On April 30, 2026, a Microsoft Defender signature update inadvertently misclassified two legitimate DigiCert root certificates as a severe threat, Trojan:Win32/Cerdigent.A!dha. The misclassification led to the quarantine of the DigiCert Assured ID Root CA and DigiCert Trusted Root G4 certificates, disrupting SSL/TLS validation on numerous affected endpoints.
In response to the growing concerns surrounding compromised certificates from a recent DigiCert breach, Microsoft had introduced new malware detections. However, within hours, these detections erroneously flagged the registry entries of the two trusted root certificates, which are essential for validating SSL/TLS sessions and ensuring the integrity of signed installers and code-signing chains across enterprise software.
Inside the False Positive
Microsoft’s decision to add the Trojan detection was a precautionary measure aimed at customer protection. Unfortunately, this led to a cascade of false-positive alerts, as the Defender antimalware signature mistakenly identified the legitimate root certificates as high-severity threats. The company later acknowledged the error, stating that the alert logic was adjusted to suppress the erroneous notifications.
Despite the alarm raised by Defender, there was no actual compromise of the DigiCert certificates. Administrators were able to verify that the certificate hashes matched the officially published values from DigiCert. The confusion stemmed from a failure to properly constrain the new compromised-certificate detection to only the revoked end-entity signing certificates associated with a separate incident involving the Zhong Stealer malware. This oversight resulted in a misalignment between the intended targets of the detection and the actual certificates flagged.
A Recurring Defender False-Positive Pattern
This incident is not the first time Microsoft Defender has misidentified legitimate software as malicious. In 2022, the antivirus engine mistakenly flagged Microsoft Office as a virus, prompting the company to pledge tighter controls on false positives. However, the recent misfire highlights that these commitments have not fully extended to the certificate-detection pathway.
Organizations with restrictive update policies may still face challenges: endpoints that blocked the corrective definition will continue to experience SSL/TLS validation failures. Until administrators deploy Security Intelligence version 1.449.430.0 or later, or manually restore the DigiCert roots, these systems will keep rejecting validly signed code and disrupting essential operations.
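The two checks the article describes, verifying that the Security Intelligence version is current and that the DigiCert roots are present with the published thumbprints, can be combined into one triage script. The following is an added example, not code from the article or from Microsoft; it assumes a Windows endpoint with the Defender PowerShell module, and the expected thumbprints are placeholders to be filled in from DigiCert's officially published values.

```powershell
# Added example (not from the original article): triage for the Defender / DigiCert root
# false positive. Assumes Windows with the Defender PowerShell module installed.

# First Security Intelligence build stated by the article to carry the corrected logic.
$RequiredSigVersion = [version]'1.449.430.0'

# Placeholder thumbprints: replace with the SHA-1 thumbprints DigiCert publishes for each root.
$ExpectedRoots = @{
    'DigiCert Assured ID Root CA' = '<SHA1 thumbprint from DigiCert>'
    'DigiCert Trusted Root G4'    = '<SHA1 thumbprint from DigiCert>'
}

# 1. Is the corrected definition installed on this endpoint?
$status     = Get-MpComputerStatus
$sigVersion = [version]$status.AntivirusSignatureVersion
if ($sigVersion -lt $RequiredSigVersion) {
    Write-Warning "Signature $sigVersion is older than $RequiredSigVersion; the false positive may still fire."
} else {
    Write-Output "Signature $sigVersion includes the corrected detection logic."
}

# 2. Did Defender record the misclassification here? (Threat history survives the definition update.)
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' }
if ($hits) {
    Write-Warning "Cerdigent detections present: $($hits.ThreatName -join ', '); check quarantine for the root CA entries."
}

# 3. Are both roots still in the machine root store, and do their thumbprints match the expected values?
foreach ($name in $ExpectedRoots.Keys) {
    $certs = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$name*" }
    if (-not $certs) {
        Write-Warning "$name is MISSING from LocalMachine\Root (possibly quarantined); restore it before trusting TLS or code-signing chains."
        continue
    }
    foreach ($cert in $certs) {
        if ($cert.Thumbprint -ieq $ExpectedRoots[$name]) {
            Write-Output "$name present; thumbprint matches the configured published value."
        } else {
            Write-Warning "$name present but thumbprint $($cert.Thumbprint) does not match the configured expected value."
        }
    }
}
```

Run it in an elevated session so the threat history and the machine root store are readable; a missing root or a stale signature version is the condition the article describes, not evidence of a compromised certificate.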