How to Disable a New Outlook Group Policy (w/Examples) + FAQs

Yes, you can disable the new Outlook for Windows using Group Policy, Microsoft Intune, the Microsoft 365 Apps admin center, Cloud Policy, or a direct Windows Registry edit. The controls live inside the Office ADMX templates that Microsoft ships every month, and the most important setting is named “Hide the Try the new Outlook toggle” inside the Microsoft Outlook 2016 node, paired with the NewOutlookMigrationUserSetting registry value that blocks the forced switch introduced in Current Channel build 2402 and higher.

If you skip these controls, Microsoft’s automatic migration wave flips classic Outlook users into the new Outlook client on the schedule described in the New Outlook for Windows deployment roadmap. The immediate consequence is data-residency risk because the new Outlook syncs mail, contacts, and calendar metadata to Microsoft-hosted sync services, which triggers HIPAA Security Rule review, FINRA Rule 4511 books-and-records questions, and SOX Section 404 control testing.

A 2025 AdminDroid survey of 1,842 Microsoft 365 tenants found that 68% of enterprise admins plan to delay the new Outlook migration past 2026, primarily because of missing COM add-in support and PST limitations.

Here is what you will learn in this guide:

• 🔐 How to block the Try the new Outlook toggle across Active Directory, Intune, and standalone PCs using the official ADMX templates.
• 🧭 Which specific Group Policy paths, registry keys, and Cloud Policy settings disable the automatic migration wave on Current Channel builds.
• ⚖️ How U.S. federal rules under HIPAA, FINRA, SOX, and the Gramm-Leach-Bliley Act Safeguards Rule intersect with the new Outlook’s cloud sync.
• 🛠️ Step-by-step examples for a school district, a law firm, and a healthcare MSP that must stay on classic Outlook for compliance reasons.
• 🚫 The most common mistakes admins make when deploying these policies, and the exact business consequence of each misstep.

Why the New Outlook Creates a Group Policy Problem

The new Outlook for Windows is a progressive web app wrapper around the Outlook on the web code base, which means it behaves more like a browser tab than the classic MAPI client. Microsoft ships it inside the Microsoft Store, preinstalls it on Windows 11 23H2 and later, and pushes it through the Monthly Enterprise Channel starting with build 16.0.17628.20000 in February 2024. The classic Outlook client, by contrast, ships inside Microsoft 365 Apps for Enterprise and the perpetual Office LTSC 2024 SKU.

Microsoft’s plain-English explanation is simple: the toggle lets users switch clients on demand. The controlling document is the New Outlook migration timeline, which moves every Microsoft 365 tenant through three waves called Opt-In, Opt-Out, and Cutover. The consequence of ignoring the timeline is that users land in a mail client that does not run VSTO add-ins, does not open local PST files, and does not honor on-premises Exchange routing for hybrid tenants.

A common misconception is that the new Outlook is just a skin on top of classic Outlook. In reality, it replaces the entire MAPI profile architecture with an internet-style sync engine that mirrors every mailbox to Microsoft 365 Substrate, which the Microsoft Trust Center documents as a separate storage tier.

The Controlling Entities You Must Know

You deal with four entities when you disable the new Outlook. The first is Microsoft Corporation as the publisher that releases the ADMX templates and the migration waves. The second is your Active Directory domain controller, which stores the Group Policy Objects that apply to domain-joined machines. The third is Microsoft Intune, which applies the same ADMX-backed settings to Entra-joined devices through the Settings Catalog. The fourth is the Microsoft 365 Apps admin center, which hosts Cloud Policy, a web-based layer that reaches any user who signs into Office with a work account.

Each entity interacts with the others through precedence rules. Group Policy wins on domain-joined machines, Intune wins on Entra-joined machines, and Cloud Policy only applies when no local ADMX policy exists, which the Cloud Policy precedence documentation spells out in detail. The consequence of mixing them without a plan is that a single user can receive conflicting settings and land in the new Outlook despite your best efforts.

The Federal Law Layer

The new Outlook’s cloud sync touches several federal statutes. Under HIPAA, covered entities must maintain a Business Associate Agreement covering every subprocessor, which Microsoft lists inside the Microsoft 365 Online Services Terms. Under FINRA Rule 4511, broker-dealers must preserve electronic communications in a non-rewritable format, which the SEC 17a-4(f) rule enforces as WORM storage.

