Microsoft Defender flags DigiCert root certificates as malware in false positive

May 4, 2026

Microsoft Defender mistakenly detected legitimate DigiCert root certificates as malware, triggering widespread false-positive alerts and, in some cases, removing them from Windows systems. The issue stemmed from a signature update released April 30, which caused trusted certificates to be flagged as Trojan:Win32/Cerdigent.A!dha and deleted from the Windows trust store.

Administrators globally reported that affected systems had certificate entries removed from the AuthRoot store, disrupting trust relationships used for secure communications and software validation. The problem led to confusion among users, with some assuming their devices were compromised and reinstalling operating systems as a precaution.

According to cybersecurity researcher Florian Roth, the detections appeared shortly after the update was deployed. Specific certificate fingerprints were flagged, and on impacted machines the corresponding entries were removed from the registry path backing the AuthRoot store (HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, where each subkey is named by the certificate's SHA-1 thumbprint), a critical component of Windows security infrastructure.

Microsoft has since addressed the issue through updated security intelligence definitions. The company said the false positives were linked to efforts to detect malicious certificates following a recent DigiCert security incident, but acknowledged the detection logic was overly broad. “Earlier today we determined false positive alerts were mistakenly triggered and updated the alert logic,” Microsoft said, adding that affected environments have been automatically cleaned up and restored with newer updates.

The incident follows a breach disclosed by DigiCert in which attackers gained access to internal systems and obtained initialization codes tied to a limited number of code-signing certificate orders. Those codes, combined with approved requests, allowed threat actors to generate valid certificates that were later used to sign malware.

DigiCert said it revoked 60 compromised certificates, including 27 associated with the “Zhong Stealer” campaign. The malware operation used phishing emails, staged payload delivery and legitimately signed binaries to evade detection, highlighting how trusted certificate infrastructure can be exploited when compromised.

Importantly, the certificates flagged by Defender were root certificates in the Windows trust store, not the revoked code-signing certificates tied to the breach. The correct control for a compromised code-signing certificate is revocation of that leaf certificate, which Windows checks through the issuer's CRL or OCSP responder; removing the root instead breaks chain validation for every certificate that chains to it, including TLS and Authenticode signatures that were never part of the incident. That distinction underscores the failure mode: defensive measures targeting compromised assets inadvertently impacted foundational trust anchors used across the system.
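As an added example (this is not code from the article, from Microsoft or from DigiCert), the following PowerShell audits a host for the conditions described above: which DigiCert roots are present in the machine's Root and AuthRoot stores, which DigiCert roots published in Microsoft's trusted root list are absent locally, and whether Defender's local detection history contains the detection name the article cites. It assumes an elevated PowerShell session on a Windows host with the Defender module installed, and network access for the certutil step that downloads the published root list.

```powershell
# Added example, not from the article or from Microsoft/DigiCert.
# Run from an elevated PowerShell session on a Windows host with Microsoft Defender.

$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'   # detection name quoted in the article

function Get-DigiCertRoots {
    # Enumerate certificates whose subject names DigiCert in the two machine-wide
    # root stores. Root holds built-in and admin-installed roots; AuthRoot holds
    # third-party roots delivered by the Automatic Root Certificates Update
    # mechanism, which is the store the article says lost entries. Both stores are
    # backed by registry keys named by SHA-1 thumbprint, so a deleted key simply
    # disappears from this listing.
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like '*DigiCert*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint   # SHA-1 fingerprint as Windows displays it
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Get-MissingDigiCertRoots {
    # Download Microsoft's current trusted root list as an .sst file (network access
    # required) and report published DigiCert roots that are absent from both local
    # root stores. Caveat: Windows populates AuthRoot on demand when a chain first
    # needs a root, so an absent root is not by itself proof of deletion; compare
    # against a known-good host or a pre-April-30 inventory where possible.
    param([string]$SstPath = (Join-Path $env:TEMP 'wu-roots.sst'))
    certutil.exe -generateSSTFromWU $SstPath | Out-Null
    $published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $published.Import($SstPath)
    $local = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot' |
               ForEach-Object { $_.Thumbprint })
    $published |
        Where-Object { $_.Subject -like '*DigiCert*' -and ($local -notcontains $_.Thumbprint) } |
        Select-Object Subject, Thumbprint
}

function Get-CerdigentDetections {
    # Defender's local detection history, filtered to the detection name from the
    # article. Hits plus missing roots means remediation is still outstanding;
    # hits with all roots present means the corrected definitions already cleaned up.
    Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -eq $DetectionName }
}

# --- Audit ----------------------------------------------------------------
$roots = @(Get-DigiCertRoots)
if ($roots.Count -eq 0) {
    Write-Warning 'No DigiCert root certificates found in Root or AuthRoot.'
} else {
    $roots | Format-Table -AutoSize
}

$missing = @(Get-MissingDigiCertRoots)
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) published DigiCert root(s) not present locally:"
    $missing | Format-Table -AutoSize
}

$hits = @(Get-CerdigentDetections)
if ($hits.Count -gt 0) {
    Write-Warning "Defender recorded $($hits.Count) '$DetectionName' detection(s) on this host."
    # Pull the corrected security intelligence the article says Microsoft shipped,
    # then re-run this audit to confirm the roots were restored.
    Update-MpSignature
}
```

Because the AuthRoot store is filled lazily, the most reliable way to restore a missing third-party root on a host where the Automatic Root Certificates Update is not disabled by policy is to let chain building request it again, for example by validating a certificate that chains to that root; the audit above is read-only and does not import anything itself.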


Jim Love

Jim is an author and podcast host with over 40 years in technology.
