Does GPO-based Outlook signature configuration work with the new Outlook?

No. The new Outlook does not use the legacy %APPDATA% Signatures folder or the MailSettings registry keys. The GPO and logon script approach only applies to classic Outlook desktop.

Home / Guides / How to Configure Group Policy Outlook Signature (Step-by-Step)

How to Configure Group Policy Outlook Signature (Step-by-Step)

Learn how to configure Outlook email signatures via Group Policy using PowerShell scripts, GPP, and ADMX templates - plus the key limits of each method

Reading time: 6 min Author: Amotz Harari Updated: May 19, 2026

Short answer

How do you configure an Outlook signature using Group Policy?

Configuring an Outlook signature via Group Policy uses a PowerShell logon script deployed through a Group Policy Object (GPO) in Active Directory. The script copies HTML signature files to each user’s %APPDATA%\Microsoft\Signatures folder and sets registry keys in Outlook to assign a default signature automatically at login.

Get expert advice on Outlook signatures managment →

Outlook Signature Governance Risk

The IT cost of leaving Outlook signatures unmanaged

Without central enforcement, Outlook signatures drift. IT absorbs the fallout: tickets, manual corrections, brand inconsistency across every external email thread.

I’ve heard some version of this from IT admins on multiple occasions. One put it directly: Everyone had different fonts, different layouts, different information. It looked completely unprofessional.

At 200 employees, that inconsistency touches every external email thread your organization sends.

Group Policy Outlook Signature

What does Group Policy actually control in Outlook signatures?

Group Policy controls which signature Outlook assigns as the default — not the signature file content itself. It works through 2 mechanisms:

Setting registry keys under HKEY_CURRENT_USER\Software\Microsoft\Office\{version}\Common\MailSettings that tell Outlook which signature name to load for new messages and for replies/forwards
Deploying the actual signature files (.htm, .rtf, .txt) to %APPDATA%\Microsoft\Signatures via a logon script or Group Policy Preferences

Group Policy alone does not insert user-specific data (name, title, phone number) into signatures. That requires a PowerShell script that queries Active Directory and personalizes each file at login time.

GPO Requirements

What do you need before configuring Outlook signatures via Group Policy?

Group Policy-based Outlook signature deployment requires the following infrastructure in place before you begin:

Active Directory — on-premises or hybrid (cloud-only Microsoft Entra ID tenants without traditional domain join cannot use GPO)
Windows Server with Group Policy Management Console (GPMC) installed
Domain-joined Windows machines running classic Outlook desktop
A UNC network share accessible to all domain users, where signature template files and scripts are stored
PowerShell execution policy configured to allow remote-signed or unrestricted scripts on target machines

GPO-based Outlook signature configuration does not apply to Outlook Web App (OWA), Outlook mobile, Mac Outlook, or the new Outlook client, which removed the legacy registry-based signature mechanism entirely.

GPO Signature Configuration

How do you configure Outlook signatures via Group Policy?

Group Policy supports 3 distinct methods for Outlook signature deployment. The right choice depends on whether you need per-user personalization and how much scripting overhead you’re willing to maintain.

How to deploy a personalized Outlook signature via a PowerShell logon script in Group Policy

PowerShell logon scripts are the recommended method for most environments.

They support dynamic user data pulled from Active Directory, making it possible to deploy a signature containing each user’s name, title, and phone number without any manual input per employee.

Step 1: Create your signature template files

Create 3 versions of your signature file:

CompanySignature.htm (HTML, the primary Outlook format)
CompanySignature.rtf (Rich Text)
CompanySignature.txt (plain text fallback)

Use placeholder strings inside the .htm file for user-specific fields:

<p><strong>%%DisplayName%%</strong><br>
%%Title%%<br>
%%PhoneNumber%%<br>
%%Email%%</p>

Store all 3 files on a UNC path accessible to all domain users, for example \\FileServer\Signatures\.

