Microsoft has finally delivered a critical security feature to the new Outlook for Windows: users can now store S/MIME encryption certificates directly inside their Contacts. The change, confirmed as launched on July 6, 2026, via Microsoft 365 Roadmap ID 518288, means desktop users of the revamped email client no longer need workarounds to manage certificate-to-contact associations.

What actually changed

The new Outlook for Windows, the modern replacement for the classic desktop app, can now associate an S/MIME certificate with a contact record. When you open or create a contact, the app exposes a field for importing or selecting an X.509 certificate. Once stored, that certificate becomes the default encryption and signing certificate for any email addressed to that contact from your Outlook desktop client.

Previously, the new Outlook had no native contacts-based certificate store. Users who relied on S/MIME for end-to-end encrypted email had to either stick with the classic Outlook or manually export and import certificates per-message—a tedious and error-prone process. Administrators in regulated industries often sidelined the new Outlook entirely because of this gap.

There is a small nuance in the timeline. The original roadmap entry for this feature indicated general availability in May 2026, but the official launch notification from Microsoft arrived on July 6, 2026. That two-month delay suggests extra validation cycles, possibly to ensure compatibility with various certificate authorities and on-premises PKI deployments.

What it means for you

For everyday users with enterprise accounts
If your organization requires S/MIME for email security—common in government, healthcare, and legal sectors—you can now adopt the new Outlook without losing encryption capabilities. After your IT team assigns you a certificate, you can open a colleague’s contact card, add the certificate, and immediately start sending encrypted messages. The process mirrors the classic Outlook experience, though the UI has been refreshed to match the new app’s design language.

For IT administrators
This change removes a major blocker for broad deployment of the new Outlook in regulated environments. You can push certificates via Group Policy or Microsoft Intune as before, but now the client will correctly consume them when users compose encrypted mail. There is no requirement for an Exchange Online-only architecture; on-premises Exchange and hybrid deployments are supported as long as the new Outlook is connected to a Microsoft 365 account (which it must be). Audit trails for certificate usage remain in the Microsoft Purview compliance portal, unchanged from classic Outlook.

For developers and ISVs
The underlying Graph APIs for contacts already supported certificate attributes, but the new Outlook client did not expose them. Now that the UI layer is complete, third-party tools that manage certificates via Microsoft Graph (e.g., S/MIME provisioning apps) will see their data surface seamlessly in the contacts pane. If you maintain a line-of-business Outlook add-in that reads certificate metadata, test it against the latest release—the property names are consistent with the documented Outlook REST API.

How we got here

The new Outlook for Windows began rolling out as a web-powered app in early 2024. It replaced the aging Win32 client with a progressive web app wrapper, promising faster updates and feature parity over time. Microsoft initially prioritized consumer-facing features like AI-assisted writing and feedback loop integrations, leaving enterprise security capabilities behind.

S/MIME in particular became a pain point. Classic Outlook stores certificates in the user’s personal certificate store and in the contact object. The new Outlook’s simpler architecture, based on the Outlook.com service, lacked a local certificate store for contacts. Early adopters found that while they could enable S/MIME in settings, the app often failed to locate the correct certificate for a recipient, or required them to manually browse for a .cer file each time.

Admins and power users pushed back loudly in Microsoft’s feedback portal and on forums. The roadmap item first appeared in early 2025 with a tentative “Q4 2025” target, then slid to May 2026 before the final July 6 release date. The delay coincided with a broader effort by Microsoft to harden the new Outlook for government community cloud (GCC) customers, where S/MIME is a compliance mandate.

What to do now

If you are using the new Outlook on Windows, check for updates. The feature is part of the current channel build and does not require a separate download. To confirm you have it:

  1. Open the new Outlook.
  2. Go to Settings (gear icon) → AccountsS/MIME settings. Verify that the toggle for S/MIME is on.
  3. Open a contact (People module). The contact form now includes a Certificates section near the bottom. If you don’t see it, your organization may need to push a policy enabling the feature.

For administrators, the feature is controlled by the Microsoft 365 Apps admin center policy \"Allow use of S/MIME in new Outlook.\" Make sure this is enabled. Additionally, ensure your certificate lifecycle management process updates contact object certificates regularly—the new client will use the most recently added certificate that matches the recipient’s email address.

A word of caution: if you previously imported certificates manually into the local machine store as a workaround, those certificates will not automatically appear in the contacts UI. You must re-import them into each contact. For large organizations, Microsoft recommends using a script or third-party tool to bulk-provision certificate attributes via Graph.

Known limitations
- The current implementation does not support S/MIME for shared mailboxes or delegate scenarios.
- Certificate validity checks rely on the same OCSP/CRL endpoints as classic Outlook, so network firewall rules must still allow those endpoints.
- On Windows 10 devices with the new Outlook, some users report that the Certificates button in contacts is hidden until they restart the app after policy application.

Outlook

With this release, the new Outlook for Windows closes one of its most glaring feature gaps. The next logical steps for Microsoft will be expanding S/MIME support to other versions of the new Outlook (macOS, web, mobile) and adding full certificate management features like auto-detection from the Global Address List. The July 2026 launch makes the new Outlook a viable default client for security-conscious organizations, but widespread adoption will depend on how quickly admins trust the new certificate handling in production. Watch the Microsoft 365 public roadmap for upcoming improvements to cross-client S/MIME interoperability. As always, test in a pilot group before rolling out broadly.