Intune policy to determine SMIME cert lookup priority

A new Intune policy allows admins to set the priority order for SMIME certificate lookup in Outlook mobile, enhancing control and security. Rolling out on August 29, 2025, it is off by default. Configuration details and examples are provided. More information is available [here](https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#smime-settings).

We're introducing a new Intune policy that allows admins to define the priority order for SMIME certificate lookup in Outlook mobile. This gives organizations more control over how certificates are selected when multiple sources are available, improving flexibility and alignment with internal security practices.

[When this will happen:]

This change will begin rolling out on August 29, 2025.

[How this affects your organization:]

You're receiving this message because our reporting indicates that one or more users in your organization may be using SMIME in Outlook mobile. With this update, administrators can configure a new Intune policy to control the order in which SMIME certificates are retrieved from different sources.

This policy is off by default. If not configured, Outlook mobile will continue using the default lookup order.

[What you can do to prepare

Once the policy becomes available, you can configure it using the following key:

• Key: com.microsoft.outlook.Mail.SMIMEEnabled.CertificatesLookupOrder
• Type: String
• Accepted Values:
  • 0 (Contacts)
  • 1 (GAL)
  • 2 (Device)
  • 3 (LDAP)
  • Format: "X", "X, X", "X, X, X", or "X, X, X, X"
  • Default (if not specified): "0, 1, 2, 3"
  • Example: "3, 2, 0, 1"

To learn more about configuring SMIME settings in Outlook mobile with Intune, visit: Deploying Outlook for iOS and Android app configuration settings in Exchange Online.