Microsoft Defender Flags DigiCert Certs as Malware

Microsoft Defender triggered widespread false-positive alerts for DigiCert root certificates, with Windows trust entries removed in some cases.
A fresh wave of security alerts is causing alarm on Windows PCs after Microsoft Defender mistakenly flagged DigiCert root certificates as malware, under a detection label that can lead to certificates being removed from the system trust store.
Misryoum reports that the issue surfaced following a Defender signature update added on April 30, when valid certificates began getting detected as Trojan:Win32/Cerdigent.A!dha. As a result, administrators started seeing alerts across multiple environments, and in some cases Windows removed DigiCert root certificate entries from the AuthRoot trust store.
The certificates mentioned in community reports were identified by specific certificate fingerprints, and on affected systems the removals were tied to the trust store registry path used for root certificates. For users, the most unsettling part is that these actions can look like a sign of compromise, even though the certificates involved are meant to be trusted.
Why this matters: when endpoint security tools misclassify trusted certificate infrastructure, the impact can go beyond alerts. It can create confusion, interrupt trust chains, and shake confidence in both device integrity and software distribution.
Misryoum notes that Microsoft has since corrected the detections through Security Intelligence updates. The remediation is described as being included in a newer update version, and later reports indicate certificates that were previously removed may return on impacted devices once the updated detection components are in place.
For administrators and users who want to verify quickly, Misryoum says the updates should install automatically. Manual checking is also available through Windows Security by navigating to Virus and threat protection, then Protection updates, and selecting Check for updates.
In parallel, the timing has raised questions because the Defender false positives appeared not long after a disclosed DigiCert security incident involving code-signing certificate handling. Misryoum emphasizes that while the chronology has led people to look for a connection, the Defender-flagged items are root certificates in the Windows trust store, which do not directly match the revoked code-signing certificates described in the DigiCert incident report.
Why this matters: even when root certificates and code-signing certificates are different building blocks, trust disruptions can still amplify risk perception. The safest approach is to update Defender promptly, confirm certificate restoration if needed, and avoid rushing to drastic steps like reinstalling Windows based solely on a false-positive alert.
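As an added example (not from Misryoum's report or from Microsoft), this read-only PowerShell check gives an administrator a quick way to confirm the two points above: that Defender's Security Intelligence version has moved on from the signature that introduced the false positive, and that DigiCert roots are present in the AuthRoot store the report names. It assumes an elevated PowerShell session on Windows with the built-in Defender module, and it looks only at the AuthRoot store; it changes nothing.

```powershell
# Added example, not the article's own guidance. Read-only: reports Defender
# signature state, DigiCert roots in the AuthRoot store, and any recorded
# Cerdigent detections so an admin can decide whether a re-check is needed.

function Get-DigiCertAuthRootStatus {
    # Third-party roots in the machine AuthRoot store that belong to DigiCert.
    $roots = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
        Where-Object { $_.Subject -match 'DigiCert' }

    # Current Defender signature version and when it was last updated.
    $status = Get-MpComputerStatus

    # Detections recorded under the false-positive name from the report.
    $hits = Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' }

    [pscustomobject]@{
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        DigiCertRootCount    = @($roots).Count
        DigiCertRoots        = @($roots | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        })
        CerdigentDetections  = @($hits).Count
    }
}

$r = Get-DigiCertAuthRootStatus
$r | Format-List SignatureVersion, SignatureLastUpdated, DigiCertRootCount, CerdigentDetections
$r.DigiCertRoots | Format-Table -AutoSize

# Detections on record but no DigiCert roots left: signatures are probably
# still stale. Update-MpSignature is the command-line equivalent of the
# "Check for updates" button described above.
if ($r.CerdigentDetections -gt 0 -and $r.DigiCertRootCount -eq 0) {
    Write-Warning 'Cerdigent detections recorded and no DigiCert roots in AuthRoot: run Update-MpSignature and re-check.'
}
```

Compare SignatureVersion against the fixed version named in Microsoft's update notes rather than a hard-coded value, since the article does not give the version number.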
Finally, Misryoum notes that this situation highlights how tightly tied modern security ecosystems are to certificate trust and detection logic. When that logic misfires, the aftermath is largely operational: updates, verification, and calmer interpretation of what the alerts actually mean.