SmartScreen warnings triggered after silent migration from EOC CA 02 to AOC CA 03 (and then to EOC CA 03)

TL;DR: Silent CA migration (EOC CA 02 → AOC CA 03) around March 21-23 broke SmartScreen for all affected Trusted Signing customers. Files signed after the cutover trigger "Windows protected your PC" despite valid signatures.

Summary
Starting around March 21-23, 2026, Trusted Signing silently began issuing certificates from a new CA (Microsoft ID Verified CS AOC CA 03) instead of the previous one (Microsoft ID Verified CS EOC CA 02). This change broke SmartScreen reputation for signed files — installers signed under the new CA trigger "Windows protected your PC" warnings, while identical installers signed under the old CA do not.

Impact
Any Trusted Signing customer whose certificates were migrated to AOC CA 03 will have their signed files trigger SmartScreen warnings, defeating the primary purpose of using Trusted Signing.

Evidence

Consecutive builds of the same product, same signing configuration:

17.0.0.5 — signed March 20, 2026 — NO SmartScreen warning:
  CA: Microsoft ID Verified CS EOC CA 02
  CA SHA1: 8BC0201379A2A31BA36EDD20223865C194A02174

17.0.0.6 — signed April 7, 2026 — SmartScreen warning triggered:
  CA: Microsoft ID Verified CS AOC CA 03
  CA SHA1: 06F826F5DDBB0A47AFC6BED6549B936461FFA7D0

Both files:
  • Publisher: [Same company]
  • Signing account: same account/profile/endpoint throughout
  • signtool verify /pa: passes with no errors or warnings on both
  • Zone.Identifier ZoneId=3 confirmed on affected file (downloaded via browser)
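The comparison above can be reproduced on any pair of builds with the following PowerShell script. It is an added example, not part of the original report or of the Trusted Signing SDK: it reads the Authenticode signer chain of each file, reports the thumbprint of the CA that issued the leaf certificate, matches it against the two CA SHA1 values quoted above (assumed here to be the CA certificates' thumbprints), and checks whether the file carries a Zone.Identifier stream with ZoneId=3. The file paths are placeholders.

```powershell
# Added example (not from the original report): report which CA issued the
# signing certificate of each file and whether the file has a Mark-of-the-Web.
# Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

# CA thumbprints quoted in the report; mapping to names is taken from the report.
$KnownCas = @{
    '8BC0201379A2A31BA36EDD20223865C194A02174' = 'Microsoft ID Verified CS EOC CA 02'
    '06F826F5DDBB0A47AFC6BED6549B936461FFA7D0' = 'Microsoft ID Verified CS AOC CA 03'
}

function Get-SignerIssuingCa {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Zone.Identifier ADS: ZoneId=3 marks the file as Internet-zone, which is
    # the condition under which SmartScreen evaluates it on first run.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hasMotw = [bool]($zone | Where-Object { $_ -match '^ZoneId=3' })

    $issuerLabel = $null
    $issuerThumb = $null
    if ($sig.SignerCertificate) {
        # Build the chain from the leaf so the issuing CA certificate can be read.
        # Trusted Signing leaf certs are short-lived, so ignore time validity and
        # skip online revocation checks; we only want the chain elements.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
        $null = $chain.Build($sig.SignerCertificate)

        # Element 0 is the leaf; element 1 is the CA that issued it.
        if ($chain.ChainElements.Count -gt 1) {
            $issuer = $chain.ChainElements[1].Certificate
            $issuerThumb = $issuer.Thumbprint
            $issuerLabel = if ($KnownCas.ContainsKey($issuerThumb)) {
                $KnownCas[$issuerThumb]
            } else {
                "unknown ($($issuer.Subject))"
            }
        }
    }

    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status
        IssuerCA         = $issuerLabel
        IssuerThumbprint = $issuerThumb
        HasMotW          = $hasMotw
    }
}

# Compare consecutive builds; paths below are assumed placeholders.
'C:\builds\Product-17.0.0.5.exe', 'C:\builds\Product-17.0.0.6.exe' |
    ForEach-Object { Get-SignerIssuingCa -Path $_ } |
    Format-Table -AutoSize
```

A file that reports a valid signature, HasMotW set, and an IssuerThumbprint of 06F826F5... matches the affected configuration described above; the same script run on the earlier build should show 8BC02013... with everything else unchanged, which isolates the CA as the only difference between the two.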

The CA change was entirely Microsoft-initiated
Azure Activity Log for the past month shows every single "Updates Certificate Profiles Creates" operation was initiated by Microsoft.CodeSigning — not by the account owner. There was no migration notice, no separate event, no customer action. The CA silently changed within normal automated daily rotation.
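Other customers can check the same thing in their own subscription. The following is an added example, not part of the original report: it uses the Az.Monitor module (an existing Connect-AzAccount session is assumed) to list Activity Log entries for Microsoft.CodeSigning resources over the past 30 days and show the caller of each operation. The resource group name is a placeholder.

```powershell
# Added example (not from the original report): list who initiated each
# operation on Microsoft.CodeSigning resources in the last 30 days.
# Requires the Az.Monitor module and an authenticated Az session.
$rg = 'rg-trusted-signing'   # assumed placeholder

Get-AzActivityLog -ResourceGroupName $rg -StartTime (Get-Date).AddDays(-30) |
    Where-Object { $_.ResourceId -like '*/providers/Microsoft.CodeSigning/*' } |
    Sort-Object EventTimestamp |
    Select-Object EventTimestamp, Caller, OperationName, Status |
    Format-Table -AutoSize
```

Entries whose Caller is the service rather than a user or service principal from the subscription are the service-initiated operations the report refers to; if none of the certificate profile updates in that window were initiated by an account owner, the CA change was not the result of customer action.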

Ruling out reputation as the cause
Both 17.0.0.5 and 17.0.0.6 are new file hashes with no meaningful download history. The difference cannot be explained by per-file reputation. The only variable is the CA.

Questions for the team

  1. Was the EOC → AOC CA migration intentional? If so, why were customers not notified?
  2. Is AOC CA 03 properly integrated with SmartScreen's trust infrastructure?
  3. Does the EOC → AOC change reflect a policy change in what Trusted Signing guarantees with respect to SmartScreen?
  4. What is the remediation path for affected customers?

Environment

  • Trusted Signing SDK version: 1.0.60
  • Endpoint: wus3.codesigning.azure.net
  • Subscription tier: Basic