Set consistent Outlook 2007 cryptography options for an organization
Updated: April 16, 2012
Applies To: Office Resource Kit
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
You can control many aspects of Microsoft Office Outlook 2007 cryptography features to help configure more secure messaging and message encryption for your organization. For example, you can configure a Group Policy setting that requires a security label on all outgoing mail or a setting that disables publishing to the Global Address List.
You can lock down the settings to customize cryptography by using the Outlook Group Policy template (Outlk12.adm). Or you can configure default settings by using the Office Customization Tool (OCT), in which case users can change the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.
The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center.
To customize cryptographic options by using Group Policy
In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
To customize cryptographic settings, under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography, double-click the policy setting you want to set. For example, double-click Do not display 'Publish to GAL' button. (Some options are included in the Signature Status dialog box folder.)
Click Enabled. When appropriate, choose an option that displays on the Setting tab.
Click OK.
The settings you can configure for cryptography are shown below.
Cryptography option | Description |
---|---|
Minimum encryption settings | Set to the minimum key length for an encrypted e-mail message. |
S/MIME interoperability with external clients: | Specify the behavior for handling S/MIME messages. |
Always use Rich Text formatting in S/MIME messages | Always use Rich Text for S/MIME messages instead of the format specified by the user. |
S/MIME password settings | Specify the default and maximum amount of time that an S/MIME password is valid. |
Message formats | Choose message formats to support: S/MIME (default), Exchange, Fortezza, or a combination of formats. |
Message when Outlook cannot find the digital ID to decode a message | Enter a message to display to users. |
Do not provide Continue option on Encryption warning dialog boxes | Disable the Continue button on encryption settings warning dialog boxes. |
Run in FIPS compliant mode | Put Outlook into FIPS 140-1 mode. |
Do not check e-mail address against address of certificates being using (sic) | Do not verify the user's e-mail address against the address in the certificates used for encryption or signing. |
Encrypt all e-mail messages | Encrypt outgoing e-mail messages. |
Sign all e-mail messages | Sign outgoing e-mail messages. |
Send all signed messages as clear signed messages | Use Clear Signed for signed outgoing e-mail messages. |
Request an S/MIME receipt for all S/MIME signed messages | Request a security-enhanced receipt for outgoing e-mail messages. |
URL for S/MIME certificates | Provide a URL at which users can obtain an S/MIME receipt. The URL can contain three variables (%1, %2, and %3) that will be replaced by the user's name, e-mail address, and language, respectively. |
Ensure all S/MIME signed messages have a label | Require all S/MIME-signed messages to have a security label. |
Do not display 'Publish to GAL' button | Disable the 'Publish to GAL' button on the E-mail Security page of the Trust Center. |
Signature Warning | Specify when signature warnings are displayed to users. |
S/MIME receipt requests | Specify how S/MIME receipt requests are handled. |
Fortezza certificate policies | Enter a list of policies allowed in the policies extension of a certificate showing that the certificate is a Fortezza certificate. Separate policies with semicolons. |
Require SUITEB algorithms for S/MIME operations | Use only Suite-B algorithms for S/MIME operations. |
Enable Cryptography Icons | Display Outlook cryptography icons in the Outlook UI. |
Retrieving CRLs (Certificate Revocation Lists) | Specify how Outlook behaves when CRLs are retrieved. |
Missing CRLs | Specify the Outlook response when a CRL is missing: display an error or a warning (default). |
Missing root certificates | Specify the Outlook response when a root certificate is missing: display an error or a warning (default). |
Promote Level 2 errors as errors, not warnings | Specify the Outlook response for Level 2 errors: display an error or a warning (default). |
Attachment Secure Temporary Folder | Specify a folder path for the Secure Temporary Files Folder. This overrides the default path and is not recommended. |
More information about setting Outlook cryptography options
The following sections provide additional information about configuration options for Outlook cryptography.
Outlook security policy settings
The following table lists the Windows registry settings you can configure for your custom installation. The Windows registry settings correspond to the Group Policy settings listed earlier. You add these value entries in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security
Value name | Value data (Data type) | Description | Corresponding UI option |
---|---|---|---|
AlwaysEncrypt | 0, 1 (DWORD) | Set to 1 to encrypt outgoing messages. Default is 0. | Encrypt contents check box (E-mail Security page). |
AlwaysSign | 0, 1 (DWORD) | Set to 1 to sign outgoing messages. Default is 0. | Add digital signature check box (E-mail Security page). |
ClearSign | 0, 1 (DWORD) | Set to 1 to use Clear Signed for outgoing messages. Default is 0. | Send clear text signed message check box (E-mail Security page). |
RequestSecureReceipt | 0, 1 (DWORD) | Set to 1 to request security-enhanced receipts for outgoing messages. Default is 0. | Request S/MIME receipt check box (E-mail Security page). |
ForceSecurityLabel | 0, 1 (DWORD) | Set to 1 to require a label on outgoing messages. (The registry setting does not specify which label.) Default is 0. | None |
ForceSecurityLabelX | ASN encoded BLOB (Binary) | Specifies whether a user-defined security label must exist on outgoing signed messages. The string can optionally include label, classification, and category. Default is no security label required. | None |
SigStatusNoCRL | 0, 1 (DWORD) | Set to 0 to treat a missing CRL during signature validation as a warning. Set to 1 to treat a missing CRL as an error. Default is 0. | None |
SigStatusNoTrustDecision | 0, 1, 2 (DWORD) | Set to 0 to allow a No Trust decision. Set to 1 to treat a No Trust decision as a warning. Set to 2 to treat a No Trust decision as an error. Default is 2. | None |
PromoteErrorsAsWarnings | 0, 1 (DWORD) | Set to 0 to report Error Level 2 conditions as errors. Set to 1 to report Error Level 2 conditions as warnings. Default is 1. | None |
PublishtoGalDisabled | 0, 1 (DWORD) | Set to 1 to disable the Publish to GAL button. Default is 0. | Publish to GAL button (E-mail Security page). |
FIPSMode | 0, 1 (DWORD) | Set to 1 to put Outlook into FIPS 140-1 mode. Default is 0. | None |
WarnAboutInvalid | 0, 1, 2 (DWORD) | Set to 0 to display the Show and Ask check box (Secure E-mail Problem dialog box). Set to 1 to always show the dialog box. Set to 2 to never show the dialog box. Default is 0. | Secure E-mail Problem dialog box. |
DisableContinueEncryption | 0, 1 (DWORD) | Set to 0 to show the Continue Encrypting button in the final Encryption Errors dialog box. Set to 1 to hide the button. Default is 0. | Continue Encrypting button on the final Encryption Errors dialog box. This dialog box appears when a user tries to send a message to someone who cannot receive encrypted messages. This setting disables the button that allows users to send the message regardless. (The recipient cannot open encrypted mail messages sent by overriding the error.) |
RespondtoReceiptRequest | 0, 1, 2, 3 (DWORD) | Set to 0 to always send a receipt response and prompt for a password, if needed. Set to 1 to prompt for a password when sending a receipt response. Set to 2 to never send a receipt response. Set to 3 to enforce sending a receipt response. Default is 0. | None |
NeedEncryptionString | String | Displays the specified string when the user tries unsuccessfully to open an encrypted message. Can provide information about where to enroll in security. The default string is used unless the value is set to another string. | Default string |
Options | 0, 1 (DWORD) | Set to 0 to show a warning dialog box when a user attempts to read a signed message with an invalid signature. Set to 1 to never show the warning. Default is 0. | None |
MinEncKey | 40, 64, 128, 168 (DWORD) | Set to the minimum key length for an encrypted e-mail message. | None |
RequiredCA | String | Set to the name of the required certificate authority (CA). When a value is set, Outlook prevents users from signing e-mail by using a certificate from a different CA. | None |
EnrollPageURL | String | URL for the default certificate authority (internal or external) from which you want your users to obtain new digital IDs. Note: Set this in the HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security subkey if you do not have administrator rights on the user's computer. | Get Digital ID button (E-mail Security page). |
When you specify a value for PromoteErrorsAsWarnings, potential Error Level 2 conditions include the following:
Unknown Signature Algorithm
No Signing Certification Found
Bad Attribute Sets
No Issuer Certificate Found
No CRL Found
Out of Date CRL
Root Trust Problem
Out of Date CTL
When you specify a value for EnrollPageURL, use the following parameters to send information about the user to the enrollment Web page.
Parameter | Placeholder in URL string |
---|---|
User display name | %1 |
SMTP e-mail name | %2 |
User interface language ID | %3 |
For example, to send user information to the Microsoft enrollment Web page, set the EnrollPageURL entry to the following value, including the parameters:
www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3
For example, if the user's name is Jeff Smith, e-mail address is someone@example.com, and user interface language ID is 1033, the placeholders are resolved as follows:
www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@example.com&helplcid=1033
Security policy settings for general cryptography
The following table shows additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\SMIME\SecurityPolicies\Default
Value name | Value data (Data type) | Description | Corresponding UI option |
---|---|---|---|
ShowWithMultiLabels | 0, 1 (DWORD) | Set to 0 to attempt to display a message when the signature layer has different labels set in different signatures. Set to 1 to prevent display of the message. Default is 0. | None |
CertErrorWithLabel | 0, 1, 2 (DWORD) | Set to 0 to process a message with a certificate error when the message has a label. Set to 1 to deny access to a message with a certificate error. Set to 2 to ignore the message label and grant access to the message. (The user still sees a certificate error.) Default is 0. | None |
Security policy settings for KMS-issued certificates
The values in the following table only apply to certificates issued by Microsoft Exchange Key Management Service (KMS). The table shows additional Windows registry settings that you can use for your custom configuration. These settings are contained in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Defaults\Provider
Value name | Value data (Data type) | Description | Corresponding UI option |
---|---|---|---|
MaxPWDTime | 0, number (DWORD) | Set to 0 to remove the user's ability to save a password (the user is required to enter a password each time a key set is required). Set to a positive number to specify a maximum password time in minutes. Default is 999. | None |
DefPWDTime | Number (DWORD) | Set to the default amount of time, in minutes, for which a password is saved. | None |
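The three registry tables in this topic describe per-user values but give no way to check them across many computers. The following PowerShell script is an added example, not part of the Office Resource Kit or any Microsoft tooling. It audits the documented values under the three HKEY_CURRENT_USER subkeys listed above against a baseline and, when run with -Enforce, writes that baseline. The baseline values (128-bit minimum key, FIPS mode on, missing CRL treated as an error, Level 2 conditions treated as errors, Continue Encrypting hidden, Publish to GAL disabled, certificate errors on labeled messages denied, 60-minute maximum password time) and the enrollment URL are illustrative assumptions for a hypothetical organization, not Microsoft defaults or recommendations.

```powershell
# Added example (not from the Office Resource Kit): audit and optionally enforce
# the Outlook 2007 cryptography registry values documented in this topic.
# All baseline values below are illustrative assumptions, not Microsoft defaults.
param(
    [switch]$Enforce   # without -Enforce the script only reports drift
)

# The three subkeys named in the tables above.
$OutlookSecurity = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'
$SmimePolicies   = 'HKCU:\Software\Microsoft\Cryptography\SMIME\SecurityPolicies\Default'
$KmsProvider     = 'HKCU:\Software\Microsoft\Cryptography\Defaults\Provider'

# Desired state, one entry per value. Type is the registry data type the table
# gives for that value (DWORD or String). Values are assumptions for a
# hypothetical organization; the URL is a placeholder, not a real endpoint.
$Baseline = @(
    @{ Path = $OutlookSecurity; Name = 'MinEncKey';                 Type = 'DWord';  Value = 128 }
    @{ Path = $OutlookSecurity; Name = 'FIPSMode';                  Type = 'DWord';  Value = 1 }
    @{ Path = $OutlookSecurity; Name = 'SigStatusNoCRL';            Type = 'DWord';  Value = 1 }  # missing CRL is an error
    @{ Path = $OutlookSecurity; Name = 'SigStatusNoTrustDecision';  Type = 'DWord';  Value = 2 }  # No Trust is an error
    @{ Path = $OutlookSecurity; Name = 'PromoteErrorsAsWarnings';   Type = 'DWord';  Value = 0 }  # Level 2 conditions are errors
    @{ Path = $OutlookSecurity; Name = 'DisableContinueEncryption'; Type = 'DWord';  Value = 1 }  # no sending past encryption errors
    @{ Path = $OutlookSecurity; Name = 'PublishtoGalDisabled';      Type = 'DWord';  Value = 1 }
    @{ Path = $OutlookSecurity; Name = 'EnrollPageURL';             Type = 'String'
       Value = 'https://pki.example.invalid/enroll.htm?name=%1&email=%2&helplcid=%3' }          # placeholder URL
    @{ Path = $SmimePolicies;   Name = 'CertErrorWithLabel';        Type = 'DWord';  Value = 1 }  # deny access on certificate error
    @{ Path = $KmsProvider;     Name = 'MaxPWDTime';                Type = 'DWord';  Value = 60 } # cache S/MIME password at most 60 minutes
)

# Read one value, returning $null when the key or the value does not exist.
function Get-CurrentValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Compare every baseline entry with the live registry and classify it.
function Test-CryptoBaseline {
    param([array]$Baseline)
    foreach ($entry in $Baseline) {
        $current = Get-CurrentValue -Path $entry.Path -Name $entry.Name
        $state = if ($null -eq $current) { 'Missing' }
                 elseif ("$current" -eq "$($entry.Value)") { 'Compliant' }
                 else { 'Drift' }
        [pscustomobject]@{
            Path     = $entry.Path
            Name     = $entry.Name
            Expected = $entry.Value
            Current  = $current
            State    = $state
        }
    }
}

# Write the baseline for every entry that is missing or has drifted.
function Set-CryptoBaseline {
    param([array]$Findings, [array]$Baseline)
    foreach ($f in $Findings | Where-Object State -ne 'Compliant') {
        $entry = $Baseline | Where-Object { $_.Path -eq $f.Path -and $_.Name -eq $f.Name }
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            New-Item -Path $entry.Path -Force | Out-Null   # creates intermediate keys as needed
        }
        # -Force overwrites an existing value and corrects a wrong data type.
        New-ItemProperty -LiteralPath $entry.Path -Name $entry.Name -PropertyType $entry.Type `
                         -Value $entry.Value -Force | Out-Null
        Write-Host ("Set {0}\{1} = {2}" -f $entry.Path, $entry.Name, $entry.Value)
    }
}

$findings = Test-CryptoBaseline -Baseline $Baseline
$findings | Format-Table Name, Expected, Current, State -AutoSize

if ($Enforce) {
    Set-CryptoBaseline -Findings $findings -Baseline $Baseline
} elseif ($findings.State -contains 'Drift' -or $findings.State -contains 'Missing') {
    Write-Warning 'Drift detected; re-run with -Enforce to apply the baseline.'
}
```

Run the script in the context of the user whose Outlook profile you are checking, because all three subkeys live under HKEY_CURRENT_USER. As this topic notes, values placed in these subkeys (for example by the OCT) remain changeable by the user, so an audit like this is useful for detecting drift; where a setting must be locked down, configure it through the Outlk12.adm Group Policy template instead.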