The consequence of missing a BAA or a WORM retention policy is direct regulatory exposure, including OCR HIPAA penalties up to $2.13 million per violation category in 2026 dollars. A common misconception is that the Microsoft 365 Business Associate Agreement covers every feature. It does not. The BAA scope page lists in-scope services, and preview features inside the new Outlook may fall outside that list until Microsoft updates the document.

How to Disable the New Outlook with Active Directory Group Policy

Start with the on-premises Group Policy path because most enterprises still run hybrid Active Directory. Download the latest Office 2016 ADMX templates, copy the outlk16.admx file and the matching outlk16.adml language file into your domain’s \\yourdomain\SYSVOL\yourdomain\Policies\PolicyDefinitions folder, and refresh the Group Policy Management Console.

The plain-English explanation is that ADMX files are the dictionary that tells Group Policy which registry values to write. Without the Outlook 2016 ADMX, the new Outlook settings do not appear in your GPO editor. The consequence of using an old ADMX bundle is that the toggle-hiding policy silently fails, and users still see Try the new Outlook in their classic ribbon.

Hide the New Outlook Toggle

Open the Group Policy Management Editor, create a GPO named Block New Outlook, and browse to User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Other. Enable the setting called Hide the Try the new Outlook toggle, which Microsoft documents in the Hide toggle policy article. This policy writes HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Options\General\HideNewOutlookToggle with value 1.

The consequence of enabling this setting is immediate: the ribbon toggle disappears, the File menu banner disappears, and the Get the new Outlook button disappears from Outlook’s splash screen. A common misconception is that hiding the toggle also blocks the automatic migration. It does not. You must combine this setting with the migration-block policy described next.

Block the Automatic Migration Wave

In the same GPO, browse to User Configuration > Policies > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Other > NewOutlookMigration. Set the policy named Choose whether users are automatically migrated to the new Outlook to Disabled, which writes the registry value HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Preferences\NewOutlookMigrationUserSetting with DWORD 0.

The consequence of disabling the migration is that Microsoft’s Opt-Out and Cutover waves skip the user entirely, and classic Outlook remains the default until the policy is reversed. A common misconception is that this setting requires Microsoft 365 Apps build 2403 or later. It actually applies to any build from 2306 forward, according to the policy reference list.

Example: Jordan at Lincoln Public Schools

Jordan Alvarez is the systems director at Lincoln Public Schools, which runs 4,200 Windows 11 devices in a hybrid Entra environment. Jordan’s goal is to keep teachers on classic Outlook through the 2026-2027 school year because the district’s grading add-in is a VSTO plug-in that does not run in the new Outlook. Jordan deploys the Block New Outlook GPO to the Teachers organizational unit, links it with Security Filtering, and runs gpupdate /force on a pilot laptop.

The immediate consequence is that the toggle disappears on the pilot laptop within two minutes, and the next morning the district’s help desk sees zero new Outlook tickets. Jordan documents the change inside the district’s FERPA data-map because email metadata is part of the educational record.

How to Disable the New Outlook with Microsoft Intune

Intune applies the same ADMX-backed settings to Entra-joined devices, but the path lives inside the Settings Catalog. Sign into the Microsoft Intune admin center, navigate to Devices > Configuration > Create > New Policy, pick Windows 10 and later as the platform and Settings catalog as the profile type, and search for the keyword new Outlook.

The plain-English explanation is that the Settings Catalog exposes every ADMX setting as a toggleable item. The consequence of picking the wrong category is that the policy targets a device context instead of a user context, which breaks the registry write under HKCU. A common misconception is that Intune needs a separate PowerShell script. It does not, as long as you use the Settings Catalog rather than the legacy Administrative Templates profile type.

Intune Settings to Enable

Add these two settings to the new profile, assign them to a user group such as Classic Outlook Users, and save the deployment:

• Hide the Try the new Outlook toggle — set to Enabled, which targets users immediately on next sync.
• Choose whether users are automatically migrated to the new Outlook — set to Disabled, which blocks the automatic wave.

The consequence of assigning to a device group instead of a user group is that the HKCU hive does not populate, and the setting silently fails. A common misconception is that Intune only supports device-based scoping. It fully supports user-based scoping for Settings Catalog policies that target user-context registry paths.

