How to avoid the "Windows Defender SmartScreen prevented an unrecognized app from starting" warning

Written by Alex Marin · January 20th, 2023 · 6min read

As a vendor, you may often receive user complaints about the "Windows Defender SmartScreen prevented an unrecognized app from starting" warning, which users see whenever they download your installer.

This commonly happens if you host your application's download kit on a website (as most vendors do), and it leads to recurring tickets in which users complain about SmartScreen.

The warning doesn't prevent users from installing your software, but it could make them think it's not safe to do so.

In this article, we’ll show you how to prevent SmartScreen from appearing.

Can your software still be installed if the SmartScreen warning appears?

Yes! As mentioned above, SmartScreen does not fully block your installation, and it gives you the option to continue with the installation if you click on “More info”.

However, your users may stop running your installer when they see "Running this app might put your PC at risk".

Microsoft Defender SmartScreen Warning

Even though they got this warning message, they are still able to install your software. Here’s a quick workaround:

  1. Right-click the installer
  2. Select “Properties”
  3. Check “Unblock”
  4. Click “OK”.

With this option, the user will also be able to install the software, but it won't go as smoothly as we'd like.

Unblock MSI

Important: If you are dealing with this scenario across your infrastructure, keep in mind that unblocking the executable on one device does not apply to the whole infrastructure, and there is no option to whitelist the installation using Group Policies.
It is possible that, with time and many "unblocks" by users, SmartScreen gathers the data and considers the installer safe, but it is uncertain when or whether this will happen.

Even though users can continue to install the software successfully, we want to try and avoid this warning message.

How can you prevent SmartScreen?

Users have no way to influence which apps SmartScreen flags. As a developer, however, there are some steps you can take to prevent SmartScreen from appearing to your users.

SmartScreen shows up because your application does not have enough reputation with Microsoft SmartScreen yet.

To build trust and gain that reputation, start by:

  • Submitting your application to Microsoft for malware analysis
  • Purchasing an EV code signing certificate
  • Purchasing a standard code signing certificate
  • Waiting for SmartScreen to detect that your installer does not represent a threat

Submit the application for malware analysis to Microsoft

Microsoft lets any developer submit a file for malware analysis. If your installer and application have been validated successfully, then the SmartScreen warning will disappear either in a short time or instantly.

SmartScreen gets all of its information from the Cloud, so to submit a request for app review you need to have a Microsoft account.

Note: For each release of a new version of your app, you need to request a new review from Microsoft.

Purchase an EV code signing certificate

If you don't want to go through the Microsoft validation, a safe and guaranteed method to immediately and permanently get verified with SmartScreen is to buy an EV (Extended Validation) certificate. Microsoft has a list of approved certificate authorities which you can check out.

You can also easily sign your installers with Advanced Installer. Check out our complete guide on digital signing here.

An EV certificate costs between $250 and $700 per year, but it is only issued to registered businesses. If you are an independent developer, the only way to get an EV is to have an active business license. Find more information on EV Code Signing Certificate Guidelines here.

Purchase a standard code signing certificate

If you are an independent developer and don't own an active business license, then you should go for a standard code signing certificate.

Standard code signing certificates are cheaper, costing between $100 and $500/year, and they can be used permanently on your installers.

However, when it comes to avoiding SmartScreen, this option is not instant, as it is with EV certificates; it will take some time until Microsoft takes action.

Once your standard code signing certificate has built up a reputation, the SmartScreen warning goes away.

Note: Unfortunately, Microsoft doesn't have a published, specific timeline for approval of a standard code signing certificate. Unofficial numbers report somewhere between two and eight weeks.

An additional issue to consider is when your current standard code signing certificate expires and you apply for a new one. In this case, the certificate reputation will NOT automatically carry over to the new certificate. The new certificate will need to build trust with SmartScreen just as the previous one did.

To "bypass" this inconvenience, you can take a previously released installer that is already signed with the trusted certificate and sign it again with the new, renewed certificate.

This means your installer will have two signatures. The original signature will continue to have trust with SmartScreen and bypass it, and the new signature will help the new certificate build up trust with Microsoft.

Tip: My suggestion is to start this exercise before your old certificate expires, so that your new certificate becomes trusted before the old one runs out.

Important: It is also important to timestamp your signed installers. This will allow the signed installer to remain valid after the certificate itself has expired.
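
The re-signing and timestamping steps above, as an added PowerShell example that is not Advanced Installer's own code. It assumes signtool.exe from the Windows SDK is on PATH, the renewed certificate is in the current user's certificate store, and the timestamp URL is a placeholder for your CA's RFC 3161 server. Appending with /as applies to PE files such as an EXE installer; an MSI file carries only one signature.

```powershell
# Added example: append a signature from a renewed certificate to an installer
# that is already signed with the old, trusted certificate.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,      # previously released, signed EXE
    [Parameter(Mandatory)] [string] $NewCertThumbprint,  # thumbprint of the renewed certificate
    [string] $TimestampUrl = 'http://timestamp.example.com'  # placeholder, use your CA's URL
)

$ErrorActionPreference = 'Stop'

# 1. Only build on a signature that is valid and timestamped.
$existing = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($existing.Status -ne 'Valid') {
    throw "Existing signature status is '$($existing.Status)'; nothing trusted to build on."
}
if (-not $existing.TimeStamperCertificate) {
    throw 'Existing signature has no timestamp; it stops validating when its certificate expires.'
}
if ($existing.SignerCertificate.Thumbprint -eq $NewCertThumbprint) {
    throw 'File is already signed with the new certificate.'
}

# 2. Work on a copy so the released binary stays untouched if signing fails.
$ext    = [IO.Path]::GetExtension($InstallerPath)
$signed = [IO.Path]::ChangeExtension($InstallerPath, ".dualsigned$ext")
Copy-Item -Path $InstallerPath -Destination $signed -Force

# 3. /as appends instead of replacing the old signature;
#    /tr and /td request an RFC 3161 timestamp with a SHA-256 digest.
& signtool.exe sign /as /fd SHA256 /sha1 $NewCertThumbprint /tr $TimestampUrl /td SHA256 $signed
if ($LASTEXITCODE -ne 0) {
    Remove-Item -Path $signed
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# 4. /all checks every signature in the file; /pa uses the default Authenticode policy.
& signtool.exe verify /pa /all /v $signed
if ($LASTEXITCODE -ne 0) {
    Remove-Item -Path $signed
    throw "signtool verify failed with exit code $LASTEXITCODE"
}

Write-Output "Dual-signed copy written to $signed"
```

The verbose verify output lists each signature with its signer and timestamp, so you can confirm that both the old and the renewed certificate are present before publishing the file.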

Wait for SmartScreen to detect that your installer does not present a threat

If your installer and application are safe, you can always choose to take no further action. Eventually, your application will gain enough trust that SmartScreen will be bypassed.

However, this can take months to achieve or thousands of downloads of your application. Also, keep in mind that if you update your application, the same amount of time or number of downloads will need to take place again.

For this reason, this is probably not the best solution to take.

Use Trusted Signing

Trusted Signing is a fully managed end-to-end signing solution that simplifies the certificate signing process for developers. It's backed by a Microsoft-managed certification authority. This service supports both public and private trust signing scenarios and includes a timestamping feature. With Trusted Signing, users can enjoy a productive, performant, and delightful experience on Windows, benefiting from modern security protection features like Smart App Control and SmartScreen.

So if you don’t want to use the traditional methods of signing your package, you can always have a look at Trusted Signing. One benefit of Trusted Signing is that the reputation for your signing will remain intact. With EV certificates, each time you renew your certificate, you need to go through the process of regaining reputation again, which might be a pain for some developers.

Trusted Signing will also get rid of your SmartScreen prompt even if there is no EV certificate present.

Advanced Installer was the first third-party tool to integrate Trusted Signing, which makes it much simpler for developers and IT professionals to sign their packages using Trusted Signing. We also have some articles on the Trusted Signing topic, so please have a look at them here and here.

Conclusion

As you can see, there are a few options to bypass the SmartScreen warning.

It is entirely up to you which strategy you choose, as long as you don’t leave the SmartScreen issue unsolved. This decision will have a major influence on the trust of your current and prospective users.

Written by
Alex Marin

Application Packaging and SCCM Deployments specialist, solutions finder, Technical Writer at Advanced Installer.