Microsoft Defender Misflags DigiCert Root Certificates as Malware


Key Takeaways

  • A faulty Microsoft Defender antimalware signature update released around April 30 2026 falsely flagged two DigiCert root certificates as the malware Trojan:Win32/Cerdigent.A!dha.
  • The false positive caused Defender to quarantine the certificates from the Windows trust store (HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates), breaking SSL/TLS validation and code‑signing for many enterprise systems.
  • Affected organizations experienced browser warnings, application failures, and disrupted HTTPS services, especially those relying on DigiCert‑signed software or endpoints.
  • Security researcher Florian Roth highlighted the issue publicly, sharing an Advanced Hunting query and a simple certutil command to detect the problem.
  • Microsoft swiftly issued a corrected definition update (version .430) that automatically restored the quarantined certificates on most managed endpoints.
  • Administrators with restricted update policies were advised to manually verify certificate presence and review Defender logs to confirm remediation.
  • The incident underscores the risks of automated remediation when signatures target core Windows components and stresses the need for rigorous quality‑control processes in security‑update pipelines.

False Positive Detection
On or around April 30 2026, Microsoft Defender’s antimalware engine received a signature update that introduced a new detection rule labeled Trojan:Win32/Cerdigent.A!dha. The rule was intended to catch malicious modifications to the Windows certificate store, but due to an error in the rule’s logic it matched legitimate registry entries belonging to two of the internet’s most trusted root certificates: DigiCert Assured ID Root CA (thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43) and DigiCert Trusted Root G4 (thumbprint DDFB16CD4931C973A2037D3FC83A4D7D775D05E4). Because these entries reside under the trusted‑root path HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, Defender classified them as high‑severity threats and initiated its standard quarantine workflow.


Impact on the Windows Trust Store
When Defender quarantines a registry key, it effectively removes the associated value from the operating system’s view, treating it as if it never existed. In this case, the quarantine action stripped the two DigiCert root certificates from the Windows trust store. Without these roots, any attempt by Windows to build a certification chain for an SSL/TLS connection or to verify an Authenticode signature would fail, as the chain could not be traced back to a trusted anchor. Consequently, systems began to treat legitimate HTTPS sites as untrusted, and code‑signed executables were flagged as unverified or blocked by SmartScreen, AppLocker, or similar controls.
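The chain-building failure described above can be reproduced deliberately without touching the machine's real trust store. The following PowerShell function is an added example, not code from the article, Microsoft, or DigiCert: it builds a chain for a certificate file under a custom root set, so an empty set stands in for a store from which the anchor was quarantined, and a set containing the root shows the same certificate validating. It assumes PowerShell 7 (the CustomRootTrust mode exists only in .NET Core 3.0 and later) and certificate file paths supplied by the caller; the paths in the usage comments are placeholders.

```powershell
# Added example (not from the article): demonstrate how X509 chain building reports
# failure when the root anchor is absent from the trust set and success when present.
# Assumes PowerShell 7 / .NET Core 3.0+ for X509ChainTrustMode.
using namespace System.Security.Cryptography.X509Certificates

function Test-ChainWithTrust {
    param(
        [Parameter(Mandatory)][string]$CertPath,          # leaf certificate (DER or PEM)
        [X509Certificate2[]]$TrustedRoots  = @(),         # empty = "anchor removed" scenario
        [X509Certificate2[]]$Intermediates = @(),         # supplied when AIA fetching is unavailable
        [switch]$UseSystemTrust                           # compare against the machine's real store
    )
    $cert  = [X509Certificate2]::new($CertPath)
    $chain = [X509Chain]::new()
    # Revocation is irrelevant to the trust-anchor question, so skip it to isolate the effect.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    foreach ($i in $Intermediates) { $null = $chain.ChainPolicy.ExtraStore.Add($i) }

    if (-not $UseSystemTrust) {
        # CustomRootTrust ignores the Windows stores entirely; only $TrustedRoots are anchors.
        $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
        foreach ($r in $TrustedRoots) { $null = $chain.ChainPolicy.CustomTrustStore.Add($r) }
    }

    $ok = $chain.Build($cert)
    $last = $chain.ChainElements.Count - 1
    [pscustomobject]@{
        Subject     = $cert.Subject
        Valid       = $ok
        ChainLength = $chain.ChainElements.Count
        TopOfChain  = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject } else { $null }
        # Flags such as UntrustedRoot or PartialChain are what users saw as browser warnings.
        Status      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (file paths are placeholders, not values from the article):
# $root = [X509Certificate2]::new('C:\certs\DigiCertTrustedRootG4.cer')
# Test-ChainWithTrust -CertPath 'C:\certs\leaf.cer' -UseSystemTrust        # whatever the machine trusts today
# Test-ChainWithTrust -CertPath 'C:\certs\leaf.cer'                        # no anchors: Valid = False, UntrustedRoot/PartialChain
# Test-ChainWithTrust -CertPath 'C:\certs\leaf.cer' -TrustedRoots $root    # anchor present: Valid = True
```

Running the second and third calls side by side on the same leaf certificate is the clearest way to show a help desk why a single missing root key turned every DigiCert-chained site and signed binary untrusted at once: nothing about the leaf changed, only the anchor the chain is walked back to.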


Operational Consequences for Enterprises
The downstream effects were immediate and widespread. Users reported browser security warnings (e.g., “Your connection is not private”) when accessing internal and external websites secured with DigiCert‑issued TLS certificates. Applications that relied on code‑signing for deployment—such as corporate‑wide software distribution systems, VPN clients, and critical business tools—failed to launch or were blocked by endpoint protection policies. Organizations that had standardized on DigiCert for internal PKI or for signing internal utilities were particularly vulnerable, as the loss of the root certificates broke both external internet trust and internal trust chains. Help‑desk tickets surged, and some enterprises experienced temporary service outages while administrators scrambled to diagnose the root cause.


Community Response and Early Detection
Cybersecurity researcher Florian Roth (@cyb3rops) was among the first to notice the anomaly. He posted details on X (formerly Twitter), noting that the certificate thumbprints matched the official values published by DigiCert, confirming that no actual compromise had occurred. To aid defenders, Roth shared an Advanced Hunting query for Microsoft Defender for Endpoint:

```kusto
DeviceRegistryEvents
| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc
```

He also recommended a quick manual check using the built‑in certutil tool:

certutil -store AuthRoot | findstr -i "digicert"

These resources allowed administrators to verify whether the DigiCert roots had been removed and to gauge the scope of the issue across their fleets.


Microsoft’s Acknowledgment and Remediation
Within hours of the initial reports, Microsoft’s Q&A forums filled with confirmation from administrators worldwide. The company acknowledged the false positive and released a corrected definition update, cited as version .430, which contained a revised signature that no longer matched the legitimate DigiCert registry entries. The update was designed to automatically restore the quarantined certificate keys on affected machines. Observations indicated that the restoration proceeded silently on managed endpoints that received the update automatically, while systems with stricter update policies required manual intervention to confirm the presence of the roots.


Guidance for Administrators
For environments where automatic definition updates are delayed or blocked, Microsoft advised the following steps:

  1. Verify Certificate Presence – Run certutil -store AuthRoot | findstr -i "digicert" on each endpoint; the output should list both DigiCert root thumbprints.
  2. Check Defender Logs – In Microsoft Defender for Endpoint, examine the Quarantine or Threat history for entries matching Trojan:Win32/Cerdigent.A!dha and confirm that the action status shows “Restored” or “Removed.”
  3. Force Definition Update – If possible, trigger a manual update via MPCmdRun -SignatureUpdate or through the appropriate management console (SCCM, Intune, etc.).
  4. Re‑quarantine Prevention – Temporarily exclude the specific registry paths from real‑time scanning if immediate update is not feasible, monitoring closely for any legitimate threats.
  5. Document and Communicate – Record the incident in change‑management logs and inform affected users that the warnings were false positives and have been resolved.
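Steps 1 and 2 above can be combined into one check that runs unattended on each endpoint. The script below is an added example, not Microsoft's guidance or code from the article: it verifies both DigiCert thumbprints in the certificate-store view and at the raw AuthRoot registry path the quarantine acted on, then pulls Defender's own record of the detection. The thumbprints, registry path, and detection name are the ones given in the article; the cmdlet property names (ThreatName, ThreatID, Resources, RemediationTime, ThreatStatusID) are those of the Defender PowerShell module as I understand it and should be confirmed against the module version in use.

```powershell
# Added example (not from the article or Microsoft): verify DigiCert root presence
# and list Defender's detections for the false-positive signature on this endpoint.
# Thumbprints, registry path and detection name are quoted from the article.
$ExpectedRoots = @{
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43' = 'DigiCert Assured ID Root CA'
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4' = 'DigiCert Trusted Root G4'
}
$AuthRootReg   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'

function Test-DigiCertRootPresence {
    # Check both views: the Cert: provider and the registry key the quarantine removed.
    # A mismatch between the two (present in one, absent in the other) is itself a finding.
    foreach ($thumb in $ExpectedRoots.Keys) {
        $inStore = Test-Path -LiteralPath "Cert:\LocalMachine\AuthRoot\$thumb"
        $inReg   = Test-Path -LiteralPath (Join-Path $AuthRootReg $thumb)
        [pscustomobject]@{
            Name        = $ExpectedRoots[$thumb]
            Thumbprint  = $thumb
            InCertStore = $inStore
            InRegistry  = $inReg
            Verdict     = if ($inStore -and $inReg) { 'present' } else { 'MISSING' }
        }
    }
}

function Get-CerdigentDetections {
    # Get-MpThreat carries the human-readable name; Get-MpThreatDetection carries the
    # timeline (detection time, remediation time, status). Join them on ThreatID.
    $threats = Get-MpThreat -ErrorAction SilentlyContinue |
               Where-Object ThreatName -eq $DetectionName
    if (-not $threats) { return }
    $ids = @($threats.ThreatID)
    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.ThreatID } |
        Select-Object ThreatID, InitialDetectionTime, RemediationTime, ActionSuccess,
                      ThreatStatusID, @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
}

$presence = Test-DigiCertRootPresence
$presence | Format-Table -AutoSize
Get-CerdigentDetections | Format-Table -AutoSize

# Non-zero exit lets a management console (Intune/SCCM compliance script) flag the device.
if ($presence.Verdict -contains 'MISSING') {
    Write-Warning 'At least one DigiCert root is absent; apply the corrected definitions (MpCmdRun -SignatureUpdate) and re-run.'
    exit 1
}
exit 0
```

Two caveats when reading the output. First, the AuthRoot store is populated on demand by Windows' automatic root update, so an endpoint that has never chained to one of these roots may legitimately lack it; "MISSING" is conclusive on machines where the root was present before the bad signature, or after they have connected to a site or validated a binary that chains to it. Second, ThreatStatusID is a numeric code; map it to "Quarantined"/"Restored" using Microsoft's documentation for the module rather than guessing from the number.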

Lessons Learned and Broader Implications
This episode highlights the double‑edged sword of automated threat remediation. Defender’s ability to quarantine suspicious registry changes is a valuable defense against malware that tampers with the trust store—a technique used to intercept TLS traffic or bypass signature validation. However, when the underlying detection logic is flawed, the same mechanism can precipitate significant operational disruption. The incident underscores several best practices for security vendors and enterprises alike:

  • Rigorous Signature Testing – New detections targeting core Windows components should undergo extensive testing against clean baseline systems before release.
  • Staged Rollouts – Deploying signature updates to a small pilot group first can catch false positives before they affect the entire fleet.
  • Clear Rollback/Restoration Procedures – Vendors must provide reliable, automated mechanisms to revert erroneous actions, as Microsoft did with the .430 update.
  • Visibility and Hunting Tools – Providing administrators with ready‑to‑use queries (like Roth’s) empowers rapid detection and validation of issues.
  • Communication Channels – Prompt acknowledgment and transparent guidance help maintain trust and reduce downtime during such events.

Conclusion
The Microsoft Defender false positive involving DigiCert root certificates serves as a stark reminder that even trusted security platforms can inadvertently impair the very infrastructure they aim to protect. By quarantining legitimate trust anchors, the update threatened SSL/TLS validation and code‑signing across countless enterprises. Rapid community reporting, effective hunting queries, and a swift corrective definition update mitigated the impact, but the incident also offers valuable lessons: signature updates must be vetted with special care when they intersect with foundational Windows components, and organizations should maintain robust verification and communication processes to respond swiftly when automated security tools misbehave. As threat landscapes evolve, balancing aggressive protection with operational reliability will remain a central challenge for defenders worldwide.
