check before: 2026-03-22
Product:
Exchange, Windows
Platform:
Linux, Online, US Instances, World tenant
Status:
Change type:
Admin impact, Updated message
Links:
Details:
Summary:
To avoid Exchange Online email disruption by March 23, 2026, organizations must trust the updated DigiCert Global Root G2 certificate and intermediates, especially if they disable Windows CTL updates or use custom/older runtimes. Failure to update may cause mail flow issues.
Details:
Updated March 16, 2026: We republished the Microsoft 365 Root Certificate Chain Bundles for Worldwide (WWMT) and GCC High / DoD (ITAR) after identifying that the previously published bundles were missing required information. If you already completed the steps in this message, you must download the updated bundle and complete the certificate trust steps again as soon as possible. Failure to trust the updated DigiCert Global Root G2 chain and its intermediates may result in mail flow disruption once providers begin distrusting the DigiCert G1 root.
We've been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rotate certificates ahead of this event, customers must trust the DigiCert Global Root G2 certificate authority by March 22 (previously March 15). Thank you for your patience.
[Introduction]
Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs.
Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains.
[When this will happen:]
Organizations must complete required certificate trust updates before March 23, 2026 (previously March 16).
Release Phase:
Created:
2026-01-30
updated:
2026-03-17
Direct effects for Operations**
Email Flow Disruption
Failure to trust the updated DigiCert Global Root G2 certificate may lead to outbound email clients refusing to send emails, resulting in significant email flow disruption.
- roles: IT Administrators, Email System Administrators
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
TLS Negotiation Failures
If the required certificates are missing, TLS negotiation may fail, causing inbound SMTP connections from Exchange Online to fail or be delayed.
- roles: Network Engineers, Email System Administrators
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
Reduced Email Reliability
Not updating the certificate trust may lead to reduced reliability in email flow, affecting communication and operations.
- roles: IT Administrators, End Users
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
Fallback to Unencrypted SMTP
Strict certificate validation failure may cause email clients to fall back to unencrypted SMTP, posing security risks.
- roles: IT Security Officers, Email System Administrators
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
Impact on Legacy Systems
Organizations using older or custom runtimes may face issues validating TLS certificates, leading to potential service disruptions.
- roles: System Administrators, Legacy System Managers
- references: https://learn.microsoft.com/windows-server/identity/ad-cs/certificate-trust, https://techcommunity.microsoft.com/blog/exchange/trust-digicert-global-root-g2-certificate-authority-to-avoid-exchange-online-ema/4488311
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| --- | --- | --- | --- |
| 2026-03-17 | MC Last Updated | 02/04/2026 22:56:14 | 2026-03-16T19:08:36Z |
| 2026-03-17 | MC Messages | Updated February 4, 2026: We have updated the timeline. We've been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rotate certificates ahead of this event, customers must trust the DigiCert Global Root G2 certificate authority by March 15 (previously April 30). Thank you for your patience. [Introduction] Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs. Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains. [When this will happen:] Organizations must complete required certificate trust updates before March 15, 2026 (previously April 30). | Updated March 16, 2026: We republished the Microsoft 365 Root Certificate Chain Bundles for Worldwide (WWMT) and GCC High / DoD (ITAR) after identifying that the previously published bundles were missing required information. If you already completed the steps in this message, you must download the updated bundle and complete the certificate trust steps again as soon as possible. Failure to trust the updated DigiCert Global Root G2 chain and its intermediates may result in mail flow disruption once providers begin distrusting the DigiCert G1 root. We've been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rotate certificates ahead of this event, customers must trust the DigiCert Global Root G2 certificate authority by March 22 (previously March 15). Thank you for your patience. [Introduction] Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs. Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains. [When this will happen:] Organizations must complete required certificate trust updates before March 23, 2026 (previously March 16). |
| 2026-03-17 | MC Summary | To avoid Exchange Online email disruption by March 15, 2026, organizations must trust the DigiCert Global Root G2 certificate authority. This affects those with disabled Windows CTL updates or using older/custom runtimes. Systems with default Windows CTL Updater enabled require no action. | To avoid Exchange Online email disruption by March 23, 2026, organizations must trust the updated DigiCert Global Root G2 certificate and intermediates, especially if they disable Windows CTL updates or use custom/older runtimes. Failure to update may cause mail flow issues. |
| 2026-03-17 | MC Action Required By | 03/15/2026 08:00:00 | 2026-03-22T08:00:00Z |
| 2026-03-17 | MC End Time | 04/20/2026 09:00:00 | 2026-06-15T09:00:00Z |
| 2026-02-05 | MC MessageTagNames | Admin impact | Updated message, Admin impact |
| 2026-02-05 | MC Summary | To avoid Exchange Online email disruption by April 30, 2026, ensure your servers and clients trust the DigiCert Global Root G2 CA. This is critical if you disable Windows CTL updates or use older/custom runtimes. Windows systems with default CTL updates enabled require no action. | To avoid Exchange Online email disruption by March 15, 2026, organizations must trust the DigiCert Global Root G2 certificate authority. This affects those with disabled Windows CTL updates or using older/custom runtimes. Systems with default Windows CTL Updater enabled require no action. |
| 2026-02-05 | MC Last Updated | 01/30/2026 01:04:47 | 2026-02-04T22:56:14Z |
| 2026-02-05 | MC Messages | [Introduction] Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs. Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains. [When this will happen:] Organizations must complete required certificate trust updates before April 30, 2026. | Updated February 4, 2026: We have updated the timeline. We've been notified that some email providers may distrust the DigiCert G1 root on April 15, which could result in broad ecosystem‑wide email impact. To ensure Exchange Online can rotate certificates ahead of this event, customers must trust the DigiCert Global Root G2 certificate authority by March 15 (previously April 30). Thank you for your patience. [Introduction] Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs. Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains. [When this will happen:] Organizations must complete required certificate trust updates before March 15, 2026 (previously April 30). |
| 2026-02-05 | MC Action Required By | 04/29/2026 09:00:00 | 2026-03-15T08:00:00Z |
| 2026-02-05 | MC Title | Trust DigiCert Global Root G2 certificate authority to avoid Exchange Online email disruption | (Updated) Trust DigiCert Global Root G2 certificate authority to avoid Exchange Online email disruption |
| 2026-02-05 | MC End Time | 05/31/2026 09:00:00 | 2026-04-20T09:00:00Z |
Last updated 4 weeks ago