Microsoft Defender Flags Trusted DigiCert Certificates as Malware, Sparks Global Panic

A faulty security update triggers widespread false alerts, removing critical root certificates from Windows systems worldwide
May 4, 2026
Image: A faulty Microsoft Defender update triggered global alerts by misidentifying trusted DigiCert certificates as malware

Microsoft Defender false positive incidents continue to raise concerns over Windows security reliability.

A critical error in Microsoft's flagship security platform has sent shockwaves across the global cybersecurity community after Microsoft Defender wrongly flagged DigiCert root certificates as a Trojan, triggering widespread panic among enterprises and system administrators.

The issue emerged in early May 2026, when a faulty security intelligence update caused Defender to misidentify trusted DigiCert root certificates as malware. The detection, labeled Trojan:Win32/Cerdigent.A!dha, appeared on Windows systems worldwide as the update propagated, leading to mass alerts and automated remediation actions.

What made the incident particularly alarming was not just the false alert but its consequences. Defender, acting on its own classification, began quarantining and in some cases removing critical certificates from the Windows trust store. These certificates, including DigiCert Assured ID Root CA and DigiCert Trusted Root G4, are root certificates: they anchor the chains used to verify secure connections and signed software across the internet.

Image: Defender showing the Trojan:Win32/Cerdigent alert after mistakenly identifying trusted certificates as Trojan malware

Without these trusted root certificates, a system can no longer validate any certificate chain that ends at them: HTTPS connections to sites issued under those roots fail to verify, software signatures chained to them can no longer be authenticated, and encrypted communications that depend on them break. For enterprises, the disruption extended beyond inconvenience, raising fears of broken trust chains and compromised operations.

The root cause has been traced to a flawed signature update rolled out around April 30. According to cybersecurity reports, Microsoft Defender introduced new detection logic intended to identify malicious behavior, but the logic mistakenly matched the hashes of legitimate certificates.

This misclassification led to a flood of high-severity alerts across enterprise environments. In automated setups, Defender's default response kicked in immediately, removing what it believed to be malicious files without human intervention. The result was a cascading effect across networks, particularly on Windows 11 systems and enterprise servers.

For many IT teams, the alerts were initially indistinguishable from a real cyberattack. Security dashboards lit up with warnings, and administrators scrambled to contain what they believed was a widespread malware outbreak. Some even resorted to drastic actions, including system resets and emergency shutdowns, before realizing the issue was a false alarm.

The episode highlights the growing risks associated with automated cybersecurity systems, where speed and autonomy can amplify errors. While automation is designed to enhance protection, it also reduces the window for human verification, making false positives more disruptive when they occur.

Microsoft responded swiftly, releasing updated security intelligence versions that corrected the faulty detection. Later updates stopped flagging the certificates and, in many cases, restored those that had been removed.
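For administrators who need to confirm that an affected host still trusts the two roots named above and that it has picked up the corrected security intelligence, the following PowerShell is an added example written for this page; it is not code from the article, from Microsoft or from DigiCert. The two certificate subject names come from the report. The store names, the Defender cmdlets and the MpCmdRun.exe restore switches are standard Windows features; the certificate file name in the final comment is a placeholder.

```powershell
# Added example (not from the article or Microsoft). Run from an elevated
# PowerShell prompt on an affected host. It checks that the two DigiCert roots
# named in the report are present, lists any Cerdigent detections Defender has
# recorded, and pulls the current security intelligence.

# Subject names taken from the article. A root's Subject string begins with
# its CN, so a prefix match is enough to find it.
$expectedRoots = @(
    'CN=DigiCert Assured ID Root CA',
    'CN=DigiCert Trusted Root G4'
)

# Root holds locally installed roots; AuthRoot holds roots delivered by the
# Windows automatic root update program. Public roots such as these normally
# live in one of the two, so both are checked.
$found = foreach ($store in 'Root', 'AuthRoot') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object {
            $subject = $_.Subject
            [bool]($expectedRoots | Where-Object { $subject -like "$_*" })
        } |
        Select-Object @{ Name = 'Store'; Expression = { $store } }, Subject, Thumbprint, NotAfter
}

foreach ($root in $expectedRoots) {
    $hits = @($found | Where-Object { $_.Subject -like "$root*" })
    if ($hits.Count -gt 0) {
        '{0}: present in {1}' -f $root, (($hits.Store | Sort-Object -Unique) -join ', ')
    } else {
        # Missing root: the host cannot build chains to it until it is restored.
        Write-Warning ('{0}: missing from both Root and AuthRoot' -f $root)
    }
}

# Security intelligence version currently loaded, for comparison with the
# version Microsoft shipped the correction in.
$status = Get-MpComputerStatus
'Security intelligence version {0}, last updated {1}' -f `
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated

# Detections whose threat name matches the false positive named in the report.
$cerdigent = @(Get-MpThreat | Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' })
if ($cerdigent.Count -gt 0) {
    $cerdigent | Select-Object ThreatName, IsActive, Resources | Format-List
} else {
    'No Cerdigent detections recorded on this host.'
}

# Fetch the corrected intelligence before touching the trust store; a root
# restored while the bad signature is still loaded can simply be flagged again.
Update-MpSignature

# If the remediation quarantined rather than deleted the affected items,
# Defender's command-line tool can list and restore them by threat name:
# & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
# & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -Name 'Trojan:Win32/Cerdigent.A!dha'
#
# If a root is simply absent, reinstall it from the certificate file DigiCert
# publishes for that root, after verifying its thumbprint against DigiCert's
# published fingerprint (file name below is a placeholder):
# Import-Certificate -FilePath .\DigiCertTrustedRootG4.crt -CertStoreLocation Cert:\LocalMachine\Root
```

On a healthy host each root reports "present in" at least one store and the detection query returns nothing; a warning for either root, or an active Cerdigent entry, means the machine still needs the corrected intelligence and a restore before it can validate chains under those roots again.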

Still, the incident has raised broader concerns about the reliability of security updates and the trust users place in them. A false positive, in which Defender mistakenly identifies a legitimate file as a threat, is a familiar category of error; this episode shows how damaging one can be when the misidentified component is part of the platform's own trust infrastructure.

Additional reporting confirmed that the flawed update affected nearly all Windows systems and that the detection specifically targeted two widely used root certificates, triggering high-severity alerts across networks.

At the center of the issue lies what experts describe as a signature-logic failure: the Trojan:Win32/Cerdigent.A!dha detection misfired against trusted cryptographic components.

While no actual malware was involved, the scale of the disruption underscores a structural weakness in modern cybersecurity frameworks: the reliance on automated detection systems that operate at machine speed. When these systems fail, the consequences can ripple across global infrastructure within hours.

The DigiCert incident serves as a stark reminder that even the most trusted security tools are not immune to error. For organizations, it reinforces the need for layered defenses, manual validation processes, and contingency planning.

As cybersecurity threats grow more sophisticated, so too must the systems designed to combat them. But as this episode shows, the line between protection and disruption can sometimes be dangerously thin.

Technology Desk

The Technology Desk leads The Eastern Herald's coverage of consumer technology, online platforms, artificial intelligence, and internet policy.
