Microsoft Outlook Configuration
The script automates the configuration of S/MIME (Secure/Multipurpose Internet Mail Extensions) settings for Microsoft Outlook using DigiCert-issued certificates. It is designed to streamline the process of assigning certificates for digital signing and encryption to Outlook profiles, ensuring secure email communication for end users.
The script provides the following features:
Identifies and assigns the newly issued DigiCert S/MIME certificate(s) for signing and/or encryption based on the certificate's Key Usage (KU) and Extended Key Usage (EKU) fields.
Integrates with existing Outlook S/MIME profiles, supporting multiple S/MIME profiles and creating or updating DigiCert profiles as needed.
Verifies that the email address in the certificate matches one of the user’s configured Outlook accounts to prevent misconfiguration.
Performs full X.509 trust chain validation to ensure that the issued S/MIME certificate is valid and trusted.
Allows administrators to enforce signing and/or encryption for all outgoing emails using configurable script parameters.
Note
The script is compatible only with classic Outlook and does not support new Outlook for Windows.
Supported operating system and application
| Operating system | Application |
|---|---|
| Windows (for specific version, refer to Prerequisites) | Microsoft Outlook 2016 (64-bit) or later |
Parameters
The script supports the following parameters:
| Name | Default* | Path | Note |
|---|---|---|---|
| Add digital signature to outgoing messages | Enabled | Trust Center > Email Security > Add digital signature to outgoing messages | This parameter is ignored if the certificate's Key Usage (KU) does not include digitalSignature. |
| Encrypt contents and attachments for outgoing messages | Disabled | Trust Center > Email Security > Encrypt contents and attachments for outgoing messages | This parameter is ignored if the certificate's Key Usage (KU) does not include keyEncipherment. |

* If the default setting is changed, the user must update DigiCert Trust Assistant to version 1.2.6 or later to process the new configuration. This requirement also applies to DigiCert Trust Assistant running on non-Windows operating systems.
Prerequisite checks
Before proceeding with certificate configuration, the script performs several checks to ensure the environment is ready:
Confirms Microsoft Outlook 2016 (64-bit) or later is installed on the system.
Validates the X.509 trust chain of the certificate to confirm that it is issued by a trusted certificate authority (CA).
Validates that the certificate meets the following S/MIME requirements (enforced during profile creation):
The certificate Key Usage (KU) field must include digitalSignature and/or keyEncipherment.
The certificate Extended Key Usage (EKU) field must include id-kp-emailProtection (1.3.6.1.5.5.7.3.4).
Extracts email addresses from the certificate using both SAN: RFC822 Name entries and SubjectDN: Email (as a fallback) and attempts to match them against the user's configured Outlook accounts. The first successful match is used to create the S/MIME profile, named DigiCert Outlook Configuration (<matched email>).
Note
Although SAN: RFC822 Name is the recommended location for S/MIME email addresses, the script still considers the Subject DN: Email field for compatibility purposes. However, Outlook may discontinue support for Subject DN: Email in future releases.
If multiple email addresses are present, the matching process proceeds in order and stops at the first successful match, regardless of whether it comes from the SAN or Subject DN field.
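The prerequisite checks above (Outlook bitness, trust chain, KU/EKU, SAN and Subject DN email extraction, first-match account selection) can be reproduced with the .NET X509 types available from PowerShell. The block below is an added example written for this page, not the DigiCert post-processing script or any part of DigiCert Trust Assistant. It assumes the candidate certificates are in the current user's personal store (Cert:\CurrentUser\My), that the Outlook account list is supplied by the caller (here a constructed value), that the Office registry locations named in Test-OutlookPrerequisite are the ones to consult, and that the SAN extension is rendered with English labels ("RFC822 Name=") by the Windows CryptoAPI formatter.

```powershell
# Added example: S/MIME prerequisite checks in PowerShell (not the DigiCert script itself).
$EmailProtectionOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection, as required on the page

function Test-OutlookPrerequisite {
    # Assumed registry locations: Click-to-Run installs expose Platform/VersionToReport,
    # MSI installs expose Bitness under the 16.0 (Outlook 2016 and later) hive.
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r) {
        return ($c2r.Platform -eq 'x64') -and ([version]$c2r.VersionToReport -ge [version]'16.0')
    }
    $msi = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook' -ErrorAction SilentlyContinue
    return [bool]($msi -and $msi.Bitness -eq 'x64')
}

function Test-SmimeKeyUsage {
    # Returns which S/MIME roles the KU extension permits: signing needs digitalSignature,
    # encryption needs keyEncipherment (the page's rule for when each parameter applies).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) { return [pscustomobject]@{ Signing = $false; Encryption = $false } }
    [pscustomobject]@{
        Signing    = [bool]($ku.KeyUsages -band $flags::DigitalSignature)
        Encryption = [bool]($ku.KeyUsages -band $flags::KeyEncipherment)
    }
}

function Test-SmimeEku {
    # EKU must list id-kp-emailProtection; a certificate without an EKU extension fails.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EmailProtectionOid })
}

function Test-SmimeChain {
    # Full chain build to a trusted root, with revocation checking and the S/MIME
    # application policy applied; failures are surfaced as warnings for troubleshooting.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$EmailProtectionOid)
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Warning ('Chain: {0} {1}' -f $_.Status, $_.StatusInformation.Trim()) }
    }
    return $ok
}

function Get-SmimeEmailAddresses {
    # SAN RFC822 entries first (recommended location), Subject DN E= attribute last (fallback).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $emails = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) emits one entry per line, e.g. "RFC822 Name=alice@example.com" (English locale assumed)
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*RFC822 Name=(.+)$') { $emails += $Matches[1].Trim() }
        }
    }
    $subjectEmail = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    if ($subjectEmail) { $emails += $subjectEmail }
    return @($emails | Select-Object -Unique)
}

function Find-MatchingAccount {
    # Walks the certificate's addresses in order and stops at the first configured account it
    # matches, whichever field it came from, exactly as the page describes.
    param([string[]]$CertEmails, [string[]]$OutlookAccounts)
    foreach ($e in $CertEmails) {
        $hit = $OutlookAccounts | Where-Object { $_ -ieq $e } | Select-Object -First 1
        if ($hit) { return $hit }
    }
    return $null
}

# Example run. The account list is constructed; the real script reads the user's Outlook accounts.
# Filtering on the issuer name is an assumption used here to pick DigiCert-issued candidates.
if (-not (Test-OutlookPrerequisite)) { throw 'Outlook 2016 (64-bit) or later not detected.' }
$outlookAccounts = @('alice@example.com')
$candidates = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -match 'DigiCert' } |
    Sort-Object NotBefore -Descending
foreach ($cert in $candidates) {
    $ku = Test-SmimeKeyUsage $cert
    if (-not ($ku.Signing -or $ku.Encryption)) { continue }   # neither S/MIME role permitted
    if (-not (Test-SmimeEku $cert))            { continue }   # no id-kp-emailProtection
    if (-not (Test-SmimeChain $cert))          { continue }   # untrusted, expired or revoked
    $match = Find-MatchingAccount (Get-SmimeEmailAddresses $cert) $outlookAccounts
    if (-not $match) { continue }                              # address not configured in Outlook
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Signing    = $ku.Signing
        Encryption = $ku.Encryption
        Profile    = "DigiCert Outlook Configuration ($match)"
    }
}
```

Separating the KU result into Signing and Encryption flags mirrors the parameter table: a certificate that only carries digitalSignature can be assigned for signing while the encryption parameter is ignored, and the chain warnings give the same trust-chain detail a troubleshooter needs when a newly issued certificate is silently skipped.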
How it works
The script executes the following steps:
Ensures that all prerequisite checks pass.
Retrieves the existing Outlook S/MIME profiles.
If a DigiCert S/MIME profile exists, updates it with the appropriate certificate(s) for signing and/or encryption.
If not, creates a new profile and assigns the required certificate(s).
Configures the updated or newly created DigiCert profile as the default S/MIME profile in the Outlook email security settings.
On successful execution, you can verify the newly created DigiCert profile by navigating to File > Options > Trust Center > Trust Center Settings > Email Security. Make sure that DigiCert Outlook Configuration (<matched email>) is set as the default configuration under the Encrypted email section.
Troubleshooting
Refer to Common issues for more details to help you troubleshoot issues related to system post-processing scripts.
Refer to Microsoft Outlook Configuration for more details to help you troubleshoot issues related to Microsoft Outlook configuration.