Recommended SMIME algorithm settings for modern Outlook builds
Published Jul 14 2022 08:27 AM 1,265 Views
Microsoft

To take advantage of the best security available when using SMIME for email, you must configure Outlook to use modern algorithm settings. This post explains how ensure you are using these modern algorithms for encryption and digital signatures. This is important, considering that Windows and Outlook still allow you to use older and less secure algorithms for encryption and digital signatures.

 

The following registry values give you a good start for configuring a security profile using stronger algorithms, thus providing higher security for digitally signed and encrypted email messages using SMIME.

 

Furthermore, these values disable less secure algorithms, preventing their use in Outlook.

 

These registry keys need to be set before you configure the security profile. If a security profile has already been set up, make a note of the settings, then delete the security profile, restart Outlook, and create a new security profile. 


To view and configure security settings, click the File menu, then click Options, Trust Center, click the Trust Center Settings button, then click Email Security, and then the Settings button.

 

To set the following higher security algorithms as the new defaults, use the registry settings below:

 

  • Encrypted email - AES 128 bit (2.16.840.1.101.3.4.1.2)
  • Digital signature - SHA 384 bit (2.16.840.1.101.3.4.2.2)

 

Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security]
"UseAlternateDefaultHashAlg"=dword:00000001
"DefaultHashOID"="2.16.840.1.101.3.4.2.2"
"UseAlternateDefaultEncryptionAlg"=dword:00000001
"DefaultEncryptionAlgOID"="2.16.840.1.101.3.4.1.2"
 
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\3DES]
"Flags"=dword:00000001
 
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\RC2]
"Flags"=dword:00000001
 
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\CNGAlgs\SHA1]
"Flags"=dword:00000001

 

The security profile should look like this:

 

smime3.png

These registry keys are supported in the following versions:

 

2 Comments
Co-Authors
Version history
Last update:
‎Jul 14 2022 08:26 AM
Updated by: