Policy and user setting to force Outlook to use the default digital certificate

Applies to: Microsoft Office Outlook 2003, Microsoft Office Outlook 2007, Microsoft Outlook 2010


Microsoft Office Outlook 2003 introduced the ForceDefaultProfile registry value. Outlook 2007 and Outlook 2010 also support this registry value. When you enable this setting, Outlook is forced to always use the default certificate for signing or encrypting. Additionally, you are prompted to select another digital certificate if there are any errors with the currently selected certificate. For example, the certificate may be expired.

More Information

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
When the ForceDefaultProfile registry value is set to 1, Outlook does not automatically select another available certificate. Instead, you are presented with the following prompt:

Microsoft Outlook cannot sign or encrypt this message because your certificate is not valid.

Change Security Settings | OK
If you click Change Security Settings, you can manually select a different certificate, if one is available, in the Change Security Settings dialog.

If you set ForceDefaultProfile to 1 and do not have any valid certificates, the above prompt is displayed.

This behavior helps alert you when there is a problem with your certificate. Consider the following scenario.
  • You have digital certificates for both business and personal use.
  • The digital certificate for business use is configured as the default.
  • Outlook detects an error with the certificate that you use for business.

By default, Outlook automatically switches to use the digital certificate that you created for personal use. Without a prompt, you may inadvertently use your personal certificate for signing and encrypting email messages.

To set the ForceDefaultProfile registry value, use the following steps:
  1. Exit Outlook.
  2. Start Registry Editor.

    In Windows Vista or in Windows 7: Click Start, type regedit in the Start Search box, and then press Enter.

    If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.

    In Windows XP: Click Start, click Run, type regedit, and then click
  3. Locate and then right-click the following registry subkey:
    Note: x.0 in the registry key above represents your Outlook version. Use one of the following values:

    Outlook 2010: 14.0
    Outlook 2007: 12.0
    Outlook 2003: 11.0
  4. On the Edit menu, point to New, and then click DWORD Value.
  5. Type ForceDefaultProfile, and then press Enter.
  6. Right-click ForceDefaultProfile, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Exit Registry Editor.
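The steps above, as an added PowerShell example that is not part of the article: it audits whether ForceDefaultProfile is set to 1 for a chosen Outlook version and, with -Enforce, creates the DWORD value after confirming Outlook is closed. The registry subkey path is not reproduced on this page, so $SubkeyTemplate is a labelled placeholder you must replace; the value name, type, data and x.0 version numbers come from the article.

```powershell
# Added example, not from the KB article. Audit (default) or enforce (-Enforce)
# the ForceDefaultProfile DWORD for one Outlook version. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('2003', '2007', '2010')]
    [string] $OutlookVersion = '2010',
    [switch] $Enforce,   # without -Enforce the script only reports the current state
    # PLACEHOLDER: the article's subkey under HKCU, with the x.0 segment written as {0}.
    # Replace both PLACEHOLDER parts with the real subkey from the article before use.
    [string] $SubkeyTemplate = 'HKCU:\PLACEHOLDER_PARENT\{0}\PLACEHOLDER_CHILD'
)

if ($SubkeyTemplate -like '*PLACEHOLDER*') {
    throw 'Replace $SubkeyTemplate with the registry subkey given in the article.'
}

# x.0 values listed in the article for each Outlook version
$versionMap = @{ '2010' = '14.0'; '2007' = '12.0'; '2003' = '11.0' }
$subkey     = $SubkeyTemplate -f $versionMap[$OutlookVersion]
$valueName  = 'ForceDefaultProfile'

function Get-ForceDefaultProfileState {
    # Returns 'NotSet', 'Enforced' (value is 1) or 'Present(<data>)' for any other data
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$Name -eq 1) { return 'Enforced' }
    return "Present($($item.$Name))"
}

$state = Get-ForceDefaultProfileState -Path $subkey -Name $valueName
Write-Output "Outlook $OutlookVersion ($subkey): $valueName is $state"

if (-not $Enforce -or $state -eq 'Enforced') { return }

# Step 1 of the article: Outlook must be closed before the value is changed
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning 'Outlook is running; exit Outlook and run this script again.'
    return
}

# Steps 3 to 7: create the subkey if needed, then the DWORD value with data 1
if ($PSCmdlet.ShouldProcess($subkey, "Set $valueName (DWORD) = 1")) {
    if (-not (Test-Path $subkey)) { New-Item -Path $subkey -Force | Out-Null }
    New-ItemProperty -Path $subkey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    $verified = Get-ForceDefaultProfileState -Path $subkey -Name $valueName
    Write-Output "$valueName written; state is now $verified"
}
```

Run without -Enforce on each user's profile to check that the setting is actually in place; an expected 'Enforced' result that reads 'NotSet' is the case the article's prompt is designed to surface.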
To deploy the setting via group policy, download the appropriate version of the Office Administrative Templates from the appropriate Microsoft Download Center web site:
Office 2010 Administrative Template files (ADM, ADMX/ADML) and Office Customization Tool download

2007 Office system (SP2) Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool

Office 2003 Service Pack 3 Administrative Template (ADM), OPAs, and Explain Text Update