Defender yanks root certs as Windows updates block backups

In a week marked by uncertainty, Microsoft found itself at the center of user speculation following an update to its Defender anti-malware tool for Windows. The recent version 1.449.425.0 update resulted in the removal of two top-level (root) digital certificates from DigiCert, raising questions about the rationale behind this decision.

False Positives and Speculations

Upon the update, Defender flagged the DigiCert certificates as “severe,” categorizing them under the ominous label of Trojan:Win32/Cerdigent.A!dha. This led to widespread alarm among users, who feared their systems had fallen victim to malware. However, further investigation revealed this was a false positive, leaving the existence of the so-called “Cerdigent” malware in question—whether it is a genuine threat or merely a name generated by automated systems remains unclear.

For those affected, the remedy is straightforward: updating Defender to version 1.449.430.0 or later reinstates the DigiCert certificates. Despite this resolution, Microsoft has yet to provide clarity on the underlying cause of the issue. Cybersecurity experts have speculated that the incident may be linked to a DigiCert employee who encountered malware disguised as a customer screenshot within a ZIP archive, potentially allowing a threat actor to compromise initialization codes.
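The check below is an added example, not part of the article and not Microsoft's own tooling. It reads the Defender signature version with the standard Defender PowerShell cmdlets, compares it against the two builds the article names (1.449.425.0 removed the roots, 1.449.430.0 restores them), lists whatever DigiCert roots are currently in the machine trust store, and pulls any detection history for the false-positive name. Because the article does not identify the two roots, the store query is a plain subject substring match, which is an assumption on my part.

```powershell
# Added example (not from the article): confirm a host is past the Defender
# signature build that removed the DigiCert root certificates.
# Assumptions: Windows with Defender and its PowerShell module; the affected
# build is 1.449.425.0 and the fix ships in 1.449.430.0 or later, as the
# article states; the roots are matched on a "DigiCert" subject substring
# because the article does not name them.

$BadVersion   = [version]'1.449.425.0'
$FixedVersion = [version]'1.449.430.0'

$status     = Get-MpComputerStatus
$sigVersion = [version]$status.AntivirusSignatureVersion

if ($sigVersion -eq $BadVersion) {
    Write-Warning "Signature $sigVersion is the build that removed the DigiCert roots; run Update-MpSignature."
} elseif ($sigVersion -lt $FixedVersion) {
    Write-Warning "Signature $sigVersion predates the fix ($FixedVersion); update before trusting the root store."
} else {
    Write-Host "Signature $sigVersion is at or past the fixed build ($FixedVersion)."
}

# DigiCert roots currently present in the machine-wide trusted root store.
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DigiCert*' } |
    Select-Object Subject, Thumbprint, NotAfter

if (-not $roots) {
    Write-Warning 'No DigiCert root certificates found in Cert:\LocalMachine\Root.'
} else {
    $roots | Format-Table -AutoSize
}

# Detection history for the false-positive name, so an admin can see what
# was flagged and when (Get-MpThreat exposes ThreatName; Get-MpThreatDetection
# carries the per-resource timestamps).
$threats = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }
foreach ($t in $threats) {
    Get-MpThreatDetection |
        Where-Object { $_.ThreatID -eq $t.ThreatID } |
        Select-Object @{n='ThreatName';e={ $t.ThreatName }}, InitialDetectionTime, Resources
}
```

Run it in an elevated PowerShell session after `Update-MpSignature` has completed; if the signature version is already past 1.449.430.0 but the root listing is still empty, the store itself needs attention rather than the Defender definitions.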

This incident, which transpired over two weeks ago, involved codes used for 60 code-signing certificates, some of which were associated with malware like the Zhong Stealer remote access tool. Notably, the two DigiCert root certificates in question were not implicated in the malware incident.

Backup Troubles and Kernel Driver Issues

Compounding the challenges for Windows users, the recent Defender update is not the only source of frustration. Windows updates released on or after April 14 have caused certain third-party backup applications to malfunction when attempting to mount or manage disk images. Microsoft attributed these issues to the addition of vulnerable versions of the psmounterex.sys kernel driver to a blocklist.

Users and IT administrators have reported not only difficulties mounting backup image files as virtual drives but also timeouts when browsing or restoring from these files. Microsoft referenced a 2023 advisory regarding a vulnerability rated 9.3 out of 10 in the Macrium Reflect 8 application’s psmounterex.sys kernel driver, which security vendor Northwave warned could lead to a “complete loss of integrity of the system.”

Other software impacted by this backup dilemma includes Acronis Cyber Protect Cloud and UrBackup server. The IT operations platform NinjaOne flagged the update KB5083769 as problematic, advising caution and holding the patch for its customers.
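The triage script below is an added example and is not from the article, Microsoft or any of the backup vendors. It answers the questions an administrator would ask before deciding whether to hold KB5083769: is the update installed, is psmounterex.sys present and which vendor build is it, is a kernel service registered for it, and is the vulnerable-driver blocklist toggle set. The driver path under System32\drivers and the registry value name for the blocklist toggle are assumptions; the article names neither.

```powershell
# Added example (not from the article or Microsoft): triage a backup host for
# the psmounterex.sys kernel-driver block.
# Assumptions: the update is KB5083769 as named in the article; the driver is
# installed under System32\drivers (assumed, typical for kernel drivers); the
# blocklist toggle lives at HKLM\SYSTEM\CurrentControlSet\Control\CI\Config as
# VulnerableDriverBlocklistEnable (assumed; may be absent on older builds).

$Kb     = 'KB5083769'
$Driver = 'psmounterex.sys'
$Path   = Join-Path $env:SystemRoot "System32\drivers\$Driver"

# 1. Is the update that introduced the block installed?
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($hotfix) { Write-Host "$Kb installed on $($hotfix.InstalledOn)" }
else         { Write-Host "$Kb not installed" }

# 2. Is the driver on disk, and which file version / signer does it carry?
if (Test-Path $Path) {
    $vi  = (Get-Item $Path).VersionInfo
    $sig = Get-AuthenticodeSignature $Path
    Write-Host "$Driver present: file version $($vi.FileVersion), product $($vi.ProductName)"
    Write-Host "Signer: $($sig.SignerCertificate.Subject) (status: $($sig.Status))"
} else {
    Write-Host "$Driver not found at $Path"
}

# 3. Is a kernel service registered for it, and is it running right now?
$svc = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like "*$Driver*" }
if ($svc) { $svc | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize }
else      { Write-Host "No kernel service references $Driver" }

# 4. Vulnerable-driver blocklist toggle (assumed registry value name).
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
if ($null -ne $ci -and $null -ne $ci.VulnerableDriverBlocklistEnable) {
    Write-Host "VulnerableDriverBlocklistEnable = $($ci.VulnerableDriverBlocklistEnable)"
} else {
    Write-Host 'VulnerableDriverBlocklistEnable not set; platform default applies'
}
```

A host where the update is installed, the driver is present and its service is stopped or failing to start is the profile described in the article; the vendor's updated driver build, not a registry change to the blocklist, is the remediation to look for.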

This particular bug has been lurking since at least 2019, yet Microsoft has not clarified why it took until April 2026 to add the vulnerable kernel driver to its blocklist. Other notable update-related issues have also surfaced recently, such as the October 2025 patch that rendered the Windows 11 Recovery Environment (WinRE) unusable, and the January 2026 security patches that disrupted user sign-ins and shutdown processes, prompting Microsoft to issue an out-of-band update to address these concerns.
