Many business users rely on S/MIME certificates to encrypt and digitally sign emails. If you recently switched from Classic Outlook to the New Outlook for Windows, you may have noticed that the S/MIME options are no longer in the same places. The underlying certificate infrastructure has not changed, but the user interface and some configuration steps have been redesigned. This article explains what exactly changed with S/MIME in the New Outlook, how to enable it, and what limitations remain.
Key Takeaways: S/MIME Changes in New Outlook
- Settings > Mail > S/MIME: The new location to enable and configure S/MIME certificates in the New Outlook.
- No support for S/MIME in Outlook Web Access (OWA): The New Outlook uses the same cloud-based mail engine as OWA, so S/MIME encryption and signing only work in the desktop client.
- Certificate selection is now per-identity: Instead of a single certificate for all accounts, you must assign a certificate to each email address individually.
What S/MIME Does and Why It Changed in New Outlook
S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It uses a digital certificate issued by a trusted certificate authority to encrypt email content and attach a digital signature that proves the sender’s identity. In Classic Outlook, S/MIME was managed through the Trust Center under File > Options > Trust Center > Trust Center Settings > Email Security. The New Outlook replaces the classic Trust Center with a simplified Settings pane that syncs across devices. Because the New Outlook is built on a web-based mail engine, the S/MIME settings had to be re-implemented as a separate feature that works only when the desktop client is connected to a local certificate store.
The core certificate handling — Windows Certificate Store, certificate enrollment, and root CA trust — remains identical. The change is purely in how you access the settings and how certificates are mapped to accounts. The New Outlook also removes the ability to configure S/MIME through Group Policy or registry keys that were available in Classic Outlook. Administrators must now use the new Settings management interface or deploy certificates via Microsoft Intune.
Prerequisites for S/MIME in New Outlook
Before you can use S/MIME in the New Outlook, you need a valid S/MIME certificate installed in the Windows Certificate Store under Current User > Personal. The certificate must include the email address that matches your Outlook account. You also need the New Outlook for Windows version 1.2023.9.0 or later. The S/MIME feature is not available in the Mac version of the New Outlook or in the mobile apps.
How to Enable S/MIME in New Outlook
- Open Outlook Settings
Click the gear icon in the upper-right corner of the New Outlook window or press Ctrl + comma. - Go to Mail > S/MIME
In the Settings pane, select Mail on the left, then scroll down and click S/MIME. - Turn on S/MIME for each account
Toggle the switch for each email account you want to use with S/MIME. The toggle is labeled “Encrypt contents and attachments for outgoing messages” and “Add a digital signature to outgoing messages.” - Select the certificate
Click the dropdown under “Certificate for signing” or “Certificate for encryption” and choose the matching certificate from the list. If no certificates appear, verify that the certificate is installed in the Windows Certificate Store and that the email address on the certificate matches the account. - Apply the settings
Close the Settings pane. The changes take effect immediately. New messages will now show the Encrypt and Sign buttons in the ribbon.
To send an encrypted message, compose a new email, click the Lock icon in the ribbon, and select Encrypt. To sign a message, click the Seal icon and select Sign. You can also combine both actions. If the recipient does not have a compatible S/MIME certificate, Outlook will warn you before sending.
Limitations and Things to Avoid in New Outlook S/MIME
S/MIME does not work in OWA or the New Outlook web client
If you open the New Outlook in a browser at outlook.office.com, the Encrypt and Sign buttons are not present. S/MIME encryption and signing require the desktop client to access the local certificate store. To use S/MIME, you must always open the New Outlook desktop application.
Certificate mapping is per-account, not global
In Classic Outlook, you could assign one certificate to all accounts. In the New Outlook, you must repeat the certificate selection for each account. If you have five email addresses, you need to configure S/MIME five times. This can be time-consuming in a multi-account setup.
No support for S/MIME v3 or custom encryption algorithms
The New Outlook only supports S/MIME v4 (RFC 8551) with AES-256 encryption. Older certificates using Triple DES or RC2 are not compatible. If your organization uses legacy S/MIME certificates, you must renew them with AES-256 support before they will work in the New Outlook.
Cannot view encrypted messages in the reading pane
When you select an encrypted message in the message list, the reading pane shows a placeholder saying “This message is encrypted.” You must double-click the message to open it in a separate window, where Outlook prompts you to confirm your identity before decrypting the content. This is a security design choice that cannot be changed.
Classic Outlook S/MIME vs New Outlook S/MIME: Key Differences
| Item | Classic Outlook | New Outlook |
|---|---|---|
| Settings location | File > Options > Trust Center > Email Security | Settings > Mail > S/MIME |
| Certificate assignment | One certificate for all accounts | Per-account certificate selection |
| Supported S/MIME version | S/MIME v3 and v4 | S/MIME v4 only |
| Encryption algorithm | AES-256, Triple DES, RC2 | AES-256 only |
| Group Policy support | Full registry-based GPO | Not available in current version |
| Web client support | Not applicable | Not supported |
The table above summarizes the main differences. The most impactful change for administrators is the loss of Group Policy configuration. If your organization relies on centralized S/MIME deployment, you must switch to Intune or manual per-user configuration until Microsoft adds GPO support for the New Outlook.
You can now enable S/MIME encryption and digital signing in the New Outlook by going to Settings > Mail > S/MIME and selecting a certificate for each account. Remember that S/MIME only works in the desktop client, not in the web version. If you manage multiple users, consider deploying certificates via Intune and instructing users to complete the per-account setup once.