TL;DR: Silent CA migration (EOC CA 02 → AOC CA 03) around March 21-23 broke SmartScreen for all affected Trusted Signing customers. Files signed after the cutover trigger "Windows protected your PC" despite valid signatures.
Summary
Starting around March 21-23, 2026, Trusted Signing silently began issuing certificates from a new CA (Microsoft ID Verified CS AOC CA 03) instead of the previous one (Microsoft ID Verified CS EOC CA 02). This change broke SmartScreen reputation for signed files — installers signed under the new CA trigger "Windows protected your PC" warnings, while identical installers signed under the old CA do not.
TL;DR: Silent CA migration (EOC CA 02 → AOC CA 03) around March 21-23 broke SmartScreen for all affected Trusted Signing customers. Files signed after the cutover trigger "Windows protected your PC" despite valid signatures.
Summary Starting around March 21-23, 2026, Trusted Signing silently began issuing certificates from a new CA (Microsoft ID Verified CS AOC CA 03) instead of the previous one (Microsoft ID Verified CS EOC CA 02). This change broke SmartScreen reputation for signed files — installers signed under the new CA trigger "Windows protected your PC" warnings, while identical installers signed under the old CA do not.
Azure Signing - Reputation builds over time; initial warnings expected
OV certificate (from a CA such as DigiCert, Sectigo) - Same as Azure Artifact Signing — reputation builds over time.
EV certificate - Same as OV since 2024 — no longer instant bypass.