2.17 Set 'Support the following message formats:' to 'Enabled:S/MIME and Fortezza'

Information

This policy setting controls which message encryption formats Outlook can use. Outlook
supports three formats for encrypting and signing messages: S/MIME, Exchange, and
Fortezza.
If you enable this policy setting, you can specify whether Outlook can use S/MIME (the
default), Exchange, or Fortezza encryption, or any combination of any of these options.
Users will not be able to change this configuration.
If you disable or do not configure this policy setting, Outlook only uses S/MIME to encrypt
and sign messages. If you disable this policy setting, users will not be able to change this
configuration. The recommended state for this setting is: Enabled: S/MIME and Fortezza.

Rationale

E-mail typically travels over open networks and is passed from server to server. Messages
are therefore vulnerable to interception, and attackers might read or alter their contents. It
is therefore important to have a mechanism for signing messages and providing end-to-end
encryption.
Outlook 2010 supports three formats for encrypting and signing messages: S/MIME,
Exchange, and Fortezza. By default, Outlook only uses S/MIME to encrypt and sign
messages. If your organization has policies that mandate the use of specific encryption
formats, allowing users to choose freely between these formats could cause them to violate
such policies.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Cryptography\Message Formats\Message Formats

Then set the 'Support the following message formats:' option to 'S/MIME and Fortezza'.

Impact

Enabling this setting and selecting 'S/MIME, Exchange, and Fortezza' from the drop-down
list adds support for Fortezza, a hardware-based encryption standard created by the
National Security Agency (NSA), a division of the United States Department of Defense. If
your organization uses Fortezza, you will have to use this setting to add support for
Fortezza to Outlook. The recommended SSLF configuration does not eliminate support for
S/MIME, so implementing this recommendation should not affect users who need access to
the S/MIME encryption and signing functionality in Outlook 2010.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Windows

Control ID: d6a2248d910c74507a70dfea04928bfd96af9f7e3e07207ae1d6769b426489fd