TL;DR: Silent CA migration (EOC CA 02 → AOC CA 03) around March 21-23 broke SmartScreen for all affected Trusted Signing customers. Files signed after the cutover trigger "Windows protected your PC" despite valid signatures.

Summary Starting around March 21-23, 2026, Trusted Signing silently began issuing certificates from a new CA (Microsoft ID Verified CS AOC CA 03) instead of the previous one (Microsoft ID Verified CS EOC CA 02). This change broke SmartScreen reputation for signed files — installers signed under the new CA trigger "Windows protected your PC" warnings, while identical installers signed under the old CA do not.

Azure Signing - Reputation builds over time; initial warnings expected

OV certificate (from a CA such as DigiCert, Sectigo) - Same as Azure Artifact Signing — reputation builds over time.

EV certificate - Same as OV since 2024 — no longer instant bypass.