BREACH BRIEF · 🟡 Medium Advisory

Microsoft Defender Misflags DigiCert Root Certificates as Trojan, Causing Trust Store Disruption

A Microsoft Defender signature update on April 30 2026 falsely flagged two DigiCert root certificates as malware, leading to their removal from Windows trust stores. The issue was quickly patched, but organizations must verify remediation to avoid authentication failures.

LiveThreat™ Intelligence · 📅 May 04, 2026 · 📰 bleepingcomputer.com
Severity: Medium · Type: Advisory · Confidence: High · Affected: 2 sector(s) · Actions: 4 recommended · Source: bleepingcomputer.com


What Happened — Microsoft Defender’s April 30 2026 signature update began flagging two legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha. The false‑positive alerts led to automatic removal of the certificates from the Windows AuthRoot trust store on affected machines. Microsoft released a corrective Security Intelligence update (v1.449.430.0) that restores the certificates and stops the erroneous detections.

Why It Matters for TPRM

  • Trust‑store tampering can break authentication, code‑signing, and TLS connections for any third‑party service that relies on DigiCert roots.
  • False‑positive alerts generate unnecessary incident response effort and may cause organizations to reinstall Windows or disable security controls.
  • The issue is directly tied to a recent DigiCert breach, highlighting the downstream risk of supply‑chain compromises on security‑product behavior.

Who Is Affected — Enterprises across all sectors that run Windows 10/11 with Microsoft Defender enabled and rely on DigiCert root certificates for TLS, code‑signing, or S/MIME.

Recommended Actions

  • Verify that Windows devices are running Security Intelligence version 1.449.430.0 or later.
  • Audit the AuthRoot certificate store for missing DigiCert roots and re‑import if necessary.
  • Review any recent alerts from Microsoft Defender for “Trojan:Win32/Cerdigent.A!dha” and close false‑positive cases.
  • Monitor DigiCert breach notifications and adjust certificate‑validation policies accordingly.
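The first three actions above can be checked on a single host from an elevated PowerShell session. The script below is an added example, not code from this brief or from BleepingComputer; it assumes the built-in Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature, Get-MpThreat) is available, and it uses the signature version, thumbprints, registry path and detection name quoted in the Technical Notes.

```powershell
# Added example: verify the remediation points from this brief on one Windows host.
# Assumes an elevated session with the Defender PowerShell module (Windows 10/11).
$RequiredSigVersion  = [version]'1.449.430.0'   # corrective Security Intelligence update
$DigiCertThumbprints = @(                         # SHA-1 thumbprints named in the brief
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$FalsePositiveName = 'Trojan:Win32/Cerdigent.A!dha'

# 1. Signature version: anything older than the corrective update may still misflag the roots.
$status     = Get-MpComputerStatus
$sigVersion = [version]$status.AntivirusSignatureVersion
if ($sigVersion -lt $RequiredSigVersion) {
    Write-Warning "Signature version $sigVersion is older than $RequiredSigVersion; pulling the latest update."
    Update-MpSignature
} else {
    Write-Output "Signature version $sigVersion is at or above $RequiredSigVersion."
}

# 2. AuthRoot store: confirm both DigiCert roots are present. The store is backed by the
#    registry path given in the brief, so both the Cert: drive and the registry are checked
#    in case one view is stale.
$regBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
foreach ($tp in $DigiCertThumbprints) {
    $inStore = Get-ChildItem Cert:\LocalMachine\AuthRoot | Where-Object { $_.Thumbprint -eq $tp }
    $inReg   = Test-Path (Join-Path $regBase $tp)
    if ($inStore -and $inReg) {
        Write-Output "Present: $tp ($($inStore.Subject))"
    } else {
        # Caveat: AuthRoot is populated on demand by the automatic root update, so a root that
        # was never needed on this host can be absent without Defender having removed it.
        Write-Warning "Missing from AuthRoot: $tp (store=$([bool]$inStore), registry=$inReg)"
    }
}

# 3. Alert history: list hits on the false-positive detection name so the cases can be closed.
$hits = Get-MpThreat | Where-Object { $_.ThreatName -eq $FalsePositiveName }
if ($hits) {
    Write-Warning "$(@($hits).Count) detection(s) of $FalsePositiveName on this host; treat as false positives."
    $hits | Select-Object ThreatName, SeverityID, IsActive, Resources | Format-Table -AutoSize
} else {
    Write-Output "No detections of $FalsePositiveName recorded."
}
```

Run it after the corrective update has been applied; a root still reported missing on a host that previously used it is the case worth escalating, since the update is described as restoring the removed certificates.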

Technical Notes — The false positives stem from a signature‑update mis‑rule that mistakenly matched the hash of two DigiCert root certificates (SHA‑1 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4). The affected registry path is HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\. The issue was resolved in Microsoft Defender Security Intelligence update 1.449.430.0, which also restores removed certificates. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
