check before: 2026-03-15
Product:
Exchange, Windows
Platform:
Linux, Online, US Instances, World tenant
Status:
Change type:
Admin impact, Updated message
Links:
Details:
Summary:
To avoid Exchange Online email disruption by March 15, 2026, organizations must trust the DigiCert Global Root G2 certificate authority. This affects those with disabled Windows CTL updates or using older/custom runtimes. Systems with default Windows CTL Updater enabled require no action.
Details:
Updated February 4, 2026: We have updated the timeline. We've been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rotate certificates ahead of this event, customers must trust the DigiCert Global Root G2 certificate authority by March 15 (previously April 30). Thank you for your patience.
[Introduction]
Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs.
Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains.
[When this will happen:]
Organizations must complete required certificate trust updates before March 15, 2026 (previously April 30).
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2026-01-30
updated:
2026-02-05
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
Organizations using Exchange Online need to ensure their systems trust the new DigiCert Global Root G2 certificate by March 15, 2026, to avoid email service disruptions, especially if they have customized settings or older systems that don't automatically update certificates.
Direct effects for Operations**
Email Disruption
If the DigiCert Global Root G2 certificate is not trusted, outbound email clients may refuse to send emails, leading to communication breakdown.
- roles: Email Administrators, IT Support Staff
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
Inbound Email Failures
Inbound SMTP connections from Exchange Online may fail or be delayed, impacting email reception and user experience.
- roles: Email Administrators, Network Engineers
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
Reduced Email Flow Reliability
Email flow reliability may be reduced if systems cannot validate TLS certificates, leading to potential data loss or delays.
- roles: Email Administrators, IT Operations Managers
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
Legacy System Compatibility Issues
Older or custom application environments may fail to validate TLS certificates, causing disruptions in email services.
- roles: Application Developers, System Administrators
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/configure-trusted-roots-disallowed-certificates, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
Increased Support Tickets
Failure to prepare for the certificate trust update may lead to an increase in support tickets from users experiencing email issues.
- roles: Helpdesk Staff, IT Support Managers
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
XXXXXXX ... free basic plan only
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2026-02-05 | MC MessageTagNames | Admin impact | Updated message, Admin impact |
| 2026-02-05 | MC Summary | To avoid Exchange Online email disruption by April 30, 2026, ensure your servers and clients trust the DigiCert Global Root G2 CA. This is critical if you disable Windows CTL updates or use older/custom runtimes. Windows systems with default CTL updates enabled require no action. | To avoid Exchange Online email disruption by March 15, 2026, organizations must trust the DigiCert Global Root G2 certificate authority. This affects those with disabled Windows CTL updates or using older/custom runtimes. Systems with default Windows CTL Updater enabled require no action. |
| 2026-02-05 | MC Last Updated | 01/30/2026 01:04:47 | 2026-02-04T22:56:14Z |
| 2026-02-05 | MC Messages | [Introduction]
Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs. Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains. [When this will happen:] Organizations must complete required certificate trust updates before April 30, 2026. | Updated February 4, 2026: We have updated the timeline. We've been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rotate certificates ahead of this event, customers must trust the DigiCert Global Root G2 certificate authority by March 15 (previously April 30). Thank you for your patience.
[Introduction] Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs. Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains. [When this will happen:] Organizations must complete required certificate trust updates before March 15, 2026 (previously April 30). |
| 2026-02-05 | MC Action Required By | 04/29/2026 09:00:00 | 2026-03-15T08:00:00Z |
| 2026-02-05 | MC Title | Trust DigiCert Global Root G2 certificate authority to avoid Exchange Online email disruption | (Updated) Trust DigiCert Global Root G2 certificate authority to avoid Exchange Online email disruption |
| 2026-02-05 | MC End Time | 05/31/2026 09:00:00 | 2026-04-20T09:00:00Z |
Last updated 2 weeks ago ago
