Microsoft Defender flags DigiCert certificates as malware

Microsoft Defender flagged two of the most trusted root certificates on the internet as malware last week, causing widespread disruption across enterprise Windows environments. The false positive began on April 30, when a Defender signature update introduced a detection labeled Trojan:Win32/Cerdigent.A!dha. Instead of catching malware, it incorrectly matched the cryptographic hashes of two DigiCert root certificates present on virtually every Windows machine in use today.
The affected certificates are DigiCert Assured ID Root CA, thumbprint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43, and DigiCert Trusted Root G4, thumbprint DDFB16CD4931C973A2037D3FC83A4D7D775D05E4. Both have been in the Windows trust store for years and are used to validate SSL/TLS connections, code-signing operations, and API calls across millions of enterprise and consumer systems. When Defender quarantined them, those validation chains broke. Some administrators spent hours diagnosing service failures before identifying the cause. Others, seeing a Trojan detection appear in their security console, reinstalled their operating system entirely.
What caused it
The false positive is tied to a real incident at DigiCert. In early April, attackers used a malicious ZIP file disguised as a customer screenshot to compromise two support team endpoints at the company, exploiting a misconfigured EDR deployment on one machine that failed to catch the initial delivery. The attackers accessed DigiCert's internal support portal and obtained initialization codes for a limited number of EV code-signing certificates. DigiCert identified and revoked 60 certificates, including those tied to the Zhong Stealer malware campaign, within 24 hours.
Microsoft moved quickly to push Defender detections to protect customers from malware signed with the compromised certificates. The detection logic it deployed was too broad. It caught the legitimate DigiCert root CAs alongside the revoked code-signing certificates, triggering quarantine actions on Windows systems that had done nothing wrong. "Earlier today we determined false positive alerts were mistakenly triggered and updated the alert logic," Microsoft told BleepingComputer. The fix shipped in Security Intelligence update 1.449.430.0. Systems that applied the update automatically had their certificates restored. Admins in environments with restricted update policies had to verify restoration manually using certutil -store AuthRoot | findstr -i "digicert".
What to do if you are still affected
Some users reported still seeing the Trojan:Win32/Cerdigent.A!dha alert on definition version 1.449.446.0, which suggests the fix did not fully propagate across all definition delivery paths. Microsoft's recommendation is to update Defender to the latest available Security Intelligence version via Settings, then Windows Security, then Virus and Threat Protection, then Protection Updates. Running Windows Update and restarting the machine should complete restoration of the quarantined certificates. DigiCert has confirmed on its blog that certificates incorrectly removed by Defender should restore automatically once the update is applied and that no broader compromise of customer certificates, accounts, or systems occurred.
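A scripted version of the manual verification described above, as an added PowerShell example that is not from the article, Microsoft or DigiCert; it assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpThreat) is present and that it runs from an elevated session:

```powershell
# Added example: confirm the two DigiCert roots named in the article are back in the
# local machine trust stores and that Defender definitions are at or past the fix release.
function Test-DigiCertRootRestore {
    # Thumbprints and names taken from the article.
    $expected = @{
        '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43' = 'DigiCert Assured ID Root CA'
        'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4' = 'DigiCert Trusted Root G4'
    }
    $fixVersion = [version]'1.449.430.0'   # Security Intelligence update carrying the corrected logic

    # Auto-updated roots land in AuthRoot; manually installed ones in Root. Check both.
    $installed = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot, Cert:\LocalMachine\Root |
        Select-Object -ExpandProperty Thumbprint

    $missing = foreach ($tp in $expected.Keys) {
        if ($installed -notcontains $tp) { "$($expected[$tp]) ($tp)" }
    }

    # Definition version currently loaded by Defender.
    $sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion

    # Any detection still carrying the false-positive name (assumed property names of Get-MpThreat).
    $cerdigent = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' } |
        Select-Object -ExpandProperty ThreatName -Unique

    [pscustomobject]@{
        SignatureVersion     = $sigVersion
        HasFixedDefinitions  = ($sigVersion -ge $fixVersion)
        MissingRoots         = @($missing)
        CerdigentDetections  = @($cerdigent)
        Restored             = ($missing.Count -eq 0 -and $sigVersion -ge $fixVersion)
    }
}

$result = Test-DigiCertRootRestore
$result | Format-List
if (-not $result.Restored) {
    Write-Warning 'Update Security Intelligence (Windows Security > Protection updates), run Windows Update, reboot, then re-run this check.'
}
```

If MissingRoots is empty but CerdigentDetections is not, the entries are stale history from before the fix rather than an active quarantine.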
This is yet another significant Microsoft update-related disruption in April and May, following the KB5083769 boot loop issue on HP and Dell machines, the force-upgrade push to Windows 11 25H2, and the same update breaking third-party backup tools from Acronis and Macrium. Notebookcheck has covered the KB5083769 situation.