Tags: windows, windows-installer, code-signing, signtool, dsa

The signed MSI package isn't liked by Windows


I have prepared my MSI package using Advanced Installer and then signed it using SignTool:

signtool sign /debug /f "cert.pfx" /fd SHA256 /p "<pass>" /t http://timestamp.comodoca.com/authenticode "<file.msi>"

But when another user downloads the signed MSI via a web browser and tries to install it, the following message appears:

[Screenshot of the warning dialog; image not available]

My MSI has the following attributes:

  • a digital signature, generated with a paid/commercial certificate (Comodo)
  • a timestamp
  • SHA-256 was used instead of SHA-1, because the latter is insecure in the latest Windows

So the main question is:

Why doesn't Windows recognize my signed MSI as well known, if I have signed it with a commercial code-signing certificate?

PS

If you're interested in which version of Windows is used, the answer is the latest Windows 10. About the last option in the list, there is an interesting link; I shall quote some text from it:

Effective January 1, 2016, Windows (version 7 and higher) and Windows Server will no longer trust new code that is signed with a SHA-1 code signing certificate for Mark-of-the-Web related scenarios (e.g. files containing a digital signature) and that has been time-stamped with a value greater than January 1, 2016. This cut-off date applies to the code-signing certificate itself.


Solution

  • SmartScreen Protection can show the above message when you try to run a newly released program or an application that has not yet established a reputation.

    Reputation is established by SmartScreen® service intelligence algorithms based on how an application is used by Windows and Internet Explorer users.

    For details, check the "passing the smart screen on Win8 when install a signed application?" thread, which discusses this subject.
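The question lists three properties of the package (commercial signature, timestamp, SHA-256 instead of SHA-1), and the answer's point is that a valid signature is separate from SmartScreen reputation. The following PowerShell function, added here and not part of the question or answer, reports those signature properties for an MSI so you can confirm what Windows actually sees; the file path is a placeholder.

```powershell
# Added example: inspect the Authenticode signature on a package and report the
# properties discussed above. A Status of "Valid" only means the signature and
# certificate chain check out; it does not mean the file has SmartScreen reputation.
function Get-MsiSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # The signing certificate's own signature algorithm (e.g. sha256RSA vs sha1RSA)
    # is what the quoted Microsoft SHA-1 cut-off refers to ("applies to the
    # code-signing certificate itself").
    $certAlg = $null
    if ($sig.SignerCertificate) {
        $certAlg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    }

    [pscustomobject]@{
        Path               = $Path
        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Status             = $sig.Status
        StatusMessage      = $sig.StatusMessage
        SignerSubject      = $sig.SignerCertificate.Subject
        SignerIssuer       = $sig.SignerCertificate.Issuer
        CertSigAlgorithm   = $certAlg
        CertValidUntil     = $sig.SignerCertificate.NotAfter
        # A timestamp is present only if /t or /tr was used when signing; without
        # one the signature stops validating once the certificate expires.
        Timestamped        = [bool]$sig.TimeStamperCertificate
        TimestampAuthority = $sig.TimeStamperCertificate.Subject
        # Flag the one condition from the quoted notice that is checkable here.
        Sha1Certificate    = ($certAlg -like 'sha1*')
    }
}

# Placeholder path; replace with the real package.
Get-MsiSignatureReport -Path 'C:\path\to\file.msi' | Format-List
```

If the report shows Status Valid, a SHA-256 certificate and a timestamp, the warning in the question is not a signature problem, which matches the answer: the remaining factor is the reputation the package has not yet built.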