Microsoft Defender Mistakenly Removes DigiCert Root Certificates Globally
Microsoft Defender triggered a security crisis this week after a botched signature update flagged two core DigiCert root certificates as malware, stripping them from Windows systems worldwide. The error—unleashed by a routine database update—sparked a cascade of trust issues for users and enterprises, effectively undermining the backbone of secure Windows communications. The incident, first reported on June 4, affected the “DigiCert Global Root G2” and “DigiCert Global Root G3” certificates, both critical to validating a vast swath of websites and signed software on Windows platforms, according to Notebookcheck.
These root certificates anchor trust for millions of encrypted connections and signed applications. Their sudden quarantine and removal by Defender didn’t just trigger alerts—it silently broke authentication for countless services. Reports of the issue began surfacing overnight as users and IT admins noticed failed website connections, blocked install packages, and a surge of “untrusted certificate” errors. By Wednesday morning, the scale had ballooned: organizations from North America to Europe reported widespread failures, with Windows 10 and 11 systems most affected.
The timing couldn’t be worse, with DigiCert holding a 25% market share in SSL root certificates for the world’s top 1,000,000 websites. Defender’s error essentially yanked trust from a quarter of the digital economy’s secure transactions in a single update cycle.
Security Risks and Operational Disruptions Caused by Certificate Removal
Pulling trusted root certificates out from under live Windows systems is not a minor glitch—it’s a direct hit to the architecture of digital trust. Without these certificates, browsers refuse to load HTTPS sites, encrypted email breaks, and any application relying on DigiCert’s chain of trust starts to fail. For end users, that meant a sudden wave of “connection not secure” warnings, failed software installations, and—critically—business applications refusing to run.
Large enterprises felt the shock first. Major SaaS providers, fintech platforms, and healthcare systems that rely on DigiCert for code signing and secure communications faced authentication failures. For example, internal tools and VPN clients that depend on certificate pinning were immediately flagged as compromised or untrusted. Some organizations saw automated software updates grind to a halt, while others fielded helpdesk tickets from employees locked out of secure portals.
These disruptions have real-world consequences. A single missed certificate validation can interrupt online banking, delay health record access, or expose users to phishing warnings. In the past, similar certificate trust failures—like the 2020 Let’s Encrypt root expiration—led to outages for over 2.5 million websites in a single day. The Defender incident, while narrower in certificate scope, hit at the heart of Windows’ default trust store, amplifying the risk.
For security teams, the sudden loss of trusted roots also creates a false sense of threat. If Defender labels a foundational certificate as malware, it forces admins to choose between restoring trust manually (with all the attendant risk) or leaving critical business processes broken.
Microsoft’s Response and Steps to Restore System Security
Microsoft acknowledged the Defender mistake within hours, pushing a signature rollback and updated guidance to restore the removed DigiCert certificates. The company urged affected users to manually update Defender definitions and reboot impacted systems—a process that, for large organizations, meant scrambling to script mass certificate reinstallation and double-checking trust chains across thousands of endpoints.
The fix was not instantaneous. Machines quarantined from the internet or running outdated Defender versions remained in limbo until administrators intervened. Microsoft published a detailed remediation script, but with the certificates stripped, some secure channels for downloading and verifying updates were themselves broken.
Industry response was swift. DigiCert warned partners to audit their trust chains for broken links, and several infosec firms flagged the incident as a warning of the growing risks from automated security tooling. In the age of rapid signature updates fueled by machine learning, even a single misclassification can ripple through the global internet in hours.
Looking ahead, enterprises should not assume this is a one-off. Certificate trust infrastructure remains a high-value, fragile target for both attackers and accidental disruption. Security teams should audit their certificate stores, monitor for unexplained trust changes, and ensure robust rollback procedures for AV signature updates—especially as Microsoft and rivals like CrowdStrike and SentinelOne accelerate automated malware detection.
The immediate advice: verify Defender is updated to the latest definitions (1.411.222.0 or newer), check that DigiCert roots are restored, and monitor for lingering authentication errors. Expect Microsoft to harden its signature QA pipeline, but for now, zero trust means never trusting your own tools blindly.
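The three checks in that advice can be scripted for a single endpoint and then run fleet-wide. The PowerShell below is an added example, not Microsoft's remediation script and not anything published by DigiCert: it reads the Defender definition version and compares it with the 1.411.222.0 floor cited above, confirms that both DigiCert roots are present in the machine Root store by subject name (printing thumbprints for comparison against DigiCert's published values rather than hard-coding them), and lists recent Defender detection events that mention DigiCert. The seven-day lookback window and the assumption that a detection's event message text names the certificate are the author's own choices and should be adjusted to what your environment actually logs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article, Microsoft or DigiCert): a post-incident
# health check for one Windows endpoint.
#   1. Defender definitions are at or above the version cited in the article
#   2. Both DigiCert roots are present in Cert:\LocalMachine\Root
#   3. Any recent Defender detection events that mention DigiCert are listed
# Exit code 1 signals "needs remediation" so the script can drive a fleet rollout.

$MinimumSignatureVersion = [version]'1.411.222.0'          # version cited in the article
$ExpectedRoots = @('DigiCert Global Root G2', 'DigiCert Global Root G3')
$LookbackDays  = 7                                           # assumption: event search window

# 1. Defender definition version; update in place if it is behind the floor
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -lt $MinimumSignatureVersion) {
    Write-Warning "Defender definitions $current are older than $MinimumSignatureVersion; running Update-MpSignature"
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
Write-Host "Defender definitions: $current (last updated $($status.AntivirusSignatureLastUpdated))"

# 2. Root store check. A root CA is self-signed, so Subject must equal Issuer;
#    the thumbprint is printed so it can be compared with DigiCert's published value.
$rootStore = Get-ChildItem -Path Cert:\LocalMachine\Root
$missing   = @()
foreach ($name in $ExpectedRoots) {
    $match = $rootStore | Where-Object {
        $_.Subject -match "CN=$name(,|$)" -and $_.Subject -eq $_.Issuer
    }
    if ($match) {
        foreach ($c in $match) {
            Write-Host ("OK       {0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $name, $c.Thumbprint, $c.NotAfter)
        }
    } else {
        $missing += $name
        Write-Warning "MISSING  $name is not in Cert:\LocalMachine\Root"
    }
}

# 3. Recent Defender detections: event 1116 = threat detected, 1117 = action taken.
#    Assumption: the event message text names the certificate; filter on 'DigiCert'.
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'DigiCert' }
foreach ($e in $events) {
    Write-Host ("{0:u}  event {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}

# 4. Summary and exit code for fleet-wide use
if ($missing.Count -gt 0 -or $current -lt $MinimumSignatureVersion) {
    Write-Warning "Endpoint needs remediation: missing roots = $($missing -join ', ')"
    exit 1
}
Write-Host "Endpoint healthy: definitions current and DigiCert roots present."
exit 0
```

Two caveats when reading the output. On an internet-connected machine with the Automatic Root Certificates Update feature enabled, a root that is absent from `Cert:\LocalMachine\Root` may be fetched on first use, so "MISSING" is a signal to investigate rather than proof that connections are failing; on isolated machines, which the article notes stayed broken longest, the root must be restored by hand, for example with `certutil -addstore Root <file.cer>` using the certificate file obtained from DigiCert. And because a detection record is the evidence of what Defender actually did to the endpoint, keep the 1116/1117 events from the incident window rather than clearing them when the fix lands.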
Impact Analysis
- Microsoft Defender's error disrupted secure Windows communications for millions of users and enterprises.
- Removing DigiCert root certificates compromised authentication for websites and software, affecting a quarter of global secure transactions.
- The incident highlights the critical importance of certificate trust infrastructure and the risks posed by automated security updates.