Microsoft SmartScreen and OV Certificates

I recently began code-signing with a new OV (Organization Validation) code-signing certificate as described here: Link

I’m finding that my EXE download is now triggering the Microsoft SmartScreen warning:

3 weeks ago (September 23rd) I reported the file as safe using this option:

48 hours later, Microsoft emailed to confirm, saying:

If the block persists 24 hours after submission, please reply to this confirmation email to let us know the issue is not remediated. Please provide any additional details that may be relevant. This will help expedite further investigation and resolution.

48 hours after that, I emailed back saying the block was still in place.

It’s now about 20 days later, and the block is still in place. I emailed back again.

I’m sure I’m losing business over this, and it sounds like I’m not alone: Link

It took a lot of $money and time to get this stupid dongle-based code-signing working. Do I have any recourse other than moving to Azure signing?

You could get an EV certificate, but that’s a lot more $money

1 Like

The trouble is the file is not blocked. Their response says “if the block persists 24 hours after submission” but it isn’t blocked. The certificate doesn’t have reputation, that’s the issue. Essentially, Microsoft did nothing. It wasn’t already in their blacklist, so nothing changed.

As I mentioned in the other thread, I’m pretty confident Microsoft changed the SmartScreen criteria sometime in the last 3 years. My previous certificate built up its reputation in 3 hours. My latest never reached that point. Maybe it’s a scheme to sell more EV certificates, but this change makes OV certificates effectively useless.

Unfortunately you have no remedy. Nothing was guaranteed to you about this process, so you have no recourse to get back the money spent on your OV certificate. Maybe you could convince the issuer to put those funds towards an EV certificate, but an EV certificate is pretty much the only solution in 2025.

2 Likes

That’s my guess, but then again: what’s to say Microsoft won’t simply change their mind and start treating EV certificates the same as OV? Call me paranoid, but…

I’m wondering if the jump to Azure Trusted Signing is a safer bet?

At this point it is the far more cost effective bet as well. When my EV expires I will be moving to Trusted Signing if it and strawberry both still exist.

1 Like

Do we know if the trust is developed based on the name of the install EXE, the UUID of the installer, the name of the installed app, or… ?

I’ve had 3 similar reports this week, and although I have been able to ‘dial in’ and sort it for some nervous people, that’s not what I want to be doing going forward.

It’s supposed to be built on the certificate.

Makes sense. My last one was in place for 3 years.

Now I have a Yubikey and a new certificate. :frowning: What a pain in the donkey

Update: the problem is still happening: apps signed with my new OV certificate and online for over 7 weeks are still triggering the SmartScreen block.

1 Like

Yep, that lines up with my findings.

1 Like

So OV is the new unsigned app, but expensive. :confused:

2 Likes