Microsoft Defender's False Positive Detection Targets DigiCert Certificates
Microsoft Defender began flagging legitimate DigiCert root certificates as malicious software on May 3, 2026, triggering the Trojan:Win32/Cerdigent.A!dha detection signature across Windows systems worldwide. The false-positive alerts started appearing in enterprise environments and consumer systems running Windows 10 and Windows 11 with real-time protection enabled.
The detection engine incorrectly identified DigiCert's trusted root certificate authority certificates as potential threats, causing Microsoft Defender to quarantine or remove these essential cryptographic components from Windows certificate stores. DigiCert operates as one of the world's largest certificate authorities, providing SSL/TLS certificates and digital signatures for millions of websites and applications globally.
System administrators first reported the issue through Microsoft's community forums and enterprise support channels, describing scenarios where critical business applications stopped functioning after Defender removed the certificates. The false positives affected both DigiCert Global Root CA and DigiCert High Assurance EV Root CA certificates, which serve as trust anchors for validating digital certificates across the internet.
Microsoft's security intelligence team acknowledged that the detection error stems from an overly aggressive signature update pushed to Defender's cloud-based protection service. The company's Security Update Guide confirmed that it is working to resolve the false-positive classification and restore normal certificate validation functionality.
The incident highlights the delicate balance between proactive threat detection and maintaining system stability. Certificate authorities like DigiCert undergo rigorous auditing and compliance processes to maintain their trusted status, making false-positive detections particularly disruptive to enterprise operations and web browsing functionality.
Windows Systems Running Microsoft Defender Experience Certificate Disruption
All Windows 10 and Windows 11 systems with Microsoft Defender real-time protection enabled are potentially affected by the false-positive detections. Enterprise environments using Windows Server 2019, Windows Server 2022, and Microsoft 365 Defender are experiencing the most significant operational impact, particularly organizations relying on applications that validate certificates against DigiCert's root certificate authorities.
Web browsers including Microsoft Edge, Google Chrome, and Mozilla Firefox may display certificate validation errors when accessing websites secured with DigiCert-issued SSL certificates. Email clients like Microsoft Outlook could encounter authentication failures when connecting to mail servers using DigiCert certificates for secure communication protocols.
Corporate applications utilizing code signing certificates from DigiCert face execution blocks or security warnings, disrupting software deployment pipelines and automated update mechanisms. Virtual private network clients and remote desktop applications may fail to establish secure connections when their certificates trace back to the affected DigiCert root authorities.
The false positives particularly impact financial services, healthcare, and e-commerce organizations that rely heavily on DigiCert's extended validation certificates for customer-facing applications. System administrators managing large Windows deployments report hundreds of security alerts flooding their monitoring dashboards, creating significant noise that could mask legitimate security threats.
Immediate Steps to Restore DigiCert Certificate Functionality
System administrators should immediately check their Windows certificate stores to verify DigiCert root certificates remain present and trusted. Navigate to the Microsoft Management Console (MMC), add the Certificates snap-in, and examine the Trusted Root Certification Authorities folder for DigiCert Global Root CA and DigiCert High Assurance EV Root CA entries.
If Defender removed the certificates, administrators can restore them by downloading the official root certificates directly from DigiCert's repository and manually importing them into the Windows certificate store. Use the certmgr.msc command to access the certificate manager, right-click Trusted Root Certification Authorities, select All Tasks > Import, and follow the certificate installation wizard.
For enterprise environments, Group Policy can distribute the restored certificates across multiple systems simultaneously. Create a new Group Policy Object, navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, and import the DigiCert root certificates for domain-wide deployment.
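The store check and manual re-import described above can be scripted per machine. The following PowerShell is an added example, not code from Microsoft or DigiCert. The download folder, the .cer file names and the thumbprint placeholders are assumptions to be replaced with values taken from DigiCert's published root list.

```powershell
# Added example: audit and restore the two DigiCert roots named in this article.
# Run from an elevated session (writing to LocalMachine\Root requires admin rights).
$ErrorActionPreference = 'Stop'
$store = 'Cert:\LocalMachine\Root'

# Assumption: the .cer files were downloaded from DigiCert's repository to this folder.
$sourceDir = 'C:\Temp\digicert-roots'

# File names are hypothetical. Thumbprints are placeholders: copy the SHA-1 values
# from DigiCert's published root list, obtained separately from the download itself.
$roots = @(
    @{ Name = 'DigiCert Global Root CA'
       File = 'DigiCertGlobalRootCA.cer'
       Thumbprint = '<THUMBPRINT-FROM-DIGICERT>' }
    @{ Name = 'DigiCert High Assurance EV Root CA'
       File = 'DigiCertHighAssuranceEVRootCA.cer'
       Thumbprint = '<THUMBPRINT-FROM-DIGICERT>' }
)
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

$report = foreach ($root in $roots) {
    # Match the exact common name, not a substring of the subject.
    $present = Get-ChildItem $store |
        Where-Object { $_.GetNameInfo($simpleName, $false) -eq $root.Name }

    $status = 'Present'
    if (-not $present) {
        $path = Join-Path $sourceDir $root.File
        if (-not (Test-Path $path)) {
            $status = 'Missing (no file to import)'
        } else {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
            # Strip spaces or colons so a pasted fingerprint compares cleanly.
            $expected = $root.Thumbprint -replace '[^0-9A-Fa-f]', ''
            if ($cert.Thumbprint -ne $expected) {
                # Never add a trust anchor whose fingerprint has not been verified.
                $status = "Missing (thumbprint mismatch: $($cert.Thumbprint))"
            } else {
                Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
                $status = 'Restored'
            }
        }
    }
    [pscustomobject]@{ Root = $root.Name; Status = $status }
}
$report | Format-Table -AutoSize
```

With the placeholders left in, the script only reports and refuses to import, because no file can match an unverified fingerprint.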
Microsoft recommends temporarily excluding the affected certificate files from Defender scans while the company resolves the false-positive signature. Add exclusions through Windows Security settings under Virus & threat protection > Manage settings > Add or remove exclusions, specifying the certificate store locations typically found in C:\Windows\System32\CertSrv\CertEnroll\ directories.
Organizations should monitor Microsoft's official security advisories and the CISA Known Exploited Vulnerabilities catalog for updates regarding the resolution timeline and any additional mitigation guidance as Microsoft works to correct the detection engine signatures.






