Code Signing Certificate Blocking Software Deployment — SmartScreen or Endpoint AV
Signed executables, scripts, or packages are blocked by Windows SmartScreen, endpoint AV, or AppLocker because the code signing certificate is expired, revoked, missing from the trusted root store, or the certificate chain is incomplete. Affects SCCM/Intune software deployment and PowerShell execution policy enforcement.
Indicators
- SmartScreen: 'Windows protected your PC — unrecognized app' even for internally signed software
- PowerShell: 'The file is not digitally signed. You cannot run this script on the current system' (AllSigned policy)
- SCCM/Intune deployment fails: 'The software change returned error code 0x800B0101' (CERT_E_EXPIRED)
- sigcheck.exe shows 'Expired' or 'Untrusted root' on signed binary
- AppLocker event ID 8004: 'Signing certificate issuer is not trusted'
Likely causes
- Code signing certificate expired — signature timestamp matters for previously signed binaries
- Missing intermediate CA certificate in the signing chain
- Certificate revoked by issuing CA (check CRL/OCSP)
- Signing performed without a trusted timestamp — binary valid only during cert validity period
- SmartScreen reputation not yet built for newly issued OV/EV certificate
Diagnostic steps
- Check signature: sigcheck.exe -a -v <file.exe> (Sysinternals) or Get-AuthenticodeSignature <file> | Select-Object * (PowerShell) — check Status, SignerCertificate.NotAfter, TimestamperCertificate
- Verify the timestamp: Get-AuthenticodeSignature <file> | Select TimestamperCertificate — a countersignature timestamp from a trusted TSA keeps the signature valid even after the signing cert expires
- Check cert chain: certutil -verify -urlfetch <signingcert.cer> — walks the chain, checks revocation, downloads intermediates; look for a missing or untrusted intermediate CA
- If internal CA: ensure the issuing CA certificate is in the enterprise Trusted Root / Intermediate CA stores via GPO (Computer Config > Windows Settings > Security Settings > Public Key Policies)
- For SmartScreen issues: EV certificates bypass the SmartScreen reputation check immediately; OV certs build reputation over download count — check with VirusTotal and submit for analysis
- Re-sign if cert expired and no timestamp: obtain a new code signing cert, re-sign binaries with an RFC3161 timestamp: signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a <file.exe>
Resolution path
- If cert expired with timestamp: binaries signed before expiry remain valid — re-sign new builds with a new certificate
- If cert expired without timestamp: must re-sign ALL affected binaries with new cert + RFC3161 timestamp
- Fix chain: deploy intermediate CA cert via GPO to all machines that need to trust the signer
- For internal signed scripts: add cert to trusted publishers store via GPO rather than changing PowerShell execution policy
- For SmartScreen: use EV code signing cert for immediate reputation; submit binary hashes to Microsoft Defender through the submission portal
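The diagnostic steps and the resolution path above, folded into one triage function as an added example (not from the original page): it wraps Get-AuthenticodeSignature, walks the signer chain with X509Chain, and maps the outcome to the cases listed above. Get-SigningTriage and its parameter are this example's own names; revocation checking is left to certutil -verify -urlfetch as the steps describe.

```powershell
# Added example: classify a signed file into the expiry / timestamp / chain cases above.
# Function and parameter names are this example's own; the path is whatever you pass in.
function Get-SigningTriage {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File        = $Path
        Status      = $sig.Status                 # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
        StatusText  = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        NotAfter    = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
        Timestamper = $sig.TimeStamperCertificate.Subject
        ChainStatus = @()
        Advice      = ''
    }

    if (-not $sig.SignerCertificate) {
        $result.Advice = "No signer certificate ($($sig.Status)): sign the file and timestamp it"
        return [pscustomobject]$result
    }

    # Walk the chain from the local stores only (no URL fetch) so a missing intermediate or an
    # untrusted root shows up as a flag. Expiry is judged separately below, together with the
    # timestamp; revocation is deliberately left to certutil -verify -urlfetch.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    $null = $chain.Build($sig.SignerCertificate)
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $expired     = $sig.SignerCertificate.NotAfter -lt (Get-Date)
    $chainBroken = ($result.ChainStatus -contains 'PartialChain') -or ($result.ChainStatus -contains 'UntrustedRoot')

    $result.Advice = if ($chainBroken) {
        'Chain incomplete or root untrusted: deploy the intermediate / root CA cert via GPO'
    } elseif ($expired -and $result.Timestamped) {
        'Cert expired but signature is timestamped: existing binaries stay valid; sign new builds with a new cert'
    } elseif ($expired) {
        'Cert expired and no timestamp: re-sign with a new cert plus an RFC3161 timestamp (signtool /tr ... /td sha256)'
    } elseif ($sig.Status -ne 'Valid') {
        "Signature status $($sig.Status): check revocation with certutil -verify -urlfetch"
    } else {
        'Signature valid: if still blocked, look at SmartScreen reputation or AppLocker publisher rules'
    }
    [pscustomobject]$result
}

# Usage: Get-SigningTriage -Path 'C:\Deploy\installer.exe' | Format-List
```

Run it against the blocked binary on an affected machine, since the chain walk uses that machine's certificate stores and therefore reproduces what SmartScreen, AppLocker and the PowerShell host see there.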
Prevention
- Always timestamp code signatures with a trusted RFC3161 TSA — this is free and protects against cert expiry invalidating old builds
- Monitor code signing cert expiry 90 days out and plan re-signing of critical binaries
- Store private key in HSM or Azure Key Vault — never on a developer workstation
Tools
- Sysinternals sigcheck.exe -a -v
- Get-AuthenticodeSignature (PowerShell)
- certutil -verify -urlfetch
- signtool.exe (Windows SDK)
- Windows Event Viewer — AppLocker, Code Integrity logs