MC1224565 - Trust DigiCert Global Root G2 certificate authority to avoid Exchange Online email disruption

Message ID

MC1224565

View in Message Center

Service

Exchange Online

Last Updated

Mar 16, 2026

Published Jan 30, 2026

Tag

Major change

Updated message

Admin impact

Act by

Mar 22, 2026

Summary

To avoid Exchange Online email disruption by March 23, 2026, organizations must trust the updated DigiCert Global Root G2 certificate and intermediates, especially if they disable Windows CTL updates or use custom/older runtimes. Failure to update may cause mail flow issues.

More information

Updated March 16, 2026: We republished the Microsoft 365 Root Certificate Chain Bundles for Worldwide (WWMT) and GCC High / DoD (ITAR) after identifying that the previously published bundles were missing required information. If you already completed the steps in this message, you must download the updated bundle and complete the certificate trust steps again as soon as possible. Failure to trust the updated DigiCert Global Root G2 chain and its intermediates may result in mail flow disruption once providers begin distrusting the DigiCert G1 root.

We’ve been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rotate certificates ahead of this event, customers must trust the DigiCert Global Root G2 certificate authority by March 22 (previously March 15). Thank you for your patience.

Introduction

Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs.

Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains.

When this will happen:

Organizations must complete required certificate trust updates before March 23, 2026 (previously March 16).

How this affects your organization:

Who is affected:

This change applies to all organizations (Worldwide, GCC, GCC‑High, DoD) that:

Send or receive email with Exchange Online and
Either:

Your organization has disabled the Windows CTL Updater feature that by default downloads the Certificate Trust List (CTL).
- The CTL contains trusted and untrusted root certificates. Learn more: Certificates and trust in Windows.
- This scenario may apply if your organization maintains its own set of trusted Root and Intermediate Certificates via Group Policy or via a redirected Microsoft Automatic Update URL. Learn more: Configure trusted roots and disallowed certificates in Windows.
- You can determine whether the Windows CTL Updater feature is disabled by reviewing the Who needs to take action section of this Microsoft guidance: Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption.
You use older or custom application environments such as:

Legacy Java/JDK/JRE runtimes
Embedded systems and appliances
Custom or outdated Linux images
Air‑gapped systems
Third‑party email gateways or security appliances that perform certificate chain validation

This change applies to any system performing full certificate chain validation against Exchange Online, including Exchange Server, security appliances, and third-party email gateways. If you use third-party email appliances, please contact the vendor directly for support.

Windows systems with the CTL Updater enabled (default) do not require action.

What will happen:

If the DigiCert Global Root G2 certificate or required intermediates are missing or cannot be retrieved during TLS negotiation:

Outbound email clients may:

Refuse to send email when strict certificate validation is enforced
Fall back to unencrypted SMTP if allowed

Inbound SMTP connections from Exchange Online may fail or be delayed
Email flow reliability may be reduced
Systems not using up‑to‑date certificate chains may be unable to validate TLS certificates presented by Exchange Online

If your organization already maintains the current Office 365 certificate chains, no impact is expected.

What you can do to prepare:

Required actions:

If your environment has disabled Windows CTL updates or relies on older/custom runtimes, complete the actions outlined in the What you must do section of: Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption

Specific actions include:

Review whether Windows CTL Updater is disabled in your organization.
Confirm whether SMTP servers, security appliances, and gateways fully trust the DigiCert Global Root G2 CA and subordinate CAs.
Ensure outdated or custom runtimes (Java, Linux, embedded systems, etc.) include the required certificates.
Contact your third‑party email appliance vendor if they manage certificate chains.
Update internal documentation and inform helpdesk teams as required.

No action required if:

You are using Windows systems with CTL Updater enabled (default behavior), and
Your organization already trusts the latest Office 365 certificate chains.

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.