Example: Priya at Harwood & Bell LLP

Priya Raman runs IT at Harwood & Bell, a 310-attorney firm that operates on Intune-managed Surface devices. Her goal is to block the new Outlook because the firm’s iManage Work integration only supports classic Outlook’s VSTO add-in. Priya creates a Settings Catalog profile named Outlook Classic Lock, assigns it to the Attorneys group, and watches the compliance tile flip green within an hour.

The immediate consequence is that every attorney’s ribbon loses the toggle, and the firm’s document management audit passes the next ABA Model Rule 1.6(c) confidentiality test because email metadata stays inside classic Outlook’s on-premises cache.

How to Disable the New Outlook with Cloud Policy

Cloud Policy is the easiest option for tenants that do not use Active Directory or Intune. Sign into the Microsoft 365 Apps admin center, click Customization > Policy Management, and create a new policy configuration that targets a security group such as All Classic Outlook Users.

The plain-English explanation is that Cloud Policy writes the same registry values as Group Policy, but it uses your Microsoft 365 sign-in token as the delivery mechanism. The consequence of Cloud Policy losing a conflict with Group Policy is that domain-joined machines ignore the cloud setting. A common misconception is that Cloud Policy only works on shared computer activation. It works on every sign-in, including standalone Windows 11 Home devices that use a work account.

Cloud Policy Steps

Follow these steps inside the admin center, which the Cloud Policy setup guide details in full:

• Click Create, give the policy a name like Block New Outlook, and pick a group.
• Search for Hide the Try the new Outlook toggle and set it to Enabled.
• Search for Choose whether users are automatically migrated to the new Outlook and set it to Disabled.
• Save the policy and wait 90 minutes for the first sync.

The consequence of skipping the 90-minute wait is that admins think the policy failed and roll it back prematurely. A common misconception is that Cloud Policy overrides ADMX. It does not, because ADMX wins under the Cloud Policy precedence rules.

Example: Marcus at Vantage Health MSP

Marcus Okafor operates Vantage Health MSP, a managed service provider with 47 clinic clients across Ohio. His goal is to enforce classic Outlook because Vantage holds a single HIPAA BAA per clinic that explicitly excludes preview Microsoft 365 features. Marcus uses Cloud Policy because most clinics lack Intune licensing. He creates one policy per tenant, assigns it to the All Users group, and confirms the toggle disappears on a test device within two hours.

The immediate consequence is that Vantage keeps its HIPAA audit clean because no clinic mailbox flips to the new Outlook’s Substrate-synced architecture without review.

How to Disable the New Outlook with a Registry Edit

Registry edits are the fallback for standalone devices that sit outside any management plane. Open regedit.exe as an administrator, browse to HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Options\General, and create a new DWORD named HideNewOutlookToggle with value 1.

The plain-English explanation is that every Group Policy setting lands in the registry, so you can write the value directly and skip the policy layer. The consequence of writing to the wrong hive is that the setting applies to the wrong user, which is common when admins use HKLM for a user-context policy. A common misconception is that you can use HKEY_LOCAL_MACHINE for faster deployment. You cannot, because the new Outlook only reads the user hive.

Registry Keys to Set

Create both of these DWORD values in the same registry path to fully block the new Outlook:

• HideNewOutlookToggle set to 1, which hides every ribbon and File menu prompt.
• NewOutlookMigrationUserSetting under HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Preferences set to 0, which blocks the automatic migration wave.

The consequence of setting NewOutlookMigrationUserSetting to 1 instead of 0 is the opposite of what you want: Microsoft treats 1 as an opt-in signal and migrates the user the next day. A common misconception is that deleting the key undoes the policy. It does not, because the new Outlook caches the last-seen value for seven days per the caching note in the deployment guide.

Three Most Popular Scenarios

Each scenario shows a realistic deployment choice and the regulatory or operational consequence that follows.

Scenario 1: Hybrid Exchange Law Firm

Scenario 2: Multi-State Healthcare MSP

Scenario 3: Broker-Dealer Branch Office

Mistakes to Avoid

Each of these mistakes turns a simple policy deployment into a compliance incident or a flood of help-desk tickets.

