TL;DR
Microsoft Defender is falsely flagging legitimate DigiCert root certificates as the Trojan:Win32/Cerdigent.A!dha malware, causing widespread false-positive alerts and, in some cases, automatically removing certificates from Windows machines. This incident disrupts trust in certificate validation and exposes critical gaps in Microsoft's threat-detection pipeline.
What Happened
On Sunday, May 3, 2026, Microsoft Defender began incorrectly identifying legitimate DigiCert root certificates as the Trojan:Win32/Cerdigent.A!dha threat, triggering a wave of false-positive alerts that in some cases led to automatic certificate removal from Windows systems. The error, first reported by BleepingComputer, has disrupted certificate validation for millions of users and raised urgent questions about Microsoft's signature-update quality controls.
Key Facts
- The false-positive detection involves DigiCert root certificates — widely trusted Certificate Authority (CA) credentials used by millions of websites, enterprise networks, and Windows Update itself.
- Microsoft Defender is labeling these certificates as Trojan:Win32/Cerdigent.A!dha, a specific malware signature that normally targets trojanised certificate files used in credential theft campaigns.
- In multiple confirmed cases, Defender has automatically removed the flagged certificates from the Windows Certificate Store, breaking TLS/SSL connections and triggering "certificate not trusted" errors in browsers and applications.
- The incident began on Sunday, May 3, 2026, and as of press time, Microsoft has not issued a public advisory or confirmed a fix timeline.
- DigiCert root certificates are among the most widely deployed in the world, used by over 40% of HTTPS websites and embedded in Windows, macOS, Linux, and Android trust stores.
- The false positive impacts all current Windows versions running Defender with the latest signature updates, including Windows 10 22H2, Windows 11 24H2, and Windows Server 2025.
- This is not the first time Microsoft Defender has triggered a major false-positive event — a September 2025 incident falsely flagged Google Chrome updates as malware, affecting over 800,000 endpoints before a fix was deployed.
Breaking It Down
The core of this incident is a failure in Microsoft's signature-update validation process. Defender's detection engine combines static signatures, behavioral heuristics, and machine-learning classifiers. When a signature update maps the hash or structural characteristics of a legitimate DigiCert root certificate onto the Trojan:Win32/Cerdigent.A!dha pattern, the engine treats the certificate as a confirmed threat and applies the default remediation action for that threat, which quarantines or removes the "malicious" object. A trusted root is not a loose file but an entry in the machine's Root store (registry-backed, under SystemCertificates), so its removal is disruptive but not irreversible: the entry can be restored from Defender's quarantine where it was quarantined rather than deleted outright, re-imported from a copy obtained from DigiCert, or re-fetched by Windows' automatic root update if that feature is enabled and the host can reach Windows Update. Until one of those happens, every chain anchored at the missing root fails validation on that machine.
"Over 40% of HTTPS websites rely on DigiCert-issued certificates, meaning this false positive has the potential to break secure connections for billions of daily transactions."
The scale of the disruption is large. DigiCert is one of the most widely trusted Certificate Authorities globally, issuing certificates for Microsoft, Amazon, Google, and thousands of financial institutions. When Defender removes a root certificate, every TLS/SSL connection that chains to that root, including email servers, cloud APIs, VPN gateways, and online banking portals, fails validation on the affected host. Clients that rely on the Windows trust store report the failure: Edge shows NET::ERR_CERT_AUTHORITY_INVALID, while Outlook, Schannel- and .NET-based applications and PowerShell's web cmdlets report "The certificate is not trusted". Chrome has shipped its own root store on Windows since 2022, so a root missing from the Windows store does not by itself break validation in Chrome. In enterprise fleets where Defender signatures update automatically, the same removal replays across thousands of endpoints before administrators can react; pushing the roots back through Group Policy or MDM is also the fastest way to restore them at scale.
The timing is particularly damaging because the incident occurred on a Sunday, when many IT teams operate with reduced staffing. Microsoft's typical response to a critical false positive, a signature rollback or an out-of-band signature update, has not yet materialized as of this writing. The Microsoft Security Response Center (MSRC) has not posted an advisory, and the Microsoft 365 admin center shows no service health incident. The silence amplifies the confusion: administrators cannot tell whether to restore certificates manually, disable Defender temporarily, or wait for an official fix. Of those, disabling Defender wholesale is the worst option; the narrower path is to restore the roots and, if they are removed again, scope an exception to this single detection until a corrected signature ships.
What Comes Next
- Emergency signature rollback within 24–48 hours: Historically, Microsoft has issued emergency signature updates for false-positive incidents within 1–2 business days. Given the severity here, a rollback to the last known-good signature version (likely from May 2, 2026) is the most probable near-term action. Watch for Defender signature version 1.397.xxxx.0 or similar rollback indicators.
- Manual certificate restoration guidance: Microsoft will likely publish a KB article detailing how to reinstall DigiCert root certificates from the Microsoft Update Catalog or via the certlm.msc console. Affected administrators should be ready to run certutil -addstore Root <file>.cer from an elevated prompt, using .cer files downloaded from DigiCert's official root-certificate repository and checked against the fingerprints DigiCert publishes there.
- Broader trust-store integrity audit: Expect Microsoft to accelerate its Windows Trusted Root Program review, possibly introducing hash-based allowlisting for root CA certificates to prevent future false positives. This could be announced at Microsoft Build 2026 (scheduled for late May).
- Potential regulatory scrutiny: The European Union Agency for Cybersecurity (ENISA) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) may open inquiries, given that this incident undermines the global PKI trust model. A formal investigation could lead to mandatory testing requirements for security-software signature updates.
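As an added worked example (this is not code from the article, from Microsoft or from DigiCert), the following PowerShell script ties together the triage implied in "Breaking It Down" with the restoration steps listed above: it records which signature set is loaded and what Defender logged under the threat name, derives the expected root set from .cer files the administrator has downloaded, compares that set with the machine Root store, tries Defender's quarantine before re-importing, verifies each root builds a trusted chain, and can optionally pin the default action for this one ThreatID to Allow until a corrected signature ships. It assumes the threat name exactly as the article gives it, and the folder C:\Temp\digicert-roots is a placeholder chosen for this example; the .cer files must be downloaded from DigiCert's root-certificate page and their fingerprints checked against the values published there before running. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
<#
  Added example; not code from the article, Microsoft or DigiCert.
  Triage and recovery for a Windows host whose DigiCert roots Defender removed.

  Assumptions (mine, not facts from the article): Defender reports the detection under
  exactly $ThreatName, and the current DigiCert root .cer files have been downloaded from
  DigiCert's root certificate page (https://www.digicert.com/kb/digicert-root-certificates.htm)
  into $CerFolder after comparing their SHA-256 fingerprints with the published ones.
  The folder path is a placeholder chosen for this example.
#>
param(
    [string]$ThreatName = 'Trojan:Win32/Cerdigent.A!dha',
    [string]$CerFolder  = 'C:\Temp\digicert-roots',
    [switch]$AllowThreatIdUntilFixed   # opt-in: stop Defender from removing the roots again
)
$ErrorActionPreference = 'Stop'

# 1. Which signature set is loaded, and what did Defender record for this threat name?
$status = Get-MpComputerStatus
'Signatures {0} ({1}), engine {2}' -f $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated, $status.AMEngineVersion

$threat = Get-MpThreat | Where-Object ThreatName -eq $ThreatName | Select-Object -First 1
if ($threat) {
    Get-MpThreatDetection | Where-Object ThreatID -eq $threat.ThreatID |
        Select-Object InitialDetectionTime, ActionSuccess,
                      @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
        Format-Table -AutoSize
} else {
    "No detection named $ThreatName recorded on this host."
}

# 2. The expected root set comes from the downloaded .cer files, so no thumbprints are hardcoded.
if (-not (Test-Path $CerFolder)) { throw "Download DigiCert's root .cer files into $CerFolder first." }
$expected = foreach ($f in Get-ChildItem -Path $CerFolder -Filter *.cer) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $f.FullName
    # Accept only self-signed DigiCert roots; anything else in the folder is refused.
    if ($c.Subject -ne $c.Issuer -or $c.Subject -notmatch 'O=DigiCert') {
        Write-Warning "Skipping $($f.Name): not a self-signed DigiCert root ($($c.Subject))"
        continue
    }
    [pscustomobject]@{ File = $f.FullName; Subject = $c.Subject; Thumbprint = $c.Thumbprint }
}
if (-not $expected) { throw "No DigiCert root certificates found in $CerFolder." }

# 3. Compare against the machine Root store; try quarantine first, then re-import what is still missing.
$present = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
$missing = @($expected | Where-Object { $_.Thumbprint -notin $present })
if ($missing.Count -gt 0 -and $threat) {
    # Harmless if Defender deleted rather than quarantined the entries.
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -Name $ThreatName -All | Out-Null
    $present = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    $missing = @($missing | Where-Object { $_.Thumbprint -notin $present })
}
foreach ($m in $missing) {
    "Re-importing $($m.Subject) [$($m.Thumbprint)]"
    Import-Certificate -FilePath $m.File -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 4. Verify: chain building succeeds for a trusted root; an untrusted one reports UntrustedRoot.
foreach ($e in $expected) {
    $cert  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $e.Thumbprint
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # roots carry no CRL; keep the check offline
    $ok = [bool]$cert -and $chain.Build($cert)
    '{0,-8} {1}' -f ($(if ($ok) { 'OK' } else { 'MISSING' }), $e.Subject)
    if (-not $ok -and $chain.ChainStatus) { $chain.ChainStatus.StatusInformation | Write-Warning }
}

# 5. Optional: keep the next signature cycle from removing the roots again. Scoped to this one
#    ThreatID; undo with Remove-MpPreference -ThreatIDDefaultAction_Ids once Microsoft ships a fix.
if ($AllowThreatIdUntilFixed -and $threat) {
    Set-MpPreference -ThreatIDDefaultAction_Ids $threat.ThreatID -ThreatIDDefaultAction_Actions Allow
    "Default action for ThreatID $($threat.ThreatID) set to Allow until the signature is corrected."
}
```

The script deliberately takes its expected roots from the downloaded files rather than from a hardcoded thumbprint list, so the same run works whichever DigiCert roots a site actually depends on, and it refuses any .cer in the folder that is not a self-signed DigiCert certificate. The ThreatID override in step 5 is far narrower than disabling real-time protection and should be removed as soon as a corrected signature is confirmed.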
The Bigger Picture
This incident is the latest in a troubling pattern of false-positive signature crises that erode trust in automated security tools. The September 2025 Chrome false positive and the July 2024 CrowdStrike outage, in which a faulty Falcon sensor content update crashed Windows hosts worldwide, both demonstrated how a single flawed update can paralyze global IT infrastructure. Here, the damage is more insidious: by removing root certificates, Microsoft Defender has struck at the foundation of Public Key Infrastructure (PKI), the cryptographic trust model that underpins secure communications, software signing, and identity validation worldwide.
The broader trend is that automated threat detection now holds write access to the trust store: a classifier that misjudges a root certificate can remove the anchor that every other security control on the machine depends on. Security vendors increasingly deploy aggressive machine-learning classifiers that prioritize detection speed over precision. For a product like Defender, installed on roughly 1.5 billion Windows devices, a 1% false-positive rate on a single signature would touch on the order of 15 million machines. Microsoft does offer gradual-rollout channels for Defender security intelligence, engine and platform updates, but the broad channel is the default, and this incident shows that whatever pre-release gates exist did not catch a signature that matches a root certificate shipped in Windows' own trusted root list. Organizations that want a buffer can keep part of their fleet on the staged channel; the industry as a whole still needs canary testing and real-time false-positive detection before an update reaches every endpoint.
Key Takeaways
- [False-Positive Severity]: Microsoft Defender's misidentification of DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha is a critical false positive that can break TLS/SSL connections for over 40% of HTTPS websites.
- [Automatic Removal Risk]: In aggressive default configurations, Defender automatically removes flagged certificates from the Windows Certificate Store, requiring manual restoration by administrators.
- [Response Gaps]: As of Sunday, May 3, 2026, Microsoft has not issued a public advisory or emergency signature rollback, leaving millions of users without clear remediation steps.
- [Systemic Issue]: This is the second major Defender false-positive incident in eight months, highlighting the need for staged signature updates and pre-deployment testing against known-good certificate hashes.