Client authentication EKU changes in public TLS certificate
Hi,
Can someone clarify the upcoming change to remove the client authentication EKU and the conflicting information within MS docs for Teams Direct Routing certificates?
As stated here, from October 2025 there is an industry-wide change to remove the client authentication EKU from issued TLS certificates:
https://knowledge.digicert.com/alerts/sunsetting-client-authentication-eku-from-digicert-public-tls-certificates
However, both server and client EKUs are required for mTLS, and Microsoft states here that both server and client EKUs are required:
https://learn.microsoft.com/en-us/microsoftteams/direct-routing-whats-new#sbc-certificates-eku-extensions-test
DigiCert are offering an X9 PKI that includes both server and client EKUs, but it seems the signing CA is not trusted by Microsoft at this stage.
What guidance are Microsoft offering with this upcoming change to ensure that customers are not affected when renewing their certificates?
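
An added example, not part of the original post: a standard-library check that reports which of the two EKUs a certificate's Extended Key Usage extension (OID 2.5.29.37) is missing, useful for comparing a renewed certificate against the one it replaces. The helper names are hypothetical, the two DER samples are constructed by hand, and locating the extension by byte pattern is a simplifying assumption.

```python
# Added example: constructed DER bytes, hypothetical helper names.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"          # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth
EKU_EXT_OID = bytes.fromhex("0603551d25")  # DER encoding of OID 2.5.29.37

def read_tlv(buf, pos):
    """Return (tag, value bytes, offset just past this TLV)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode base-128 OID content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der):
    """List EKU OIDs found in DER bytes (certificate or bare extension)."""
    at = der.find(EKU_EXT_OID)             # assumption: pattern match is enough
    if at < 0:
        return []
    tag, value, pos = read_tlv(der, at + len(EKU_EXT_OID))
    if tag == 0x01:                        # optional "critical" BOOLEAN
        tag, value, pos = read_tlv(der, pos)
    _, seq, _ = read_tlv(value, 0)         # OCTET STRING wraps SEQUENCE OF OID
    oids, p = [], 0
    while p < len(seq):
        _, oid, p = read_tlv(seq, p)
        oids.append(decode_oid(oid))
    return oids

def missing_for_mtls(der):
    """EKUs absent from the set the post says mTLS needs."""
    return sorted({SERVER_AUTH, CLIENT_AUTH} - set(eku_oids(der)))

# Constructed samples: one extension with both EKUs, one with serverAuth only.
BOTH = bytes.fromhex("301d0603551d250416301406082b0601050507030106082b06010505070302")
SERVER_ONLY = bytes.fromhex("30130603551d25040c300a06082b06010505070301")

if __name__ == "__main__":
    for name, der in (("both", BOTH), ("server-only", SERVER_ONLY)):
        print(name, eku_oids(der), "missing:", missing_for_mtls(der))
```

To run it against a real PEM certificate, convert the text to DER first with `ssl.PEM_cert_to_DER_cert` and pass the result to `missing_for_mtls`.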