UPDATE 3/16/2026: We worked with the partner team to republish the Microsoft 365 Root Certificate Chain Bundles for Worldwide (WWMT) and GCC High / DoD (ITAR) after identifying that the previously pu...
Updated Mar 18, 2026
Version 13.0
Blog Post
6 MIN READ
Trust DigiCert Global Root G2 Certificate Authority to Avoid Exchange Online Email Disruption
can you help me to identify how to check if Windows CTL is enabled or not.
Arindam_Thokder
Microsoft
MicrosoftThis is a Windows component, and me or Nino are not expert on this topic. But this article should help - Certificates and Trust Management in Windows
Thanks. so, we can ignore the other servers\clients which are not directly connecting to Exchange online to send\receive email if they are not trusted with DigiCert root certificate?
Also, what exchange online endpoints we need to check which says directly connecting to exchange online.?
- Nino_Bilic
I already answered that "Only clients / servers that connect to Exchange Online directly to send/receive SMTP email." - right? That then means that machines not in the SMTP email flow are not directly impacted by this change.
You do not need to check any Exchange Online endpoints for valid certificates. We take care of Exchange Online certificate update / trust on service side.
but what about the third party application which are using smtp.office365.com or outlook.office365.com, pop. or imap.office365.com does Microsoft trust those as well and third party application team does not need to do anything from their end?
or they need to work with vendor i.e. cisco, oracle to update the Digicert certificate.
sorry for many questions, but this article should explain the Exchange online endpoints as well because Internal application also connects to smtp.office365.com so it is unclear for Internal and external devices.
also I still did not understand clients\servers that connect to exchange online directly I mean how we will identify , I found Exchange on-premise, but that could be internal machine using any application to connect to smtp.office365.com which we could say directly connect to exchange online, right?
