
💡 Our Technical Review in summary
Microsoft has announced a mandatory transition for Exchange Online certificate chains. To ensure secure and uninterrupted mail flow, organizations must ensure their systems trust the **DigiCert Global Root G2** Certificate Authority (CA) and its subordinate CAs. While Windows systems with default settings (Certificate Trust List Updater enabled) will handle this automatically, organizations using custom certificate stores, legacy environments, or third-party security appliances must manually verify trust before the deadline of **April 30, 2026**.
#### Impact
If a system does not trust DigiCert Global Root G2 (or cannot obtain the intermediate that chains up to it) by the deadline, certificate chain validation fails during the TLS handshake with Exchange Online. Depending on how strictly each side enforces TLS, that produces the following disruptions:
- Mail Flow Interruption: Inbound SMTP connections from Exchange Online may be delayed or fail entirely if the receiving server cannot validate the certificate chain that Exchange Online presents.
- Outbound Failures: On-premises servers or clients that enforce strict certificate validation will refuse to deliver to Exchange Online, and the messages will sit in queues or bounce.
- Security Downgrades: Where TLS is opportunistic rather than required, the sending system may fall back to plaintext SMTP after the handshake fails, so mail that was previously encrypted in transit is silently sent in the clear. A sudden drop in the share of TLS-protected messages in gateway reporting is therefore a symptom to watch for, not only bounces.
- Affected Environments: Impact is limited to environments that do not receive Microsoft's automatic root updates or that maintain their own trust stores: Windows hosts with CTL updates disabled, air-gapped systems, legacy Java/JRE runtimes, custom Linux images, embedded devices, and third-party email security gateways (e.g., Cisco, Proofpoint, Mimecast). Windows systems with the CTL Updater enabled (the default) need no action.
#### Action Required
IT administrators should perform the following steps to ensure compliance:
- Verify Windows CTL Settings: Confirm that automatic root certificate updates are not disabled, either by the Group Policy setting "Turn off Automatic Root Certificates Update" (Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings) or by the registry value DisableRootAutoUpdate = 1 under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot. If updates are disabled, the DigiCert Global Root G2 certificate must be deployed manually to the machine Root store (Cert:\LocalMachine\Root), not only to a user store.
- Audit Third-Party Appliances: Contact vendors of email gateways, firewalls, or load balancers that validate, terminate, or inspect TLS toward Exchange Online to confirm their trust stores include the DigiCert Global Root G2 chain, and find out how that store is updated (vendor feed, firmware release, or manual import) so the fix is not lost at the next upgrade.
- Update Legacy Runtimes: Import the DigiCert Global Root G2 root (and the intermediates, if the runtime cannot fetch them itself) into the trust stores of legacy Java (JRE/JDK) environments, custom Linux distributions, or embedded systems. Obtain the certificate from DigiCert's published root certificate page and verify its fingerprint before import rather than harvesting it from a live TLS connection.
- Review Air-Gapped Systems: For Windows systems without internet access, obtain the current Certificate Trust List on a connected machine (for example with certutil -syncWithWU) and import it, or the DigiCert Global Root G2 certificate itself, into the offline machine's Root store.
- Validation: Use the resources in the Microsoft guidance (MC1224565) to test connectivity against endpoints that present the new certificate chain before the April 30, 2026 cutoff, and run that test from every system class listed above (relay, gateway, Java host, appliance), not just from a Windows workstation whose trust store is already current.
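As an added example (not part of Microsoft's guidance or of this review), the following PowerShell script performs the Windows-side checks above from the host that actually relays mail: it reads the documented DisableRootAutoUpdate policy value, looks for DigiCert Global Root G2 in the machine Root store, and then does a real SMTP STARTTLS handshake against an Exchange Online endpoint using the operating system's chain engine, reporting which root the presented chain terminates at. The thumbprint constant is DigiCert's published SHA-1 fingerprint for Global Root G2 and should be confirmed against DigiCert's root certificate page before you rely on it; $SmtpHost is a placeholder for your own tenant's MX endpoint and must be replaced.

```powershell
# Added example: pre-flight checks for the DigiCert Global Root G2 transition.
# Assumptions: the registry path/value below is the policy switch behind
# "Turn off Automatic Root Certificates Update"; the thumbprint is DigiCert's
# published fingerprint for Global Root G2 (verify it on digicert.com before use);
# 'yourtenant-com.mail.protection.outlook.com' is a placeholder MX host.

$RootG2Subject    = 'CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US'
$RootG2Thumbprint = 'DF3C24F9BFD666761B268073FE06D1CC8D4F82A4'   # confirm against DigiCert

function Test-CtlUpdaterEnabled {
    # DisableRootAutoUpdate = 1 means the CTL Updater is switched off by policy,
    # which is exactly the case Microsoft says requires manual deployment.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $val = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return -not ($val -and $val.DisableRootAutoUpdate -eq 1)
}

function Test-RootG2Trusted {
    # Check the machine Root store; a root in a user store does not help services.
    $cert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $RootG2Thumbprint }
    if (-not $cert) { return $false }
    return $cert.Subject -eq $RootG2Subject
}

function Test-SmtpStartTlsChain {
    param(
        [Parameter(Mandatory)][string]$SmtpHost,
        [int]$Port = 25
    )
    # Real SMTP dialogue (banner, EHLO, STARTTLS) followed by a TLS handshake.
    # SslStream's default validation uses the Windows chain engine, so this
    # fails in the same situations a real relay on this host would fail.
    $tcp    = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
    $net    = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($net)
    $writer = New-Object System.IO.StreamWriter($net)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    function Read-SmtpReply {
        # Multi-line replies use "250-..." continuation; the last line has a space.
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        return $line
    }

    try {
        $banner = Read-SmtpReply
        if ($banner -notmatch '^220') { throw "Unexpected banner: $banner" }
        $writer.WriteLine("EHLO $env:COMPUTERNAME")   # use your relay's FQDN in production
        $null = Read-SmtpReply
        $writer.WriteLine('STARTTLS')
        $ready = Read-SmtpReply
        if ($ready -notmatch '^220') { throw "STARTTLS refused: $ready" }

        $ssl = New-Object System.Net.Security.SslStream($net, $false)
        $ssl.AuthenticateAsClient($SmtpHost)   # throws if the chain cannot be validated

        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $status = if ($chain.ChainStatus.Count -eq 0) { 'OK' } else { ($chain.ChainStatus | ForEach-Object Status) -join ',' }

        [pscustomobject]@{
            Endpoint    = "$SmtpHost`:$Port"
            TlsProtocol = $ssl.SslProtocol
            LeafSubject = $leaf.Subject
            ChainRoot   = $root.Subject
            RootIsG2    = ($root.Thumbprint -eq $RootG2Thumbprint)
            ChainStatus = $status
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        # This is the failure mode the advisory warns about: no trusted path to the root.
        [pscustomobject]@{ Endpoint = "$SmtpHost`:$Port"; RootIsG2 = $false; Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

# Usage: run on the relay/gateway host itself, since outbound port 25 is often
# blocked from workstations and the trust store that matters is this host's.
[pscustomobject]@{
    CtlUpdaterEnabled    = Test-CtlUpdaterEnabled
    RootG2InMachineStore = Test-RootG2Trusted
} | Format-List
Test-SmtpStartTlsChain -SmtpHost 'yourtenant-com.mail.protection.outlook.com'
```

Read the output together: CtlUpdaterEnabled = False with RootG2InMachineStore = False is the combination that needs manual deployment, and a handshake that ends in an AuthenticationException on this host is a live reproduction of the mail-flow failure described above. For the non-Windows systems the advisory lists, the equivalent live check is `openssl s_client -starttls smtp -connect <mx-host>:25 -showcerts` against the system's CA path, and the import step is `keytool -importcert -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" -alias digicertglobalrootg2 -file DigiCertGlobalRootG2.crt` for Java, or dropping the PEM into `/usr/local/share/ca-certificates/` followed by `update-ca-certificates` (Debian/Ubuntu) or into `/etc/pki/ca-trust/source/anchors/` followed by `update-ca-trust` (RHEL family); in every case verify the file's fingerprint against DigiCert's published value before importing.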
Microsoft Official Update
Service: N/A
Category: planForChange
Severity: normal
[Introduction]
Action might be required to avoid service disruption. To maintain secure and uninterrupted mail flow with Exchange Online, organizations must ensure their servers and clients trust the DigiCert Global Root G2 Certificate Authority (CA) and its subordinate CAs.
Organizations that rely on custom certificate trust stores, disabled Windows CTL updates, or older runtime environments might be impacted and may need to update their trusted certificate chains.
[When this will happen:]
Organizations must complete required certificate trust updates before April 30, 2026.
[How this affects your organization:]
Who is affected:
This change applies to all organizations (Worldwide, GCC, GCC‑High, DoD) that:
- Send or receive email with Exchange Online and
- Either:
  - Your organization has disabled the Windows CTL Updater feature that by default downloads the Certificate Trust List (CTL).
    - The CTL contains trusted and untrusted root certificates. Learn more: Certificates and trust in Windows.
    - This scenario may apply if your organization maintains its own set of trusted Root and Intermediate Certificates via Group Policy or via a redirected Microsoft Automatic Update URL. Learn more: Configure trusted roots and disallowed certificates in Windows.
    - You can determine whether the Windows CTL Updater feature is disabled by reviewing the Who needs to take action section of this Microsoft guidance: Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption.
  - You use older or custom application environments such as:
    - Legacy Java/JDK/JRE runtimes
    - Embedded systems and appliances
    - Custom or outdated Linux images
    - Air‑gapped systems
    - Third‑party email gateways or security appliances that perform certificate chain validation
This change applies to any system performing full certificate chain validation against Exchange Online, including Exchange Server, security appliances, and third-party email gateways. If you use third-party email appliances, please contact the vendor directly for support.
Windows systems with the CTL Updater enabled (default) do not require action.
What will happen:
If the DigiCert Global Root G2 certificate or required intermediates are missing or cannot be retrieved during TLS negotiation:
- Outbound email clients may:
- Refuse to send email when strict certificate validation is enforced
- Fall back to unencrypted SMTP if allowed
- Inbound SMTP connections from Exchange Online may fail or be delayed
- Email flow reliability may be reduced
- Systems not using up‑to‑date certificate chains may be unable to validate TLS certificates presented by Exchange Online
If your organization already maintains the current Office 365 certificate chains, no impact is expected.
[What you can do to prepare:]
Required actions:
If your environment has disabled Windows CTL updates or relies on older/custom runtimes, complete the actions outlined in the What you must do section of: Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption
Specific actions include:
- Review whether Windows CTL Updater is disabled in your organization.
- Confirm whether SMTP servers, security appliances, and gateways fully trust the DigiCert Global Root G2 CA and subordinate CAs.
- Ensure outdated or custom runtimes (Java, Linux, embedded systems, etc.) include the required certificates.
- Contact your third‑party email appliance vendor if they manage certificate chains.
- Update internal documentation and inform helpdesk teams as required.
No action required if:
- You are using Windows systems with CTL Updater enabled (default behavior), and
- Your organization already trusts the latest Office 365 certificate chains.
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.

