Configure S/MIME for Windows

Secure/Multipurpose Internet Mail Extensions (S/MIME) provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME enables users to encrypt outgoing messages and attachments so that only intended recipients can read them. To read the messages, recipients must have a digital identification (ID), also known as a certificate.
Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.

Message encryption

Users can send encrypted message to recipients that have an encryption certificate.
Users can only read encrypted messages if the message is received on their Exchange account, and they have corresponding decryption keys.

Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipients whose encryption certificate isn't available, the app prompts you to remove these recipients before sending the email.

Digital signatures

A digitally signed message reassures the recipient that the message hasn't been tampered with, and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME.

Windows edition and licensing requirements

The following table lists the Windows editions that support Email Encryption (S/MIME):

Windows Pro Windows Enterprise Windows Pro Education/SE Windows Education
Yes Yes Yes Yes

Email Encryption (S/MIME) license entitlements are granted by the following licenses:

Windows Pro/Pro Education/SE Windows Enterprise E3 Windows Enterprise E5 Windows Education A3 Windows Education A5
Yes Yes Yes Yes Yes

For more information about Windows licensing, see Windows licensing overview.

Prerequisites

Choose S/MIME settings

On the device, perform the following steps: (add select certificate)

  1. Open the Mail app

  2. Open Settings > Email security Screenshot of the Windows Mail app, security settings.

  3. In Select an account, select the account for which you want to configure S/MIME options

  4. Make a certificate selection for digital signature and encryption

    • Select Automatically to let the app choose the certificate
    • Select Manually to specify the certificate yourself from the list of valid certificates on the device
  5. (Optional) Select Always sign with S/MIME, Always encrypt with S/MIME, or both, to automatically digitally sign or encrypt all outgoing messages

    Note

    The option to sign or encrypt can be changed for individual messages, unless EAS policies prevent it.

  6. Select the back arrow

Encrypt or sign individual messages

  1. While composing a message, select Options from the ribbon

  2. Use Sign and Encrypt icons to turn on digital signature and encryption for this message

    Screenshot of the Windows Mail app, showing the options to sign or encrypt message.

Read signed or encrypted messages

When you receive an encrypted message, the mail app checks whether there's a certificate available on your computer. If there's a certificate available, the message is decrypted when you open it. If your certificate is stored on a smartcard, you'll be prompted to insert the smartcard to read the message. Your smartcard may also require a PIN to access the certificate.

Install certificates from a received message

When you receive a signed email, the app provides a feature to install corresponding encryption certificate on your device if the certificate is available. This certificate can then be used to send encrypted email to this person.

  1. Open a signed email
  2. Select the digital signature icon in the reading pane
  3. Select Install.

Screenshot of the Windows Mail app, showing a message to install the sender's encryption certificate.