https://www.reddit.com/r/exchangeserver/comments/onhchg/download_domains_cve20211730_and_microsoft/?rdt=64153 Done it back in March, no problems, virtually no downtime. Notes: I hate their weird wording in that guide, it's potentially confusing. The writer was likely not fluent in English, and nobody copy-edited it. By "certified domain name" they mean "you need an additional name within the same DNS domain on which your OWA is served, and you need to expand the Exchange certificate to include it." Had multiple people be tripped up by that odd phrasing. It doesn't need to be of the form download.mail.contoso.com ; if you want, it can be whatever .contoso.com , at the same level as autodiscover.contoso.com etc -- for example, you could use d.contoso.com to shorten the URLs. Mostly an aesthetic choice, you can absolutely use their suggested scheme, as long as it doesn't complicate your cert issuance process since it's an additional subdomain...