Microsoft Defender started flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha on April 30, 2026. The bad signature quarantines registry entries for two of the most-used roots on the internet, breaking TLS validation and code signing chains.
Quick Fix
Update Defender definitions to 1.449.430.0 or later, then reboot. Run this in an elevated PowerShell:
Set-MpPreference -SignatureFallbackOrder "MicrosoftUpdateServer|MMPC"   # fallback order is a single pipe-separated string
Update-MpSignature
(Get-MpComputerStatus).AntivirusSignatureVersion   # should read 1.449.430.0 or later before you reboot
Restart-Computer
After reboot, Defender restores the quarantined certificates automatically on most endpoints.
What This Does
Microsoft confirmed the false positive and shipped a corrected signature in 1.449.430.0. The new signature stops flagging the DigiCert registry entries and releases anything still in quarantine on update.
If That Did Not Work
Manually release from quarantine. Do this only after definitions are at 1.449.430.0 or later; with the old signature still active the restored entries match again. List what is quarantined first, then restore everything under the detection name:
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -ListAll
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -Name "Trojan:Win32/Cerdigent.A!dha" -All
Then verify the trust store has both roots:
Get-ChildItem Cert:\LocalMachine\Root |
Where-Object { $_.Thumbprint -in @(
'0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',   # DigiCert Assured ID Root CA
'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'    # DigiCert Trusted Root G4
)} | Format-List Subject, Thumbprint, NotAfter
Both roots should be listed: DigiCert Assured ID Root CA and DigiCert Trusted Root G4. If either is missing, export it from a clean machine and re-import with certutil -addstore Root cert.cer, then re-run the check above. Match on thumbprint, not on subject name: the thumbprint is the SHA-1 hash of the DER-encoded certificate, so a look-alike certificate with the right name but a different thumbprint will not pass, and an import whose thumbprint does not match one of the two values above should not be trusted.
What Causes This
Security Intelligence update 1.449.424.0 shipped a heuristic that incorrectly matched the registry footprint of two DigiCert root CAs. Defender treats matched registry entries the same as malware files and removes them, which yanks the roots from the Windows trust store. The timing came right after a real DigiCert code-signing incident, which is likely why the heuristic was tuned aggressively.
Do not add a permanent exclusion for the certificate hashes. The signature is fixed upstream and exclusions become forgotten attack surface.
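An audit to find a workaround that did get left behind. This is an added example, not code from the original article; it assumes an elevated session, and the only value taken from the article is the detection name. It lists Defender's path, extension and process exclusions, then walks the per-threat default-action table (two parallel arrays, where action code 6 means Allow) and flags any entry that allows this detection.

```powershell
# Added audit snippet; not part of the original article. Lists Defender
# exclusions and per-threat "Allow" overrides so a workaround left behind during
# the incident can be found and removed. Assumes an elevated session; the
# detection name is the one quoted in the article.
$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'
$pref = Get-MpPreference

# Path, extension and process exclusions. Anything added here during the
# incident should be removed now that the signature is fixed upstream.
[pscustomobject]@{
    ExclusionPath      = @($pref.ExclusionPath)
    ExclusionExtension = @($pref.ExclusionExtension)
    ExclusionProcess   = @($pref.ExclusionProcess)
} | Format-List

# Per-threat default actions are stored as two parallel arrays:
# ThreatIDDefaultAction_Ids[i] is acted on with ThreatIDDefaultAction_Actions[i].
# Action code 6 = Allow.
$ids     = @($pref.ThreatIDDefaultAction_Ids)
$actions = @($pref.ThreatIDDefaultAction_Actions)
$allowedIds = @()
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($actions[$i] -eq 6) { $allowedIds += $ids[$i] }
}

if ($allowedIds.Count -eq 0) {
    Write-Host 'No per-threat Allow overrides configured.'
}
foreach ($id in $allowedIds) {
    # Resolve the numeric threat ID back to its name via the local threat catalog.
    $name = (Get-MpThreatCatalog -ThreatID $id).ThreatName
    if ($name -eq $DetectionName) {
        Write-Warning "Threat ID $id ($name) is set to Allow. Remove it with: Remove-MpPreference -ThreatIDDefaultAction_Ids $id"
    } else {
        Write-Host "Allow override present for threat ID $id ($name); review whether it is still needed."
    }
}
```

Nothing here changes configuration; it only reports, and the warning line prints the exact Remove-MpPreference call to run once you have confirmed the override is the leftover workaround and not something else.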
Need help auditing Defender or trust chains across your business? Rain City Techworks handles managed IT and security for businesses in the Seattle and Tacoma area.