check before: 2025-08-29
Product:
Exchange, Intune, Outlook
Platform:
Android, iOS, Online, World tenant
Status:
Change type:
New feature, Admin impact
Links:
Details:
Summary:
A new Intune policy allows admins to set the priority order for SMIME certificate lookup in Outlook mobile, enhancing control and security. Rolling out on August 29, 2025, it is off by default. Configuration details and examples are provided. More information is available [here](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#smime-settings).
Details:
We're introducing a new Intune policy that allows admins to define the priority order for SMIME certificate lookup in Outlook mobile. This gives organizations more control over how certificates are selected when multiple sources are available, improving flexibility and alignment with internal security practices.
When this will happen:
This change will begin rolling out on August 29, 2025.
Release Phase:
Created:
2025-06-28
updated:
2025-06-28
Direct effects for Operations**
SMIME Certificate Lookup Order
If the new Intune policy is implemented without prior configuration, users may experience delays or failures in email encryption due to the default lookup order not aligning with organizational security practices.
- roles: IT Administrators, End Users
- references: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#smime-settings
User Experience with Outlook Mobile
Without proper preparation, users may face confusion or frustration as the default SMIME certificate lookup order may not meet their expectations, leading to potential security risks and decreased productivity.
- roles: End Users, Support Staff
- references: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#smime-settings
explanation for non-techies**
Imagine you're organizing a large event, and you have several guest lists from different sources: your personal contacts, a company directory, a list on your phone, and an external database. You need to decide which list to prioritize when checking if someone is invited. This is similar to the new Intune policy for SMIME certificate lookup in Outlook mobile.
SMIME certificates are like digital IDs that ensure secure email communication. When sending an email, Outlook needs to verify the recipient's certificate. There are multiple places where these certificates can be stored, just like the different guest lists. The new Intune policy allows administrators to set the order in which Outlook checks these sources, giving them more control over the process.
By default, Outlook checks in a specific order: first your contacts, then the company directory (GAL), followed by the device's storage, and finally an external directory (LDAP). With the new policy, you can rearrange this order to better fit your organization's needs. For example, if you trust the external directory the most, you can set it to be checked first.
This change will start rolling out on August 29, 2025, and the policy is initially turned off. If you don't configure it, Outlook will continue using the default order. However, once available, you can set the order using a simple code format, similar to listing your preferred guest lists: "3, 2, 0, 1" would mean checking the external directory first, then the device, followed by personal contacts, and finally the company directory.
This update provides flexibility and enhances security by allowing organizations to align the certificate lookup process with their internal practices. For more detailed instructions on setting this up, you can refer to the official Microsoft documentation.
** AI generated content. This information must be reviewed before use.
Last updated 3 weeks ago