Microsoft Defender Incorrectly Detects DigiCert Root Certificates as Malware

Microsoft Defender recently caused widespread concern after incorrectly flagging trusted DigiCert root certificates as malware, leading to disruptions across enterprise environments.

Around April 30, 2026, Microsoft Defender released a security intelligence update that introduced a detection labeled Trojan:Win32/Cerdigent.A!dha.

This detection mistakenly identified two legitimate DigiCert root certificates as malicious:

  • DigiCert Assured ID Root CA
  • DigiCert Trusted Root G4

These certificates are critical components of the global trust infrastructure and are stored in the Windows registry under:
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

Because of the false detection, Microsoft Defender automatically quarantined these registry entries, treating them as high-severity threats.

Impact on Enterprise Systems

The removal of these root certificates created significant operational risks. Root certificates are essential for verifying secure communications and trusted software.

Without them:

  • SSL/TLS connections could fail, causing websites to appear untrusted
  • Browsers might display security warnings
  • Digitally signed applications could fail validation
  • Enterprise services relying on HTTPS could break

Organizations using DigiCert-signed certificates or software were particularly affected, as systems could no longer verify authenticity.

Cybersecurity researcher Florian Roth was among the first to highlight the issue publicly. He shared detection queries and validation steps to help administrators assess affected systems.

// Advanced Hunting table for registry events (table name supplied here; the article shows only the pipeline)
DeviceRegistryEvents
| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc

One method involved using Microsoft Defender Advanced Hunting logs to check registry activity. Another quick verification step was running:

certutil -store AuthRoot | findstr -i "digicert"

This command allowed administrators to confirm whether the DigiCert certificates were still present in the system’s trust store.

Reports quickly flooded Microsoft forums, with administrators confirming that the certificate thumbprints matched official DigiCert values, proving there was no actual compromise.

Microsoft acknowledged the issue and responded by releasing corrected security intelligence updates. Version 1.430 was identified as a key update that resolved the false detection.

In many environments, the fix automatically restored the quarantined certificates. This suggests Microsoft deployed a silent remediation mechanism alongside the updated signatures.

However, in restricted or manually managed environments, administrators were advised to:

  • Verify certificate restoration using certutil
  • Review Microsoft Defender logs for registry changes
  • Ensure systems received the latest security intelligence updates
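The three checks in the list above can be scripted. The following PowerShell is an added example written for this article, not code from Microsoft, DigiCert or the researcher quoted; it looks up the two DigiCert roots by subject name in the machine AuthRoot and Root stores, checks for the matching registry entry under the AuthRoot\Certificates key, compares thumbprints against values the administrator supplies, and reports the installed Defender signature version and any Cerdigent detections on record. The expected thumbprints are placeholders (the article does not list them); fill them in from DigiCert's published root list. The function names are the example's own.

```powershell
# Added example (not from the article, Microsoft or DigiCert): verify the DigiCert roots
# named in the article are present and intact, and check Defender's remediation state.
# Run in an elevated PowerShell session on the affected endpoint.

# Expected thumbprints are PLACEHOLDERS: replace with the values DigiCert publishes.
$ExpectedRoots = @{
    'DigiCert Assured ID Root CA' = '<THUMBPRINT_FROM_DIGICERT_ROOT_LIST>'
    'DigiCert Trusted Root G4'    = '<THUMBPRINT_FROM_DIGICERT_ROOT_LIST>'
}

# Registry location the article names; entries are keyed by certificate thumbprint.
$RegistryBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

function Test-DigiCertRoots {
    foreach ($name in $ExpectedRoots.Keys) {
        # Search the AuthRoot store (the one quarantined) and the general Root store.
        $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot, Cert:\LocalMachine\Root -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -like "*CN=$name*" } |
                Select-Object -First 1

        $expected = $ExpectedRoots[$name]
        $status = if (-not $cert) {
            'MISSING'
        } elseif ($expected -like '<*>') {
            'PRESENT (thumbprint not verified; fill in expected value)'
        } elseif ($cert.Thumbprint -eq $expected) {
            'PRESENT, thumbprint matches'
        } else {
            'PRESENT, THUMBPRINT MISMATCH'
        }

        # The registry key the article says Defender quarantined, if we know the thumbprint.
        $regKey = if ($cert) { Join-Path $RegistryBase $cert.Thumbprint } else { $null }

        [pscustomobject]@{
            Certificate   = $name
            Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
            Status        = $status
            RegistryEntry = if ($regKey -and (Test-Path $regKey)) { 'present' } else { 'absent' }
        }
    }
}

function Get-CerdigentStatus {
    # Defender PowerShell module cmdlets (available on Windows 10/11 and Server with Defender).
    $status  = Get-MpComputerStatus
    $threats = Get-MpThreat -ErrorAction SilentlyContinue |
               Where-Object { $_.ThreatName -like '*Cerdigent*' }

    [pscustomobject]@{
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        # The article identifies 1.430 as the corrected intelligence update.
        AtOrAbove1_430       = [version]$status.AntivirusSignatureVersion -ge [version]'1.430'
        CerdigentDetections  = @($threats).Count
    }
}

Test-DigiCertRoots  | Format-Table -AutoSize
Get-CerdigentStatus | Format-List
```

A row reading MISSING, or a registry entry reported absent while the certificate shows in the store, means the quarantine has not been reverted on that host; if AtOrAbove1_430 is false, run Update-MpSignature and re-check before restoring anything by hand. A THUMBPRINT MISMATCH is worth escalating rather than fixing in place, since it indicates the installed root differs from the published one.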

Lessons from the Incident

This incident highlights the risks associated with automated threat detection and remediation. While such systems are designed to protect against attacks such as malware tampering with certificate stores, they can also introduce disruption when errors occur.

The false positive involving DigiCert certificates underscores the importance of rigorous testing for security updates, especially when detections involve critical system components like the Windows root trust store.

It also serves as a reminder for organizations to maintain visibility into endpoint security actions and to validate unexpected changes, even when they originate from trusted security tools.


The post Microsoft Defender Incorrectly Detects DigiCert Root Certificates as Malware appeared first on Cyber Security News.
