Change Office Default Save Location


Office sets OneDrive as the default location during its installation.  This default location causes trouble for users who prefer to save to their local or network directories.  Word or Excel may prompt users for multiple authentication requests before they can save locally.


Change the default save location.
  1. Open any Microsoft Office 2016 program.
  2. Click on the File menu item.
  3. Click on Options.
  4.  Click on the Save tab located on the left menu.
  5. Toggle the check box field that reads “Save to computer by default”.  Click OK.

That's it!

Outlook S/MIME Email Encryption

Takeaway:  This article provides an email encryption walk-through.  There comes a time when every organization requires secure email.  Setup email encryption organization-wide or per individual with these simple steps.

PGP:  There are a number of expensive encryption products available but organizations that use Outlook can (and should) use the built-in tools made freely available by Microsoft.  The same technology that protects web sites provides encrypted email -SSL certificates. 

To be fair, there are alternatives to SSL email encryption.  For instance, Pretty Good Privacy (PGP) is an open source encryption protocol.  PGP has a good (pun) reputation with third-party Outlook plugin support.  PGP's greatest flaw is that it is not widely accepted.  Why bother with email encryption that business partners don't support?

I suspect SSL based encryption is popular because of its native Outlook support.  It's worth mentioning that any S/MIME email client supports SSL based encryption (e.g., Firefox and Mac Mail).  In addition, SSL certificates allow for email encryption and also validates a sender's identity.

SSL:   Outlook validates certificate authenticity using a public key infrastructure (PKI).  Trusted root certificate authorities (CAs) issue X.509 (i.e, SSL) certificates to individuals and businesses.  Most web browsers and email clients trust X.509 certificates issued by the handful of public root CAs (e.g., GoDaddy).
Fig. 1.  Individuals and businesses obtain X.509 (i.e., SSL) certificates from root CAs,

Digital Signatures:  SSL certificates consist of a private key and a public key.  The private key is the basis for digital personal identity.  Private keys ensure integrity and confidentiality; and must remain a guarded secret.  Digital signatures use private keys (i.e., digital IDs) to sign outbound email messages.

When Outlook signs a message it first creates a message digest based on mathematical functions (i.e., hashing).  The message digest is a unique and summary of the original data.  Outlook then uses the private key to encrypt the message digest.  The encrypted message digest is the digital signature.

N.B., the message digest is not the same thing as the message. The message digest is encrypted in the digital signature but the message contents remain unencrypted (huh?).  Keep in mind that the private key encrypts the message digest.  The receiving side uses the public key to decrypt the message digest.  Recall, the private key is a well kept secret -only the sender can sign messages with it.  This process establishes the sender's identity and validates the authenticity.  We can be reasonably sure the sender is, who they claim to be, when they include a digital signature.

Content Encryption:  Why does the private key encrypt the message digest but not the message contents?  The answer is because SSL certificates use asynchronous (i.e., one-way) encryption.  Private-keys decrypt public-key encryption, and public-keys decrypt private-key encryption.   It's pointless to encrypt message contents with a private key when everyone has access to the public key.  Why lock a door if everyone has the key to open it?  

Outlook never encrypts message content with a sender's private or public keys.  Outlook therefore, uses the recipient's public key to encrypt messages content.  This process ensures confidentiality because only the recipient can decrypt the message with their super-secret personal key. 

Outlook Encryption Process
  1. Both parties must exchange digitally signed emails before encryption is possible.  The process stores the senders’ digital signature (i.e., public key), in the recipients’ contact list.
  2. New messages are encrypted just before the message is sent.  The new message window contains an Encrypt, and a Sign button in the Options ribbon.   The encrypt option is only available if the recipient’s digital ID (public certificate) is stored in the contact list.

Fig 2.  Outlook Encryption Process Flow

Updated on 4/6/2014 by Steven Jordan.


Outlook freezes or locks up when using a personal certificate...

Last updated  September 13th, 2013 by Steven Jordan


Outlook 2013 has a bug that prevents message delivery after a certificate is installed from the Outlook Trust Center.  After adding the personal the certificate  Outlook freezes and locks after attempting to send.
Microsoft KB 2813237 indicates applications may freeze on Windows 8 when using password protected certificates.  Applying the hotfix resolved all Outlook certificate problems.  Email delivery, message encryption, and digital signature now work as expected. 
However, there was a negative side effect from the hotfix.   Internet Explorer was unable to authenticate using personal certificates. This problem affects both IE and Google Chrome.  The issue was a problem because I was unable to logon or authenticate to StartSSL.  Short-term solution was to use Firefox which maintains certificates independent of Windows.

 Specific Errors:
"Your digital ID name cannot be found by the underlying security system"
"Your Digital Id Name Cannot Be Found By The Underlying Security"

Uninstall all personal certificates via Internet Options. 
          Control Panel > Internet Options > Content > Certificates
After personal certificates are removed proceed to import the certificate from Internet Options.  If the personal certificate is added through Internet Options (do not install via Outlook 2013) Outlook automatically works with the certificate and IE continues to authenticate with the certificate.  I normally install certificates via the certificate management MMC so the approach was new to me.