Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

By Lawrence Abrams
Publication Date: 2026-05-03 18:11:00

Update: Added Microsoft’s statement to the end of the first section of this article.

Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows.

According to cybersecurity expert Florian Roth, the issue first appeared after Microsoft added the detections to a Defender signature update on April 30th.

Today, administrators worldwide began reporting that DigiCert root certificate entries were flagged as malware and, on affected systems, removed from the Windows trust store.

According to a Reddit post about the false positives, the detected certificates are:

  • 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  • DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

On impacted systems, these certificates were removed from the AuthRoot store under this Registry key:


HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\
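
To check a host for the state described above, the following PowerShell sketch (an added example, not from the article or from Microsoft) reports whether the two listed thumbprints are present under the AuthRoot registry key and in the `Cert:\LocalMachine\AuthRoot` store, and lists any Defender detections recorded under the reported threat name. The function names are hypothetical; the thumbprints, registry path and threat name are the ones quoted in the article.

```powershell
# Added example. Thumbprints, registry path and threat name are taken from the article;
# the function names Get-AuthRootCertStatus and Get-CerdigentDetection are hypothetical.
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$RegBase    = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$ThreatName = 'Trojan:Win32/Cerdigent.A!dha'

function Get-AuthRootCertStatus {
    param([string[]]$Thumbprint)
    foreach ($tp in $Thumbprint) {
        # Each certificate in the registry-backed store is a subkey named by thumbprint.
        $inRegistry = Test-Path -LiteralPath (Join-Path $RegBase $tp)
        # The Cert: provider shows the logical store, which can differ from the registry view.
        $cert = Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot' -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $tp }
        [pscustomobject]@{
            Thumbprint  = $tp
            InRegistry  = $inRegistry
            InCertStore = [bool]$cert
            Subject     = if ($cert) { $cert.Subject } else { $null }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

function Get-CerdigentDetection {
    # Requires the Defender module; returns nothing if it is unavailable on this host.
    if (-not (Get-Command Get-MpThreat -ErrorAction SilentlyContinue)) { return }
    $ids = @(Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -eq $ThreatName } |
        Select-Object -ExpandProperty ThreatID)
    if ($ids.Count -eq 0) { return }
    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.ThreatID } |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
}

Get-AuthRootCertStatus -Thumbprint $Thumbprints | Format-Table -AutoSize
Get-CerdigentDetection | Format-List
```

A missing thumbprint is most meaningful when paired with a matching detection entry, because Windows can populate AuthRoot entries on demand and a certificate may simply never have been installed on that host.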

These false…