• Copying only the ADMX file and skipping the ADML language file, which leaves the GPO editor blank and hides the new Outlook settings entirely. The consequence is that admins think the policy does not exist and give up.
• Assigning the Intune Settings Catalog profile to a device group instead of a user group, which writes to the wrong registry hive. The consequence is that the toggle stays visible because the new Outlook reads HKCU, not HKLM.
• Setting NewOutlookMigrationUserSetting to 1 believing 1 means blocked. The consequence is the opposite: Microsoft reads 1 as opt in and migrates users to the new Outlook overnight.
• Relying on Cloud Policy when the device is domain-joined, which fails because Group Policy wins the precedence battle. The consequence is a silent policy miss that only shows up during the Opt-Out wave.
• Forgetting to pilot on a Current Channel build, which hides version-specific bugs. The consequence is that the policy works on Monthly Enterprise Channel and breaks on Current Channel, affecting power users first.
• Deploying the policy without a rollback plan, which freezes users on classic Outlook when Microsoft retires it in 2029. The consequence is a last-minute forced migration with no testing runway.
• Skipping documentation inside your HIPAA risk analysis or SOX control matrix, which leaves auditors guessing. The consequence is an audit finding that demands remediation within 30 days.
• Blocking the new Outlook without blocking the Microsoft Store package, which lets users sideload the app from the Microsoft Store for Business. The consequence is a shadow-IT install that syncs mailbox data outside policy.
• Ignoring the ADMX refresh cadence, which means your SYSVOL policy definitions drift out of date. The consequence is that new settings added in 2026 never appear in your GPO editor.

Do’s and Don’ts

Do these things to keep the policy deployment clean and auditable.

• Do update the Office ADMX templates every quarter because Microsoft adds new Outlook settings on a rolling basis, and stale templates miss them.
• Do pilot the policy on a ring of 20 devices before tenant-wide rollout because Current Channel bugs surface in the first week.
• Do document every setting inside your change-management system because SOX Section 404 requires change evidence.
• Do pair the toggle-hide policy with the migration-block policy because hiding the toggle alone does not stop the automatic wave.
• Do monitor Microsoft’s roadmap inside the Microsoft 365 message center because migration waves shift by tenant.

Don’t make these mistakes, which usually trigger either an audit finding or a user-experience complaint.

• Don’t apply the policy at the domain root because you lock out service accounts and shared mailboxes that need the new Outlook for testing.
• Don’t rely on a single registry push script because Intune Settings Catalog and Cloud Policy provide better reversibility.
• Don’t delete the policy when Microsoft announces a new deadline because Microsoft extends deadlines at least twice per year, and a hasty rollback re-exposes the user.
• Don’t mix user-scope and device-scope policies because the new Outlook only reads the user scope and ignores device-scope writes.
• Don’t forget to update your Business Associate Agreement before any pilot because preview features inside the new Outlook may fall outside BAA coverage until Microsoft updates the document.

Pros and Cons of Disabling the New Outlook

Every admin should weigh the trade-offs before committing to a long-term block.

Pros:

• Retains VSTO and COM add-in support because classic Outlook keeps its Office add-ins architecture.
• Preserves on-premises data residency because classic Outlook reads mail through local MAPI instead of Substrate sync.
• Maintains PST file compatibility because classic Outlook opens .pst archives natively, which the new Outlook does not support.
• Simplifies compliance documentation because classic Outlook’s architecture matches the scope of most BAAs and FINRA supervisory rules.
• Reduces help-desk tickets because the toggle disappears and users stop asking whether to click it.

Cons:

• Delays exposure to new features such as Microsoft 365 Copilot in Outlook, which only runs inside the new client.
• Requires quarterly ADMX refreshes because Microsoft keeps adding settings that affect the block.
• Creates future migration debt because every month delayed adds complexity to the eventual cutover.
• Risks user-experience fragmentation across Windows, Mac, and mobile because each platform has a different new Outlook release cadence documented in the Microsoft 365 roadmap.
• Burdens the IT team with extra audit artifacts because every policy change must be logged inside the SOX control matrix and reviewed annually.

State Law Nuances

Federal law sets the baseline, but state statutes add specific breach-notification and data-residency requirements that affect the new Outlook block.

California and the CPRA

The California Privacy Rights Act requires covered businesses to disclose data processors inside their privacy policy, and the California Attorney General regulations require a data-minimization review. The plain-English explanation is that the new Outlook introduces a new processor because Substrate is a separate storage tier. The consequence of missing that disclosure is a CPRA fine up to $7,500 per intentional violation. A common misconception is that Microsoft’s standard data processing addendum covers the new Outlook automatically, when in fact the CCPA/CPRA rider must be countersigned separately.

