TL;DR: Microsoft has moved the deadline for DigiCert G2 root trust to March 15, 2026. Organizations with restricted certificate auto-updates must manually add this root to prevent mail flow failures.
Why the Deadline Moved
The transition from the DigiCert Global Root G1 to G2 is an industry-wide shift. Due to upcoming distrust of the G1 root by major browser and email providers in April 2026, Microsoft is accelerating its rotation to ensure Exchange Online remains compliant and reachable.
Are You Affected?
Most modern Windows systems with “Automatic Root Certificate Updates” enabled (the default) are already safe. You only need to take action if:
- CTL Updates are Disabled: You manage trusted roots manually via Group Policy or a custom internal URL.
- Non-Windows Environments: You use Linux-based relays, Java applications, or embedded appliances that maintain their own “keystores.”
- Third-Party Gateways: Your mail flows through an external security appliance that performs its own TLS validation.
How to Verify (The PowerShell Way)
To see if your Windows server already trusts the required root, run this command in PowerShell:
```powershell
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4"}
```
- If it returns a certificate object (CN=DigiCert Global Root G2), you are ready.
- If it returns nothing, you must manually import the G2 root.
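The one-liner above, extended into a small script as an added example (not code from the original post): it tests for the G2 thumbprint quoted above, reports whether Group Policy has turned off automatic root updates, and imports the root from a local copy only after confirming that the file's thumbprint matches. The file path is an assumption; point it at the G2 root you obtained from DigiCert.

```powershell
# Added example, not from the original post. Checks whether DigiCert Global Root G2
# is trusted on this host and imports it from a local .crt file if it is missing.
$G2Thumbprint = 'DF3C24F9BFD666761B268073FE06D1CC8D4F82A4'   # thumbprint from the post
$G2CertPath   = 'C:\PKI\DigiCertGlobalRootG2.crt'             # assumption: your copy of the root

function Test-G2RootTrusted {
    param([string]$Thumbprint = $G2Thumbprint)
    # Match on the thumbprint rather than the subject name so a look-alike
    # certificate with the same CN does not produce a false "ready".
    $cert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$cert
}

function Test-RootAutoUpdateDisabled {
    # The policy "Turn off Automatic Root Certificates Update" writes this value as 1.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $val = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.DisableRootAutoUpdate -eq 1)
}

function Install-G2Root {
    param([string]$Path = $G2CertPath, [string]$Thumbprint = $G2Thumbprint)
    if (-not (Test-Path $Path)) { throw "G2 root file not found: $Path" }
    # Confirm the file really is the G2 root before trusting it machine-wide.
    $candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($candidate.Thumbprint -ne $Thumbprint) {
        throw "Refusing to import: thumbprint $($candidate.Thumbprint) is not the expected G2 root."
    }
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Report and remediate (run from an elevated prompt for the import step).
if (Test-RootAutoUpdateDisabled) {
    Write-Warning 'Automatic root updates are disabled by policy; this host will not pick up G2 on its own.'
}
if (Test-G2RootTrusted) {
    Write-Host 'DigiCert Global Root G2 is already trusted.'
} else {
    Write-Host 'G2 root missing; importing from local copy.'
    Install-G2Root
    if (-not (Test-G2RootTrusted)) { throw 'Import completed but the G2 root is still not present.' }
}
```

Run it on every Windows host that opens its own TLS session to Exchange Online, not only on the Exchange servers; Linux relays and Java keystores need the equivalent check in their own tooling.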
Potential Symptoms of Failure
If you miss the March 15 deadline, you may encounter:
- SMTP Errors: 450 4.4.317 Cannot establish session, or UntrustedRoot conditions.
- TLS Failures: Outbound mail refusing to send when strict validation is enforced.
- Delayed Delivery: Inbound connections from Microsoft being rejected by your gateway.
MVP Recommendation
Don’t just check your Exchange Servers. Check your application servers that use “Direct Send” to mail.protection.outlook.com. Those servers establish their own TLS sessions and are often the most overlooked part of a certificate rotation.