Hello Microsoft,
Just to confirm my technical understanding of the automated process that's occurring behind the scenes with all of the moving pieces, given that the CTL mechanism is enabled and syncing/working as expected, with the root CA certificate imported into the store:
- Are the needed Intermediate certificates included in the updated bundle? Based on the comment conversations leading up to today, it appears that the previous single Intermediate CA certificate with a specified thumbprint is no longer what is expected; now it's a bundle of intermediate certificates that are required to be imported.
- If this is the case, does the CTL mechanism and fallback AIA retrieval URL conduct the retrieval, import, and trusting of both the Root and Intermediate certs?
- The root CA, if CTL is disabled and/or the AIA retrieval URL is altered/modified, is then never sent by Exchange Online. It must then be imported/trusted locally under this scenario. That's what makes the root the hard dependency if the scenario applies; would this be correct? In other words, does the CTL mechanism (if enabled and the default AIA retrieval URL is being used) conduct the necessary exchange (no pun intended) with Exchange Online to automatically acquire and import the root CA cert (if detected missing)?
In summary, from what I've gathered from the conversation, the CTL mechanism along with the AIA URL retrieval seems to ensure that the entire process is automated for those who fall under the typical scenario of not having the CTL mechanism disabled and not having tampered with or modified the default AIA retrieval URL. Let me know if anything I've stated is incorrect, so others and I can further clarify our own understanding of the technical process and the mechanisms associated with this solution.
Thank you so much for your feedback and continued guidance!