A faulty antimalware definition update pushed by Microsoft caused Microsoft Defender to incorrectly flag two of the internet’s most widely trusted root certificates — issued by DigiCert — as dangerous malware, triggering automatic quarantine on enterprise endpoints worldwide. The incident exposed a potentially severe supply chain risk: with the root certificates removed from the Windows trust store, affected systems could fail to validate SSL/TLS connections and break code-signing verification for legitimate software.
What Went Wrong
On or around April 30, 2026, Microsoft released an antimalware signature update that introduced a new detection label: Trojan:Win32/Cerdigent.A!dha. This detection incorrectly identified registry entries belonging to two DigiCert root certificates as high-severity malware threats:
- DigiCert Assured ID Root CA (thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43)
- DigiCert Trusted Root G4 (thumbprint: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4)
Both certificates reside under the registry path HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, which backs the AuthRoot store: the store in which Windows keeps third-party root certificates distributed through the Microsoft Trusted Root Program (each certificate is a subkey named after its SHA-1 thumbprint, with the encoded certificate held in a binary Blob value). On affected systems, Microsoft Defender automatically quarantined the flagged registry entries as part of its standard remediation workflow, which removed the roots from the machine trust store without user intervention.
Potential Impact: Broken SSL and Code Signing
The downstream consequences of removing these root certificates are serious. DigiCert is one of the largest and most widely used certificate authorities in the world, meaning a vast number of websites, enterprise applications, and digitally signed software packages rely on its trust chain. With the DigiCert roots quarantined:
- Systems could fail to validate HTTPS connections to websites using DigiCert-issued TLS certificates, causing browser security warnings and broken applications
- Code-signing verification for legitimate software signed with DigiCert certificates could fail, potentially triggering additional security warnings or blocking software execution
- Enterprise environments heavily reliant on DigiCert PKI infrastructure face the risk of cascading service disruptions across managed endpoint fleets
Organisations using DigiCert-signed software or operating HTTPS endpoints would have been especially exposed during the window between the faulty definition release and Microsoft’s corrective update.
Discovery and Community Response
Cybersecurity researcher Florian Roth (@cyb3rops) was among the first to publicly identify and amplify the issue, posting on X and urging the security community to investigate. Roth shared an Advanced Hunting query to help administrators determine whether the DigiCert certificates had been restored on affected devices, and recommended a quick command-line check: certutil -store AuthRoot | findstr -i "digicert".
Microsoft’s own support forums quickly filled with reports from administrators confirming the false positive. Crucially, users verified that the DigiCert certificate hashes on affected systems matched the officially published values from DigiCert’s website — confirming that no actual malware compromise had occurred, and that the quarantine was purely the result of the erroneous signature update.
Microsoft’s Response
Microsoft acknowledged the issue and moved quickly to release corrective definition updates. Definition version .430 was cited as a key fix, and began automatically restoring the quarantined certificates on managed endpoint fleets. The rollout appeared to deploy silently across enterprise environments managed through Microsoft Endpoint Manager and similar tooling.
Administrators who needed to manually remediate affected systems could re-import the DigiCert root certificates from an unaffected machine or directly from DigiCert's published certificate repository, checking the thumbprint of each file against the published value before importing it into the AuthRoot store.
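As an added example (not code from the article, from Florian Roth, or from Microsoft), the following PowerShell script performs the two steps above: it checks the machine AuthRoot store for the two thumbprints listed earlier and re-imports any missing root from a local copy, after confirming that the file's thumbprint matches. The directory path and the file naming are assumptions, and the files are taken to have been downloaded beforehand from DigiCert's repository. Run it elevated.

```powershell
# Added example (not from the article, Microsoft or DigiCert): verify that the
# two DigiCert roots named in the article are present in the machine AuthRoot
# store and re-import any that are missing from a local .crt copy.
# Assumptions: the script runs elevated, and the root certificate files were
# fetched beforehand from DigiCert's published repository into $CertDir, named
# <thumbprint>.crt (both the directory and the naming are hypothetical).

$CertDir  = 'C:\Temp\DigiCertRoots'   # assumption: where the downloaded roots live
$Expected = @{
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43' = 'DigiCert Assured ID Root CA'
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4' = 'DigiCert Trusted Root G4'
}

function Test-DigiCertRoots {
    # Prints the state of each expected root and returns the thumbprints that
    # are absent from Cert:\LocalMachine\AuthRoot.
    $present = Get-ChildItem Cert:\LocalMachine\AuthRoot |
        Select-Object -ExpandProperty Thumbprint
    foreach ($tp in $Expected.Keys) {
        if ($present -contains $tp) {
            Write-Host "OK      $($Expected[$tp]) ($tp)"
        } else {
            Write-Warning "MISSING $($Expected[$tp]) ($tp)"
            $tp
        }
    }
}

function Restore-DigiCertRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $file = Join-Path $CertDir "$Thumbprint.crt"
    if (-not (Test-Path $file)) {
        throw "No local copy for $Thumbprint at $file"
    }
    # Never trust a file just because of its name: parse it and compare the
    # SHA-1 thumbprint with the value published by DigiCert before importing.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    if ($cert.Thumbprint -ne $Thumbprint) {
        throw "Thumbprint mismatch for ${file}: got $($cert.Thumbprint)"
    }
    # Import into the AuthRoot store (the equivalent CLI form is
    # certutil -addstore AuthRoot <file>).
    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\AuthRoot | Out-Null
    Write-Host "Restored $($cert.Subject) ($($cert.Thumbprint))"
}

$missing = @(Test-DigiCertRoots)
foreach ($tp in $missing) {
    Restore-DigiCertRoot -Thumbprint $tp
}
if ($missing.Count -eq 0) { Write-Host 'Both DigiCert roots present; nothing to do.' }
```

The thumbprint comparison is the important step: a runbook that blindly imports whatever file sits in the restore directory would turn a recovery procedure into a way to plant a rogue root, so the script refuses any file whose computed thumbprint differs from the published value.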
Lessons for Enterprise Security Teams
This incident highlights the risks inherent in automated, high-trust security tooling when erroneous updates are pushed at scale. Key takeaways for security operations teams include:
- Monitor for unexpected quarantine events: Automated endpoint protection actions on registry entries or certificate stores should trigger immediate alerts for investigation, not silent remediation.
- Maintain certificate inventory: Organisations should know which root and intermediate CAs are critical to their operations and have runbooks for restoring them rapidly if they are accidentally removed.
- Test definition updates in staged rings: Deploying antimalware definition updates to a canary group of systems before broad rollout can catch erroneous detections before they cause widespread disruption.
- Subscribe to vendor advisories: Both Microsoft Security Response Center and DigiCert publish security advisories; subscribing ensures timely awareness of issues like this one.
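To illustrate the first takeaway, here is an added PowerShell example (not from the article) that surfaces any Defender detection or remediation whose recorded resource sits under the Windows certificate stores. It combines the Defender cmdlets Get-MpThreat and Get-MpThreatDetection, joined on ThreatID so each detection carries its threat name, with the Defender operational event log (IDs 1116 for a detection and 1117 for an action taken). The 24-hour window, the registry-path pattern, and the assumption that the rendered event message carries Name: and Path: lines are illustrative choices.

```powershell
# Added example (not from the article): alert on Microsoft Defender activity
# that touched the Windows certificate stores. Two views are combined:
#   1. Get-MpThreat / Get-MpThreatDetection, joined on ThreatID so each
#      detection carries its threat name and the resources acted on;
#   2. the Defender operational event log, IDs 1116 (detected) and 1117
#      (action taken), filtered on the certificate-store registry path.
# Assumptions: runs elevated; $HoursBack and $AlertPattern are illustrative;
# the Name:/Path: lines parsed from event messages reflect the usual rendered
# layout and are an assumption about that layout.

$HoursBack    = 24
$AlertPattern = 'SystemCertificates\\'   # regex: any registry path under the cert stores
$Since        = (Get-Date).AddHours(-$HoursBack)

function Get-CertStoreRemediations {
    # View 1: Defender's own threat history
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $Since } |
        ForEach-Object {
            # -match on an array returns only the matching elements
            $hit = @($_.Resources) -match $AlertPattern
            if ($hit) {
                [pscustomobject]@{
                    Source     = 'MpThreatDetection'
                    Time       = $_.InitialDetectionTime
                    ThreatName = $names[$_.ThreatID]
                    Resources  = ($hit -join '; ')
                }
            }
        }

    # View 2: operational event log (survives even if threat history is cleared)
    $log = 'Microsoft-Windows-Windows Defender/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1116, 1117; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $AlertPattern } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            [pscustomobject]@{
                Source     = "Event $($_.Id)"
                Time       = $_.TimeCreated
                ThreatName = (($lines | Where-Object { $_ -match '^\s*Name:' }) -replace '^\s*Name:\s*', '') -join '; '
                Resources  = (($lines | Where-Object { $_ -match '^\s*Path:' }) -replace '^\s*Path:\s*', '') -join '; '
            }
        }
}

$findings = @(Get-CertStoreRemediations)
if ($findings.Count -eq 0) {
    Write-Host "No Defender actions on certificate stores in the last $HoursBack hours."
} else {
    # In production, forward these to the SIEM or ticketing system rather than printing.
    $findings | Sort-Object Time | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled task or RMM tool treats this as an alert
}
```

Scheduled across a fleet, a non-zero exit from this check is the "immediate alert" the first takeaway calls for: it turns a silent quarantine of a trust-store entry into a visible event that someone has to triage, and the threat name it reports can be compared against the vendor's advisory before anyone decides whether to restore the certificate or to investigate further.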
While Microsoft resolved this particular incident rapidly, the episode underscores that even the world’s most widely deployed endpoint security platform can introduce significant operational risk through a single faulty signature update — a sobering reminder for enterprises that trust in automated security tooling must always be paired with robust monitoring and fast remediation capability.