Artifact Signing with a Public Trust certificate profile provides publicly trusted code-signing certificates, but it does not guarantee “instant” or permanent SmartScreen reputation in all cases.
Key points from the documentation and behavior of Artifact Signing:
- Public Trust vs. SmartScreen reputation
- Public Trust certificate profiles are issued from the Microsoft Identity Verification Root Certificate Authority 2020 and are intended for:
- Win32 app code signing
- Smart App Control in Windows 11
-
/INTEGRITYCHECKforced integrity signing - VBS enclaves
- Public Trust is recommended “to sign any artifact you intend to share publicly,” and apps signed with it are designed so that “users enjoy a productive experience on Windows with modern security protection features enabled such as Smart App Control and SmartScreen.”
- However, the documentation does not state that SmartScreen warnings are never shown or that reputation is always immediate and permanent. SmartScreen reputation is based on multiple signals (including file prevalence and telemetry) and can change over time.
- Public Trust certificate profiles are issued from the Microsoft Identity Verification Root Certificate Authority 2020 and are intended for:
- Impact of recreating the certificate profile
- Artifact Signing uses short-lived certificates that are renewed daily and valid for only 72 hours. These certificates are tied to a certificate profile and an identity validation.
- Each certificate carries a Subscriber identity validation EKU that pins a durable identity value associated with the identity validation resource, not the individual certificate thumbprint.
- When a certificate profile is recreated, the following can change:
- The certificate profile resource itself (new profile, new configuration).
- The exact certificates being issued (new short-lived certs, new thumbprints, possibly different Subject DN details depending on configuration).
- SmartScreen reputation is not documented as being bound to the Artifact Signing account or identity validation alone. Changing certificate profiles and reissuing binaries can affect how SmartScreen evaluates the new binaries, especially if the new signed binaries are effectively “new” to the ecosystem.
- Why SmartScreen behavior changed over time
Based on the documented behavior of Artifact Signing and its trust model:
- Initially, SmartScreen may have flagged the file as suspicious or as malware until Microsoft’s protection systems reclassified it (for example, after further analysis or telemetry showed it was not malicious). This aligns with the note that revocation and classification can be targeted to specific certificates and days.
- After a period of normal use, reputation for that specific combination of binary + certificate chain likely improved, so SmartScreen stopped warning.
- When the certificate profile was recreated and new certificates started signing the binaries, SmartScreen may treat the resulting signed binaries as new artifacts. If the new binaries have low prevalence or other signals that differ from the earlier ones, SmartScreen can resume showing warnings even though the signer is still a validated identity under Public Trust.
- What Artifact Signing guarantees
- Public Trust certificates:
- Chain to a Microsoft root CA included in standard root programs.
- Comply with Microsoft PKI Services CPS.
- Are suitable for Smart App Control, SmartScreen, and other Windows security features.
- Identity validation ensures the Subject DN reflects a verified organization or individual.
- Short-lived certificates and the Subscriber identity validation EKU provide strong identity binding and fine-grained revocation.
- The documentation does not guarantee:
- Immediate SmartScreen reputation for every new binary.
- That SmartScreen warnings will never appear after changes to certificate profiles or binaries.
- Public Trust certificates:
- Practical implications
- Signing with a Public Trust certificate profile is the correct choice for public distribution and is designed to integrate well with SmartScreen and Smart App Control.
- SmartScreen reputation can still fluctuate when:
- Binaries change significantly.
- Certificate profiles are recreated.
- New short-lived certificates sign artifacts that have not yet accumulated sufficient reputation.
In summary, signing through an Artifact Signing account with a Public Trust certificate profile provides a trusted code-signing chain and is designed to support SmartScreen and Smart App Control, but it does not guarantee permanent or instant SmartScreen reputation. Recreating the certificate profile and issuing new certificates can cause SmartScreen to reassess your binaries, which explains why warnings disappeared initially and then reappeared after the profile change.
References:
AI-generated content may be incorrect. Read our transparency notes for more information. - Public Trust vs. SmartScreen reputation