M365 Message Center by Cengiz YILMAZ


Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft


Trust DigiCert Global Root G2 certificate authority to avoid Exchange Online email disruption

Plan for Change
Major Change

Message ID

MC1224565

Services

Exchange Online

Summary

To avoid Exchange Online email disruption by March 23, 2026, organizations must trust the updated DigiCert Global Root G2 certificate and intermediates, especially if they disable Windows CTL updates or use custom/older runtimes. Failure to update may cause mail flow issues.

Details

Updated March 16, 2026: We republished the Microsoft 365 Root Certificate Chain Bundles for Worldwide (WWMT) and GCC High / DoD (ITAR) after identifying that the previously published bundles were missing required information. If you already completed the steps in this message, you must download the updated bundle and complete the certificate trust steps again as soon as possible. Failure to trust the updated DigiCert Global Root G2 chain and its intermediates may result in mail flow disruption once providers begin distrusting the DigiCert G1 root.

We’ve been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rotate certificates ahead of this event, customers must trust the DigiCert Global Root G2 certificate authority by March 22 (previously March 15). Thank you for your patience. 

Introduction

Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs. 

Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains.

When this will happen:

Organizations must complete required certificate trust updates before March 23, 2026 (previously March 16).

How this affects your organization:

Who is affected:

This change applies to all organizations (Worldwide, GCC, GCC‑High, DoD) that:

  • Send or receive email with Exchange Online and
  • Either:
    • Your organization has disabled the Windows CTL Updater feature that by default downloads the Certificate Trust List (CTL).
      • The CTL contains trusted and untrusted root certificates. Learn more: Certificates and trust in Windows.
      • This scenario may apply if your organization maintains its own set of trusted Root and Intermediate Certificates via Group Policy or via a redirected Microsoft Automatic Update URL. Learn more: Configure trusted roots and disallowed certificates in Windows.
      • You can determine whether the Windows CTL Updater feature is disabled by reviewing the Who needs to take action section of this Microsoft guidance: Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption.
    • You use older or custom application environments such as:
      • Legacy Java/JDK/JRE runtimes
      • Embedded systems and appliances
      • Custom or outdated Linux images
      • Air‑gapped systems
      • Third‑party email gateways or security appliances that perform certificate chain validation

This change applies to any system performing full certificate chain validation against Exchange Online, including Exchange Server, security appliances, and third-party email gateways. If you use third-party email appliances, please contact the vendor directly for support.

Windows systems with the CTL Updater enabled (default) do not require action.

What will happen:

If the DigiCert Global Root G2 certificate or required intermediates are missing or cannot be retrieved during TLS negotiation:

  • Outbound email clients may:
    • Refuse to send email when strict certificate validation is enforced
    • Fall back to unencrypted SMTP if allowed
  • Inbound SMTP connections from Exchange Online may fail or be delayed
  • Email flow reliability may be reduced
  • Systems not using up‑to‑date certificate chains may be unable to validate TLS certificates presented by Exchange Online

If your organization already maintains the current Office 365 certificate chains, no impact is expected.

What you can do to prepare:

Required actions:

If your environment has disabled Windows CTL updates or relies on older/custom runtimes, complete the actions outlined in the What you must do section of: Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption.

Specific actions include:

  • Review whether Windows CTL Updater is disabled in your organization.
  • Confirm whether SMTP servers, security appliances, and gateways fully trust the DigiCert Global Root G2 CA and subordinate CAs.
  • Ensure outdated or custom runtimes (Java, Linux, embedded systems, etc.) include the required certificates.
  • Contact your third‑party email appliance vendor if they manage certificate chains.
  • Update internal documentation and inform helpdesk teams as required.
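
One way to run the "confirm the root is trusted" check on a custom trust store or runtime, as an added example (not Microsoft's code and not part of the original message). It narrows the check to the root named above and does not cover the intermediates; the function names and the `SAMPLE` entries are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

TARGET_CN = "DigiCert Global Root G2"  # root CA named in the message above

def common_name(name):
    """Extract commonName from a subject/issuer tuple in get_ca_certs() form."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _utc(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def find_root(ca_certs, cn=TARGET_CN, now=None):
    """Return 'trusted', 'not-valid-now' or 'missing' for the root named cn."""
    now = now or datetime.now(timezone.utc)
    status = "missing"
    for cert in ca_certs:
        if common_name(cert.get("subject", ())) != cn:
            continue
        if cert["subject"] != cert["issuer"]:
            continue  # same name but not self-issued: not the root itself
        if _utc(cert["notBefore"]) <= now <= _utc(cert["notAfter"]):
            return "trusted"
        status = "not-valid-now"
    return status

def audit_bundle(cafile=None):
    """Classify a PEM bundle file, or the runtime default store if cafile is None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return find_root(ctx.get_ca_certs())

def sample_name(cn):  # builds a name tuple for the constructed entries below
    return ((("countryName", "US"),), (("commonName", cn),))

# Constructed sample in get_ca_certs() shape; dates are illustrative, not the real ones.
SAMPLE = [
    {"subject": sample_name(TARGET_CN), "issuer": sample_name(TARGET_CN),
     "notBefore": "Jan 15 00:00:00 2020 GMT", "notAfter": "Jan 15 00:00:00 2040 GMT"},
    {"subject": sample_name("Example Legacy Root"), "issuer": sample_name("Example Legacy Root"),
     "notBefore": "Jan 15 00:00:00 2010 GMT", "notAfter": "Jan 15 00:00:00 2030 GMT"},
]

if __name__ == "__main__":
    print(audit_bundle())  # checks this Python runtime's default trust store
```

Pass `audit_bundle()` the path of the PEM bundle your gateway or image actually loads. A `trusted` result is a name and validity match only, so compare the certificate's fingerprint with the one in the bundle Microsoft publishes and check the intermediates separately.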

No action required if:

  • You are using Windows systems with CTL Updater enabled (default behavior), and
  • Your organization already trusts the latest Office 365 certificate chains.

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.

Timeline

Published
Jan 30, 2026
Message published to Message Center
Updated
Mar 16, 2026
Message content updated
Action Required By
Mar 22, 2026
Action deadline
End Date
Jun 15, 2026
Message timeline ends

Tags

#Updated message #Admin impact

Category

Plan for Change

Related Messages

Similar updates

MC1191578 ●

Update to EWS Access for Kiosk / Frontline Worker Licenses

Dec 2, 2025
MC1227454 ●

Exchange Web Services (EWS) retirement update

Feb 5, 2026
MC1226222

Prevent/Fix: Guidance for On-Premises Connectors Configuration

Feb 2, 2026
MC1048624 ●

DNS Provisioning Change

Apr 4, 2025
MC786329 ●

Exchange Online to retire Basic Auth for Client Submission (SMTP AUTH)

Apr 26, 2024