A faulty security update deployed by Microsoft caused Microsoft Defender to incorrectly flag two of the internet’s most widely trusted root certificates as high-severity malware threats, triggering widespread alerts across enterprise environments worldwide. The incident affected DigiCert Assured ID Root CA and DigiCert Trusted Root G4, both of which are foundational to SSL/TLS certificate validation and code-signing operations that underpin secure communications across the web.
The false positive detections drew immediate attention from enterprise administrators who found their environments flooded with alerts flagging legitimate certificate registry entries as malicious. In environments where automatic remediation actions were enabled, the false positives risked disrupting critical security infrastructure that legitimate software depended upon for secure operation.
## What Triggered the False Detection
The faulty update incorrectly identified registry entries belonging to two DigiCert root certificates as threats corresponding to a trojan labelled Cerdigent. This misidentification appears to have resulted from an error in the signature-based detection logic that Microsoft Defender uses to identify malicious software, rather than any actual compromise of the DigiCert infrastructure.
DigiCert itself experienced a security incident between April 14th and April 17th, 2026, during which a threat actor obtained access to certificate issuance systems. The company subsequently revoked certificates identified as potentially affected, including 27 explicitly linked to the threat actor’s actions. However, the Microsoft Defender update appears to have conflated DigiCert’s legitimate certificate infrastructure with the impact of this separate security incident.
Microsoft’s detection systems apparently marked registry entries belonging to the root certificates themselves as indicators of compromise associated with the Cerdigent trojan, even though the certificates had not themselves been compromised in a way that would warrant such classification. The error propagated through Microsoft’s signature database to enterprise clients worldwide, creating a cascade of false alerts in environments where the certificates were in active use.
## Impact on Enterprise Environments
Enterprise administrators managing environments with restrictive update policies faced particular challenges. Systems that had not automatically received the problematic update were unaffected, but the inconsistency created a patchwork situation where some endpoints required manual remediation while others remained in their pre-update state.
For organisations that rely on certificate-based authentication for internal services, SSL inspection appliances, or code-signing pipelines, the false positives threatened to disrupt legitimate business operations. Security teams were forced to quickly distinguish between genuine alerts triggered by actual Cerdigent activity and the false positives generated by the faulty update.
The broader context of DigiCert’s actual security incident added complexity to the response. Organisations that had received DigiCert’s breach notification were already on heightened alert for certificate-related anomalies, making the Defender false positives particularly alarming in environments where security teams were already investigating DigiCert-related threat indicators.
## Microsoft and DigiCert Response
Microsoft acknowledged the issue and released an updated definition file to correct the false detections. Enterprise administrators were advised to verify the presence of the legitimate DigiCert root certificates in their Trusted Root store using certutil commands and to check Microsoft Defender’s Advanced Hunting logs to confirm whether any genuine detections had occurred alongside the false positives.
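The verification step described above, as an added example (not from the article, Microsoft or DigiCert): a PowerShell snippet that confirms the two DigiCert roots are still in the machine Trusted Root store, checks that the registry entries backing them have not been quarantined, and runs the equivalent certutil query. The subject names come from the article; the registry path is the standard location of the machine ROOT store; the detection title used in the Advanced Hunting query is an assumption and should be replaced with the name shown in your own alerts.

```powershell
# Subject names as given in the article
$Subjects = @('DigiCert Assured ID Root CA', 'DigiCert Trusted Root G4')

# Standard registry location backing Cert:\LocalMachine\Root (one subkey per thumbprint)
$RootRegPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

foreach ($name in $Subjects) {
    # 1. Certificate store view
    $match = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$name*" }

    if (-not $match) {
        "WARNING: '$name' not found in Cert:\LocalMachine\Root (possible quarantine or removal)"
        continue
    }

    foreach ($cert in $match) {
        '{0}: present, thumbprint {1}, expires {2:yyyy-MM-dd}' -f $name, $cert.Thumbprint, $cert.NotAfter

        # 2. Registry entry that a false positive on the root store would target
        $key = Join-Path $RootRegPath $cert.Thumbprint
        if (Test-Path $key) { "    registry entry present: $key" }
        else { "    WARNING: registry entry missing, check Defender quarantine: $key" }
    }

    # 3. Same check with certutil, as the article recommends (matches on subject name)
    certutil -store Root "$name"
}

# 4. Advanced Hunting (Defender XDR) query to separate genuine hits from the bad-signature
#    wave. Paste into the portal; "Cerdigent" is the trojan label from the article and the
#    Title filter is an assumption, adjust it to the title in your alerts.
$HuntingQuery = @'
AlertInfo
| where Timestamp > ago(7d)
| where Title contains "Cerdigent"
| join kind=inner AlertEvidence on AlertId
| where EvidenceRole == "Impacted"
| project Timestamp, DeviceName, Title, Severity, RegistryKey, FileName, SHA256
| order by Timestamp desc
'@
Write-Output $HuntingQuery
```

Run elevated on an endpoint that received the faulty definition; a root that is present in the store but whose registry subkey is missing is the signature of an automated remediation having acted on the false positive. In the hunting results, evidence rows whose RegistryKey points under SystemCertificates\ROOT and whose only evidence is one of the two DigiCert thumbprints are the false positives; rows carrying an executable FileName and SHA256 deserve a real investigation.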
DigiCert’s own incident response included the revocation of 11 certificates identified through community-provided certificate problem reports linking them to malware, along with 16 additional certificates discovered during the company’s internal investigation. The company published a detailed incident report outlining the timeline and scope of the compromise, though questions remained about how the threat actor initially gained access to the certificate issuance infrastructure.
## Lessons for Enterprise Security Programs
The incident highlights the cascading risks that can emerge when security vendors deploy faulty detection logic through automated update mechanisms. While the rapid deployment of signature updates is essential for addressing emerging threats, the scale at which these updates operate means that errors can propagate to millions of systems within hours.
Security teams should evaluate their endpoint protection configurations to understand the automated response actions that would be triggered by different alert severities. Environments where automatic quarantine or remediation is enabled for high-severity detections may benefit from additional review steps before automated actions are executed, particularly for detections involving system-level certificates.
The intersection of vendor security incidents and client-side detection systems also underscores the importance of maintaining independent visibility into certificate trust infrastructure. Organisations that rely exclusively on Microsoft Defender’s assessment of certificate validity may have missed the distinction between a vendor’s security incident and actual compromise of trusted certificate infrastructure.
For the broader security community, the incident serves as a reminder that detection logic errors can be as disruptive as the threats they are designed to address. Balancing the need for rapid threat response against the risk of false positive cascades remains one of the central challenges in enterprise security operations.