Step 2: Write the PowerShell logon script

# Pull user attributes from Active Directory
$user = Get-ADUser -Identity $env:USERNAME `
  -Properties DisplayName, Title, telephoneNumber, mail

# Set the signature destination folder
$sigFolder = "$env:APPDATA\Microsoft\Signatures"
if (-not (Test-Path $sigFolder)) {
  New-Item -ItemType Directory -Path $sigFolder | Out-Null
}

# Copy template and replace placeholders with user data
$template = Get-Content "\\FileServer\Signatures\CompanySignature.htm" -Raw
$template = $template -replace '%%DisplayName%%', ($user.DisplayName ?? '')
$template = $template -replace '%%Title%%',       ($user.Title ?? '')
$template = $template -replace '%%PhoneNumber%%', ($user.telephoneNumber ?? '')
$template = $template -replace '%%Email%%',       ($user.mail ?? '')
$template | Set-Content "$sigFolder\CompanySignature.htm" -Encoding UTF8

# Repeat the copy-and-replace steps for .rtf and .txt versions

# Assign the signature in Outlook via registry
$regPath = "HKCU:\Software\Microsoft\Office\16.0\Common\MailSettings"
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
Set-ItemProperty -Path $regPath -Name "NewSignature"   -Value "CompanySignature"
Set-ItemProperty -Path $regPath -Name "ReplySignature" -Value "CompanySignature"

Adjust 16.0 for your Office version: 15.0 = Office 2013, 16.0 = Office 2016/2019/2021/Microsoft 365 Apps.

Step 3: Deploy the script via Group Policy

Open Group Policy Management Console (GPMC)
Create or edit a GPO linked to the OU containing your target users
Navigate to: User Configuration > Windows Settings > Scripts > Logon
Add the script — either the .ps1 directly, or a .bat wrapper:

powershell.exe -ExecutionPolicy Bypass -NonInteractive -File "\\FileServer\Scripts\SetSignature.ps1"

Run gpupdate /force on a test machine to validate

The script runs at each user login. Signature updates take effect the next time each user logs on.

How to deploy an Outlook signature using Group Policy Preferences

Group Policy Preferences (GPP) handles file copying and registry changes without requiring a PowerShell script.

This method works well for organizations where all users share an identical static signature — no per-user personalization needed.

Step 1: Prepare static signature files

Create CompanySignature.htm, CompanySignature.rtf, and CompanySignature.txt with hardcoded company-wide information. No AD placeholders. Store them on a UNC share.

Step 2: Deploy the files via GPP

Open GPMC, edit your GPO
Navigate to: User Configuration > Preferences > Windows Settings > Files
Create a new File item with these settings:
- Action: Create
- Source file: \\FileServer\Signatures\CompanySignature.htm
- Destination file: %AppData%\Microsoft\Signatures\CompanySignature.htm
Repeat for .rtf and .txt versions

Step 3: Set the Outlook registry via GPP

Navigate to: User Configuration > Preferences > Windows Settings > Registry
Create a new Registry item:
- Hive: HKEY_CURRENT_USER
- Key path: Software\Microsoft\Office\16.0\Common\MailSettings
- Value name: NewSignature
- Type: REG_SZ
- Value data: CompanySignature
Repeat for ReplySignature

GPP applies at logon. Users will see the assigned signature in Outlook after their next login.

How to configure Outlook signature settings via Office ADMX administrative templates

Office Administrative Templates (ADMX) let you configure Outlook signature assignment through the standard Group Policy policy tree — no raw registry path management required.

Step 1: Download and import the Office ADMX templates

Download the Microsoft 365 Apps for Enterprise administrative template files from the Microsoft Download Center.

Extract the files, then copy the .admx files to C:\Windows\PolicyDefinitions on your domain controller (or to your Central Store if configured). Copy the .adml language files to the matching language subfolder.

Step 2: Configure the signature policy in GPMC

Edit your GPO
Navigate to: User Configuration > Policies > Administrative Templates > Microsoft Outlook [version] > Outlook Options > Mail Format > Signatures
Configure these 2 settings:
- Specify which signature to use for new messages: Enable, set value to CompanySignature
- Specify which signature to use for replies and forwards: Enable, set value accordingly

Important: ADMX assigns a signature by name only. The signature file must already exist in %AppData%\Microsoft\Signatures on each machine. Combine this method with the Group Policy Preferences tab to deploy the actual files, then use ADMX to assign them.

Group Policy Outlook Signature Limits

What are the core limits of Group Policy for Outlook signature management?

Group Policy signatures carry 6 hard constraints that compound as organizations grow past 50 employees.

