MC1224565 - Trust DigiCert Global Root G2 certificate authority to avoid Exchange Online email disruption

Introduction

Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs. 

Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains.

When this will happen:

Organizations must complete required certificate trust updates before April 30, 2026.

How this affects your organization:

Who is affected:

This change applies to all organizations (Worldwide, GCC, GCC‑High, DoD) that:

• Send or receive email with Exchange Online and
• Either:
• Your organization has disabled the Windows CTL Updater feature that by default downloads the Certificate Trust List (CTL).
  • The CTL contains trusted and untrusted root certificates. Learn more: Certificates and trust in Windows.
  • This scenario may apply if your organization maintains its own set of trusted Root and Intermediate Certificates via Group Policy or via a redirected Microsoft Automatic Update URL. Learn more: Configure trusted roots and disallowed certificates in Windows.
  • You can determine whether the Windows CTL Updater feature is disabled by reviewing the Who needs to take action section of this Microsoft guidance: Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption.
• You use older or custom application environments such as:
• Legacy Java/JDK/JRE runtimes
• Embedded systems and appliances
• Custom or outdated Linux images
• Air‑gapped systems
• Third‑party email gateways or security appliances that perform certificate chain validation

This change applies to any system performing full certificate chain validation against Exchange Online, including Exchange Server, security appliances, and third-party email gateways. If you use third-party email appliances, please contact the vendor directly for support.

Windows systems with the CTL Updater enabled (default) do not require action.

What will happen:

If the DigiCert Global Root G2 certificate or required intermediates are missing or cannot be retrieved during TLS negotiation:

• Outbound email clients may:
• Refuse to send email when strict certificate validation is enforced
• Fall back to unencrypted SMTP if allowed
• Inbound SMTP connections from Exchange Online may fail or be delayed
• Email flow reliability may be reduced
• Systems not using up‑to‑date certificate chains may be unable to validate TLS certificates presented by Exchange Online

If your organization already maintains the current Office 365 certificate chains, no impact is expected.

What you can do to prepare:

Required actions:

If your environment has disabled Windows CTL updates or relies on older/custom runtimes, complete the actions outlined in the What you must do section of: Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption

Specific actions include:

• Review whether Windows CTL Updater is disabled in your organization.
• Confirm whether SMTP servers, security appliances, and gateways fully trust the DigiCert Global Root G2 CA and subordinate CAs.
• Ensure outdated or custom runtimes (Java, Linux, embedded systems, etc.) include the required certificates.
• Contact your third‑party email appliance vendor if they manage certificate chains.
• Update internal documentation and inform helpdesk teams as required.

No action required if:

• You are using Windows systems with CTL Updater enabled (default behavior), and
• Your organization already trusts the latest Office 365 certificate chains.

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.