Microsoft Defender quarantines DigiCert certs
- Microsoft Defender falsely tagged trusted DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha on May 3, 2026, and in some cases removed them from Windows trust stores.
- The two affected thumbprints map to DigiCert roots in Windows ROOT and AuthRoot, and Microsoft moderators said updated Defender signatures restore trust automatically.
- This matters because deleting a root CA can break HTTPS, code-signing, and enterprise auth far beyond one infected-looking endpoint.
Windows certificate trust is one of those things nobody notices until it breaks. That is basically what happened this weekend. Microsoft Defender started flagging legitimate DigiCert root certificates as malware, then quarantined them on some systems, which meant Windows could suddenly stop trusting perfectly valid certificates. Microsoft staff on the company’s own Q&A forum called it a false positive, not a real compromise, and said updated signatures plus certificate sync should put the roots back.

### What actually got flagged?

Not a random app, and not a hacked website. Defender was detecting a threat named `Trojan:Win32/Cerdigent.A!dha`, but the objects tied to the alert were DigiCert root certificates already trusted by Windows. The thumbprints people kept seeing were `DDFB16CD4931C973A2037D3FC83A4D7D775D05E4` and `0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43`, and Microsoft moderators said one of them matches an officially published DigiCert root.

### Why is a root certificate such a big deal?

A root certificate is the anchor of trust. When your browser, VPN client, or Windows installer checks whether a certificate is legit, it walks that chain back to a trusted root. If the root disappears from the trust store, the leaf certificate can still be perfectly fine and the system may reject it anyway. Think of it like deleting the notary from the list of accepted notaries — every signed document from that office suddenly looks suspicious.

### What did Defender do on affected machines?

The ugly part is that this was not just an alert bubble. In reported cases, `msmpeng.exe` — Defender’s engine — deleted registry keys under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates` and `...AuthRoot\Certificates`. That means the issue could move from “annoying false alarm” to “trust-chain registry entries actually deleted.”

### Which systems were hit?
Reports point to Windows 11 and Windows Server machines, and the bad behavior appears tied to a Defender security intelligence update that started rolling out around May 3, 2026. One widely cited version was `1.449.424.0`. Follow-up reporting says newer intelligence versions — `1.449.430.0` or `1.449.431.0` — stopped triggering the detection. The moderator replies line up with that fix path.

### What breaks when those roots vanish?

Potentially a lot. DigiCert roots sit underneath a huge amount of TLS, code-signing, email, and enterprise authentication traffic. DigiCert itself says its roots are widely trusted across browsers, operating systems, VPN clients, email clients, and devices. So the blast radius is not “one vendor’s app looks weird.” It can show up as HTTPS failures

### Is this a DigiCert breach?

No. Everything public so far points the other way. Microsoft’s moderator response
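The practical question for anyone administering Windows hosts is whether a given machine lost these roots and whether its Defender signatures are past the versions reported to trigger the detection. The script below is an added example written for this article; it is not Microsoft's or DigiCert's code and does not come from the forum thread. It checks the two thumbprints quoted above in the LocalMachine Root and AuthRoot stores and in the registry paths the reports say `msmpeng.exe` deleted, reads the local Defender signature version and threat history, and flags a missing root. The function names (`Test-DigiCertRootPresence`, `Get-CerdigentDetection`, `Get-DefenderSignatureVersion`) are my own; the `1.449.430.0` threshold is taken from the follow-up reporting above and is only a heuristic, not a Microsoft-confirmed fix version. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not part of the article): verify DigiCert root presence and
# Defender signature state on a Windows host after the Cerdigent false positive.
# Assumptions: run elevated; the Defender PowerShell module (Get-MpComputerStatus,
# Get-MpThreat) is available, which is the case on Windows 11 and Windows Server.

# The two thumbprints quoted in the reports (values from the article, not invented).
$Thumbprints = @(
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4',
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43'
)

# Registry-backed stores the reports say Defender deleted keys from.
# Subkeys under each are named by the certificate's SHA-1 thumbprint.
$RegistryStores = @{
    ROOT     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    AuthRoot = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
}

function Test-DigiCertRootPresence {
    # Returns one object per thumbprint describing where (if anywhere) it is still present.
    [CmdletBinding()]
    param([string[]]$Thumbprint = $Thumbprints)

    foreach ($tp in $Thumbprint) {
        # Certificate provider view of the machine stores.
        $inRoot     = Test-Path "Cert:\LocalMachine\Root\$tp"
        $inAuthRoot = Test-Path "Cert:\LocalMachine\AuthRoot\$tp"

        # Raw registry view, which is what Defender was reported to remove.
        $regRoot     = Test-Path (Join-Path $RegistryStores.ROOT $tp)
        $regAuthRoot = Test-Path (Join-Path $RegistryStores.AuthRoot $tp)

        # Pull the subject from whichever store still has the certificate.
        $cert = Get-ChildItem "Cert:\LocalMachine\Root\$tp", "Cert:\LocalMachine\AuthRoot\$tp" `
                    -ErrorAction SilentlyContinue | Select-Object -First 1

        [pscustomobject]@{
            Thumbprint     = $tp
            Subject        = if ($cert) { $cert.Subject } else { $null }
            RootStore      = $inRoot
            AuthRootStore  = $inAuthRoot
            RootRegKey     = $regRoot
            AuthRootRegKey = $regAuthRoot
            Missing        = -not ($inRoot -or $inAuthRoot)
        }
    }
}

function Get-DefenderSignatureVersion {
    # AntivirusSignatureVersion is the security intelligence version the article discusses.
    (Get-MpComputerStatus).AntivirusSignatureVersion
}

function Get-CerdigentDetection {
    # Defender's local threat history; filter to the detection name from the reports.
    Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' } |
        Select-Object ThreatName, IsActive, Resources
}

# --- Report ---
$results = Test-DigiCertRootPresence
$results | Format-Table -AutoSize

$sig = Get-DefenderSignatureVersion
# Earliest version the follow-up reporting says no longer triggers the detection (heuristic only).
$fixedFrom = [version]'1.449.430.0'
$state = if ([version]$sig -ge $fixedFrom) {
    'at or above the version reported to stop the detection'
} else {
    'still at a version reported to trigger the false positive'
}
Write-Host ("Defender signature version: {0} ({1})" -f $sig, $state)

$hits = Get-CerdigentDetection
if ($hits) {
    Write-Host 'Defender has Cerdigent detections logged on this host:'
    $hits | Format-List
}

if ($results | Where-Object Missing) {
    Write-Warning 'At least one DigiCert root is absent from both LocalMachine Root and AuthRoot.'
    Write-Warning 'Per the Microsoft moderator replies, updated signatures plus certificate sync should restore it.'
}
```

The check is deliberately read-only: it reports the state rather than re-importing certificates, because the article's remediation path is updated Defender signatures plus Windows' own root sync, and a hand-imported root would mask whether that path actually worked. If you need to confirm what Windows Update currently ships as the AuthRoot set, `certutil -generateSSTFromWU <file.sst>` (a standard certutil option, not something the article mentions) writes that set to a file you can open with the certificate viewer and compare against the thumbprints above.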