Outlook Global Customer Service & Support Team Blog

Recommended SMIME algorithm settings for modern Outlook builds

Thomas_Noack (Microsoft)
Jul 14, 2022

To take advantage of the best security available when using SMIME for email, you must configure Outlook to use modern algorithm settings. This post explains how to ensure you are using these modern algorithms for encryption and digital signatures. This matters because Windows and Outlook still allow older, less secure algorithms to be used for encryption and digital signatures.

The following registry values give you a good start for configuring a security profile using stronger algorithms, thus providing higher security for digitally signed and encrypted email messages using SMIME.

Furthermore, these values disable less secure algorithms, preventing their use in Outlook.

These registry keys need to be set before you configure the security profile. If a security profile has already been set up, make a note of its settings, then delete the security profile, restart Outlook, and create a new security profile.

To view and configure security settings, click the File menu, then click Options, Trust Center, click the Trust Center Settings button, then click Email Security, and then the Settings button.

To set the following higher security algorithms as the new defaults, use the registry settings below:

  • Encrypted email - AES, 128-bit key (OID 2.16.840.1.101.3.4.1.2)
  • Digital signature - SHA-384 (OID 2.16.840.1.101.3.4.2.2)

Windows Registry Editor Version 5.00

; Default algorithms for new security profiles: SHA-384 for digital
; signatures and AES-128 for encryption (the OIDs listed above).
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security]
"UseAlternateDefaultHashAlg"=dword:00000001
"DefaultHashOID"="2.16.840.1.101.3.4.2.2"
"UseAlternateDefaultEncryptionAlg"=dword:00000001
"DefaultEncryptionAlgOID"="2.16.840.1.101.3.4.1.2"

; Disable the weaker algorithms (3DES, RC2, SHA-1) so Outlook will not use them.
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\3DES]
"Flags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\RC2]
"Flags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\SHA1]
"Flags"=dword:00000001
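As an added example (not part of the original post, and not a Microsoft-provided script), the following PowerShell audits the values from the .reg file above in the current user's hive, reports any value that is absent or differs, and with -Apply writes the recommended value. It assumes the same key paths and value names as the .reg file; the two OID parameters default to the AES-128 and SHA-384 OIDs listed above.

```powershell
# Audit (and optionally apply) the Outlook S/MIME algorithm policy values.
# Run in the context of the user being checked; restart Outlook afterwards.
param(
    [switch]$Apply,
    [string]$EncryptionOid = '2.16.840.1.101.3.4.1.2',  # AES-128 CBC
    [string]$HashOid       = '2.16.840.1.101.3.4.2.2'   # SHA-384
)

$base = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security'

# Expected state, mirroring the .reg file: alternate defaults switched on and
# the weak algorithms flagged off under CNGAlgs.
$expected = @(
    @{ Path = $base;                Name = 'UseAlternateDefaultHashAlg';       Value = 1;              Type = 'DWord'  }
    @{ Path = $base;                Name = 'DefaultHashOID';                   Value = $HashOid;       Type = 'String' }
    @{ Path = $base;                Name = 'UseAlternateDefaultEncryptionAlg'; Value = 1;              Type = 'DWord'  }
    @{ Path = $base;                Name = 'DefaultEncryptionAlgOID';          Value = $EncryptionOid; Type = 'String' }
    @{ Path = "$base\CNGAlgs\3DES"; Name = 'Flags';                            Value = 1;              Type = 'DWord'  }
    @{ Path = "$base\CNGAlgs\RC2";  Name = 'Flags';                            Value = 1;              Type = 'DWord'  }
    @{ Path = "$base\CNGAlgs\SHA1"; Name = 'Flags';                            Value = 1;              Type = 'DWord'  }
)

$drift = 0
foreach ($e in $expected) {
    $current = $null
    if (Test-Path $e.Path) {
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    }
    # Compare as strings so DWORD 1 and string OIDs are handled the same way.
    if (($null -ne $current) -and ("$current" -eq "$($e.Value)")) {
        Write-Host ("OK       {0}\{1} = {2}" -f $e.Path, $e.Name, $current)
        continue
    }
    $drift++
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Host ("MISMATCH {0}\{1} = {2} (expected {3})" -f $e.Path, $e.Name, $shown, $e.Value)
    if ($Apply) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType $e.Type -Force | Out-Null
        Write-Host ("FIXED    {0}\{1}" -f $e.Path, $e.Name)
    }
}
if ($drift -eq 0) { 'Policy matches the recommended settings.' }
else { "$drift value(s) differ from the recommended settings." }
```

Run without -Apply first to see what would change; as the post notes, an existing security profile must still be deleted and recreated for new defaults to take effect.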

The security profile should look like this:

These registry keys are supported in the following versions:

Updated Jul 14, 2022
Version 1.0

6 Comments

  • JonathanSH
    Copper Contributor

    All well and good, except it requires the user to delete their S/MIME Profile and create a new one AND Publish to GAL still uses SHA-1 when creating the value for UserSMIMECertificate! Grrr.

  • davidmbahm
    Brass Contributor

    This article is a couple of years old but it still seems to be the best reference to the SMIME algorithm settings so I'm posting my findings here.

    There may have been a change in Outlook behavior since the publication, but setting the algorithm value does update the security profile in my testing. Also, I went and looked up the OID reference for AES-256 since I didn't want to drop the default to lower than my active SMIME certificate. Outlook is honoring the setting and I have not seen any issues.

    AES256-CBC: 2.16.840.1.101.3.4.1.42

  • UnhappyUser6974
    Copper Contributor

    I don't give a rat's **bleep** about earning any rewards or prizes.  I want an answer to my question yesterday! Don't bother giving me prizes for commenting.  I am not a child.  I do not need rewards.  I need the old outlook that does not require me to learn how to use it.  My other option is to drop my subscription from Office 365 and all other Microsoft products and go back to a competitor's product that has not made major changes requiring me to waste my valuable time learning how to use it!!!!!!!

  • UnhappyUser6974
    Copper Contributor

    I WANT MY OLD OUTLOOK BACK NOW!!!!  I don't have time to learn new version!! I am 71 years old and I have work to do while I still can!  How do I get the old version back???

  • Rae_Rae
    Steel Contributor

    Will "this" work across all OS, including Chrome?