🚀 Overview
For IT administrators, the transition to the new Outlook for Windows can sometimes be hindered by existing organizational security postures and endpoint management policies. When users attempt to engage the “Try the New Outlook” toggle, they may find the application failing to launch or the toggle simply reverting to the “Off” position. In most enterprise environments, these failures are not inherent software bugs but are instead the result of restrictive Group Policy Objects (GPOs), Registry configurations, or network security layers that prevent the deployment of packaged Windows apps (MSIX). This guide provides a deep dive into identifying these blockers and implementing the necessary configurations to ensure a smooth deployment.
🛠️ Key Technical Details
🛡️ Policy and Registry Constraints
The new Outlook is distributed as an MSIX package. Consequently, any policy that restricts the installation of packaged applications will terminate the setup process. This is often governed by specific registry keys located within the following paths:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlockComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
Admins should verify the status of the following registry keys, as they are the primary drivers for installation behavior:
BlockNonAdminUserInstallAllowAllTrustedAppsAllowDevelopmentWithoutDevLicense
⚠️ Critical Note: If AllowAllTrustedApps is disabled, MSIX installations will fail. While Microsoft addressed this in the Windows October cumulative update KB5031455 (and subsequent November security updates), environments on older builds must ensure this is enabled.
⚙️ Group Policy Configuration
To ensure compatibility, navigate to the Local Group Policy Editor (gpedit.msc) and audit the following path:
Computer Configuration > Administrative Templates > Windows Components > App package Deployment
For successful deployment, the following settings should ideally be set to Not configured:
| Setting | Required Value |
|---|---|
| Prevent non-admin users from installing packaged Windows apps | Not configured |
| Allow all trusted apps to install | Not configured |
🌐 Network and Firewall Requirements
The installer requires unhindered access to the Office Content Delivery Network (CDN) for both initial installation and background updates. Ensure your proxy or firewall whitelists the following endpoints:
https://res.cdn.office.nethttps://res.cdn.office.net/nativehost/5mttl/installer/
🔒 Executable Restrictions and Security Software
The transition from classic Outlook triggers a download of the installer to the user’s temporary directory (typically %TEMP%). If your environment utilizes AppLocker, Anti-Virus, or other endpoint security tools that block execution from the C:\Users\ directory, the installation will be blocked.
Administrators must ensure that the following executable is permitted to run:
NewOutlookInstaller.exe
📅 Delivery Optimization (DO) Settings
Delivery Optimization settings can impact how the client retrieves update packages. Using deprecated values for DODownloadMode can lead to installation failure.
- Windows 11: Check
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization. IfDODownloadModeis set to 100 (bypass), it must be changed to 0. - Windows 10: Check
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimizationand ensureDODownloadModeis set to 0.
📦 Alternative Deployment Strategies
💻 Deployment via PowerShell (When Windows Store is Blocked)
If your organization restricts access to the Microsoft Store, you can provision the app for all users via the Office CDN using PowerShell 7:
- Download the
.exeinstaller. - Open PowerShell 7 as an Administrator.
- Execute the following command in the directory containing the file:
.\Setup.exe --provision true --quiet --start-*🛍️ Deployment via Windows Package Manager (Winget)
In environments where the Microsoft Store is accessible but a command-line deployment is preferred, use Winget:
winget install -i -e --id=9NRX63209R7B --source=msstore --accept-package-agreements⚠️ Impact
Failure to address these configurations results in a fragmented user experience where the “New Outlook” toggle is visible but non-functional. For administrators, this creates increased helpdesk volume and deployment delays. By proactively adjusting MSIX-related GPOs and ensuring network paths to the Office CDN are open, organizations can ensure a seamless transition to the modern Outlook interface while maintaining standard security protocols.
Official Source: Read the full article on Microsoft.com