TL;DR: Silent CA migration (EOC CA 02 → AOC CA 03) around March 21-23 broke SmartScreen for all affected Trusted Signing customers. Files signed after the cutover trigger "Windows protected your PC" despite valid signatures.

Summary Starting around March 21-23, 2026, Trusted Signing silently began issuing certificates from a new CA (Microsoft ID Verified CS AOC CA 03) instead of the previous one (Microsoft ID Verified CS EOC CA 02). This change broke SmartScreen reputation for signed files — installers signed under the new CA trigger "Windows protected your PC" warnings, while identical installers signed under the old CA do not.