On April 2, 2026, DigiCert, one of the largest certificate authorities for digital signatures, suffered a targeted cyberattack. The attackers ran a phishing campaign against its customer support staff and used the resulting access to obtain sixty Extended Validation (EV) code-signing certificates. After discovering the breach, DigiCert audited its security infrastructure and revoked the compromised certificates. Because the certificates had been generated but not yet delivered to customers, the immediate impact on downstream software developers was minimal.
The stolen certificates were nonetheless quickly used by the attackers to sign malware. Once the abuse was detected, the security community worked together to publicize the incident, and antivirus vendors, including Microsoft, pushed out signature updates to detect and block files carrying these specific digital signatures.
On April 30, 2026, at around 16:00 EDT, Microsoft released a security intelligence update for Microsoft Defender. Because of a technical error that Microsoft has not described in detail, the update wrongly classified DigiCert's legitimate root certificates as malicious. As soon as the definitions were installed, the affected root certificates were automatically removed from the Trusted Root Certification Authorities store on Windows 10 and 11, and Microsoft Defender raised critical alerts reporting the detection as Trojan:Win32/Cerdigicert.A!dha.
The impact was broad, because DigiCert certificates secure a very large number of applications and websites. With the root certificates gone from the trust store, Windows and any browser relying on that store began rejecting every certificate that chains up to those roots. Users saw widespread errors when browsing to secured websites in Google Chrome, while Mozilla Firefox was unaffected because it maintains its own certificate store independent of Windows.
Some users read the alerts as proof that their systems had been compromised and reformatted their machines, which did not fix anything. Microsoft later issued a statement confirming that the detection was a false positive and released a corrective update.
After a flood of reports from IT administrators, Microsoft acknowledged that blocking the legitimate root certificates was a mistake. It released security intelligence update version 1.449.430.0 and later versions to fix the problem. Once Microsoft Defender has installed these newer definitions, the certificates are automatically restored and the blocks are lifted.
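The following PowerShell check is an added example; it is not part of the original article and is not Microsoft or DigiCert tooling. It assumes a Windows 10/11 host with the built-in Defender PowerShell cmdlets and the `Cert:` drive available, and it uses the detection name and fix version cited above. It reports whether DigiCert roots are currently present in the machine trust store, whether Defender has recorded the Cerdigicert detection, and whether the installed signature version is at or beyond the fixed release, requesting a signature update if it is not.

```powershell
# Added example (not from the article): verify a Windows host has recovered from the
# Defender false positive described above. Run from an elevated PowerShell session.

$FixedVersion  = [version]'1.449.430.0'            # fix version cited in the article
$DetectionName = 'Trojan:Win32/Cerdigicert.A!dha'  # detection name cited in the article

function Get-DigiCertRootPresence {
    # Lists DigiCert roots in the machine-wide Trusted Root store (Cert:\LocalMachine\Root).
    # Windows can also fetch trusted roots on demand via Automatic Root Update, so an
    # empty list means "not cached locally", not necessarily "untrusted".
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*DigiCert*' } |
        Select-Object Subject, Thumbprint, NotAfter
}

function Get-CerdigicertDetections {
    # Returns any Defender threat records whose name matches the false-positive detection.
    Get-MpThreat | Where-Object { $_.ThreatName -eq $DetectionName }
}

function Test-DefenderSignatureFixed {
    # True when the installed antivirus signature version is at or above the fixed release.
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion
    return ($installed -ge $FixedVersion)
}

# --- Report -------------------------------------------------------------------
Write-Host "DigiCert roots cached in LocalMachine\Root:"
$roots = Get-DigiCertRootPresence
if ($roots) { $roots | Format-Table -AutoSize } else { Write-Host "  (none cached locally)" }

$detections = Get-CerdigicertDetections
if ($detections) {
    Write-Host "Defender has recorded $DetectionName ($($detections.Count) record(s))."
} else {
    Write-Host "No $DetectionName records in Defender threat history."
}

if (Test-DefenderSignatureFixed) {
    Write-Host "Signature version is at or above $FixedVersion; corrected definitions are installed."
} else {
    Write-Host "Signature version is below $FixedVersion; requesting a signature update..."
    Update-MpSignature   # pulls the latest security intelligence update from Microsoft
}
```

An empty root list is not by itself evidence of a problem: Windows may not cache a particular DigiCert root until a chain requiring it has been validated, so the signature-version check is the more reliable indicator that the corrected definitions are in place. A recorded detection with a signature version at or above 1.449.430.0 is consistent with the article's account that the newer definitions reverse the removal automatically.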
Microsoft stated: “Upon receiving reports of compromised credentials, we expeditiously integrated malware detection capabilities into Microsoft Defender to fortify customer protection. However, we determined that certain alerts were erroneously triggered due to a flaw in our detection logic. We have since refined this logic. The nascent security intelligence update will automatically reverse these actions, requiring no manual intervention from impacted users; existing warnings will dissipate autonomously.”