Microsoft Defender recently caused a stir when a faulty update flagged two legitimate DigiCert root certificates as malware. This glitch disrupted SSL/TLS validation and code-signing operations for organizations globally.
Around April 30, 2026, a Defender update incorrectly identified the registry entries for DigiCert Assured ID Root CA and DigiCert Trusted Root G4 as high-severity threats, under the label Trojan:Win32/Cerdigent.A!dha. These certificates are essential for maintaining secure connections on the internet.
When Defender flagged these certificates, it automatically quarantined them. That meant systems could struggle to validate secure connections, leading to browser warnings and potential application failures. Organizations that rely on DigiCert-signed software faced increased risks.
Cybersecurity expert Florian Roth was quick to sound the alarm on social media. He shared tips for administrators to check if the certificates had been restored on their devices. His advice included using specific command-line checks to verify the presence of the DigiCert certificates.
Reports flooded in on Microsoft’s forums, with users confirming that the flagged certificates matched official values from DigiCert. That ruled out any actual compromise.
Microsoft acted swiftly, releasing updates to correct the issue, specifically version .430, which helped restore the quarantined certificates. Observers noted that the restoration seemed to roll out automatically across managed devices, indicating a silent fix alongside the update.
However, this incident highlights a critical point: automated threat remediation can be a double-edged sword. While it protects against tampering, it can also lead to significant operational disruptions when it malfunctions.
This situation serves as a reminder of the importance of quality control in security systems, especially regarding foundational elements like root certificate stores. To maintain trust and reliability, cybersecurity solutions must ensure their updates are meticulously vetted.
For additional details on this incident, you can check out Microsoft’s official acknowledgment here.