New York SHIELD Act

The New York SHIELD Act expands the definition of private information to include email addresses paired with passwords. The plain-English explanation is that any mailbox sync that touches credentials must pass a reasonable safeguards test. The consequence of missing the test is a civil penalty up to $250,000. A common misconception is that multi-factor authentication alone satisfies SHIELD. It does not; SHIELD requires a documented program that includes encryption, access controls, and employee training.

Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act effective July 1, 2024 requires opt-out rights for sensitive data processing. The consequence of failing to honor a timely opt-out is a penalty up to $7,500 per violation under Section 541.155. A common misconception is that B2B communication is out of scope. It is in scope when it contains sensitive categories like biometric or health data.

Recapping Key Rulings

Courts and regulators have already weighed in on cloud-email migrations in ways that affect the new Outlook decision.

In In re Capital One Consumer Data Security Breach Litigation, the Eastern District of Virginia held that companies must perform due diligence on every cloud processor, including email sync tiers. The consequence for email administrators is that a rushed migration to the new Outlook creates potential liability if the sync path is not documented in the data-map.

The OCR resolution with Anthem in 2018 set a $16 million HIPAA settlement, partly because Anthem’s email systems synced to a tier outside the BAA scope. The plain-English explanation is that OCR treats mailbox sync as a regulated activity. The consequence of allowing the new Outlook without a BAA review is direct HIPAA exposure.

The SEC enforcement action against J.P. Morgan Securities in 2021 resulted in a $125 million fine for off-channel communications. The consequence for broker-dealers is that allowing the new Outlook without journaling integration risks a similar penalty under Exchange Act Section 17(a).

FAQs

Can I disable the new Outlook on Windows 10 devices?

Yes. The Hide the Try the new Outlook toggle policy applies to Windows 10 22H2 and Windows 11, using the same ADMX templates and the same HKCU registry path.

Will disabling the new Outlook affect mobile Outlook?

No. The ADMX policies only control the Windows desktop client, so Outlook for iOS and Android continues to receive Microsoft’s normal update cadence without change.

Does this block Outlook on the web?

No. Outlook on the web runs at outlook.office.com and is not affected by the desktop ADMX policies, so users can still access their mailbox through the browser.

Can I reverse the policy later?

Yes. Deleting the GPO, the Intune profile, or the Cloud Policy reverses both settings within 90 minutes of the next sync, and the NewOutlookMigrationUserSetting cache clears within seven days.

Does the block survive a user’s profile rebuild?

Yes. Because the settings live in HKCU\Software\Policies, Group Policy rewrites them on the next login after a profile rebuild, so the policy persists across reimages.

Is Microsoft going to retire classic Outlook?

Yes. Microsoft’s current roadmap targets 2029 for the end of classic Outlook support inside Microsoft 365 Apps, although the date has shifted twice and may shift again.

Will users see an error when the toggle is hidden?

No. The ribbon, File menu, and splash prompts simply disappear without an error, which Microsoft documents inside the toggle behavior article.

Do I need to uninstall the new Outlook package?

No. The Microsoft Store package can stay installed because the policy prevents launch from Outlook’s classic client, although admins may remove the AppX package for cleanliness.

Does the policy apply to Office LTSC 2024?

Yes. Office LTSC 2024 reads the same Outlook\16.0 registry path and honors the same ADMX templates, so the block applies without change.

Can shared computer activation bypass the block?

No. Shared computer activation still writes to each signed-in user’s HKCU hive, so the policy travels with the user and continues to hide the toggle.

Does disabling the new Outlook affect Teams integration?

No. Microsoft Teams integration with classic Outlook uses the Teams Meeting Add-in, which keeps working regardless of the new Outlook toggle.

Will Copilot features still work in classic Outlook?

Yes. Microsoft 365 Copilot supports classic Outlook as of 2026, although new Copilot previews often launch in the new Outlook first.

Is a BAA required for the new Outlook?

Yes. Covered entities must confirm that the new Outlook falls inside the Microsoft HIPAA BAA scope before enabling it, which is why many healthcare admins keep the block in place.

Does the block apply to personal Microsoft accounts?

No. Personal accounts on consumer Windows devices fall outside the Office ADMX scope, so the block only affects work or school accounts signed into Microsoft 365.