Information
This policy setting controls how Outlook functions when a root certificate is missing. Outlook will display either an error or warning based on the status of the root certificate.
The recommended state for this setting is: Enabled: Error.
Rationale:
When Outlook accesses a certificate, it validates that it can trust the certificate by examining the root certificate of the issuing CA. If the root certificate can be trusted, then certificates issued by the CA can also be trusted. If Outlook cannot find the root certificate, it cannot validate that any certificates issued by that CA can be trusted. An attacker may compromise a root certificate and then remove the certificate in an attempt to conceal the attack.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Error:
User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Cryptography\Signature Status dialog box\Missing root certificates
Default Value:
Enabled: Error (Users will see an error when a root certificate is missing.)