Domain-joined Windows only: GPO works exclusively on domain-joined Windows machines running classic Outlook desktop. OWA, Outlook mobile, Mac Outlook, and the new Outlook client are all outside GPO’s reach
No override prevention: GPO sets the default signature at login. Users can change or delete it afterward. There’s no mechanism to enforce it or prevent edits
No instant org-wide updates: A signature change requires updating files on the network share and waiting for each user’s next login. There’s no way to push an immediate rollout
Scripting complexity for dynamic data: Pulling per-user attributes from Active Directory requires PowerShell that handles missing AD fields, special characters, and multiple Office versions across the estate
No cross-platform consistency: A user replying from OWA or Outlook on iOS sends a blank or locally-set signature — GPO has no reach to those clients
No conditional templates: GPO cannot apply different signatures to different departments without building and maintaining separate GPOs or script logic for each group

One IT admin who had managed large GPO signature deployments for years told me: Active Directory sync was critical. We didn’t want to manage user data in another system. GPO forces exactly that — maintaining signature data in scripts, separately from your identity provider, refreshed one login at a time.

GPO VS Signature Management Software

How does Group Policy compare to dedicated Outlook signature management software?

Group Policy and dedicated email signature platforms solve the same problem through very different architectures. Here is how they compare on the dimensions that matter to IT:

Factor	Group Policy (GPO)	Dedicated platform (e.g., WiseStamp)
Classic Outlook desktop	Yes	Yes
Outlook Web App (OWA)	No	Yes
Outlook mobile	No	Yes
New Outlook	No	Yes
Mac Outlook	No	Yes
Dynamic user data from AD	Requires custom scripting	Native (SCIM, Entra ID sync)
Override prevention (locked fields)	No	Yes (RBAC)
Instant org-wide updates	No (requires re-login)	Yes
Multiple department templates	Complex (separate GPOs per group)	Native
Campaign banners	No	Yes
IT maintenance overhead	High	Low
Cloud-only M365 (no domain join)	Not supported	Supported

GPO made practical sense when every employee used a domain-joined Windows PC with classic Outlook desktop. Modern environments have moved past it.

Remote workers on Intune-managed machines, mobile users, and Microsoft 365 cloud-only tenants all fall outside its coverage.

WiseStamp deploys Outlook signatures across desktop, OWA, and mobile through a combination of a client-side Outlook add-in and server-side injection via Microsoft 365.

It syncs user data automatically from Microsoft Entra ID (formerly Azure AD) via SCIM, so new hires get a correct, on-brand signature from their very first email — no logon script involved.

Admins define which signature elements are locked (logo, legal disclaimer, campaign banner) and which employees can update themselves through the Employee Hub (direct phone, profile photo).

The signature appears in real time as the user composes in Outlook, eliminating the confusion that leads to duplicate signatures stacking on top of each other.

Outlook Client Coverage: GPO vs. WiseStamp

Takeaway

What Group Policy can and can’t do for Outlook signatures

Group Policy can configure Outlook signatures on domain-joined Windows machines running classic Outlook desktop.

A PowerShell logon script is the most complete method — it copies personalized HTML files to %APPDATA%\Microsoft\Signatures and sets registry keys to assign them as the default in Outlook.

The approach works for organizations with:

An on-premises or hybrid Active Directory environment
All signature-target users on domain-joined Windows running classic Outlook desktop
A sysadmin available to maintain and update PowerShell scripts through every rebrand and org change

GPO does not reach OWA, Outlook mobile, Mac Outlook, or new Outlook. It cannot prevent users from overriding their signature, and changes require a user logoff/logon cycle to take effect.

Organizations with more than 50 employees, or with any users outside classic Outlook desktop, typically move to a dedicated email signature management platform.

WiseStamp handles the full scope: centralized deployment across all Outlook clients, automatic provisioning via Entra ID, locked templates with self-serve employee fields, and no logon script to maintain.

See how WiseStamp deploys Outlook signatures without GPO complexity →

FAQ

Yes, but it requires extra work. You need separate GPOs (or complex script logic) for each department, each linked to the appropriate AD OU or security group. A platform like WiseStamp handles department-level signature assignment natively through RBAC and group-based template rules, without separate GPOs.

It depends on the registry key. Setting NewSignature and ReplySignature via GPO assigns the default, but if the user has already selected a different signature in Outlook settings, their selection may take precedence. To reliably reassign, your logon script should overwrite both the file and the registry value on each login.

Only if the machines are domain-joined to on-premises Active Directory in a hybrid configuration. Pure cloud environments where devices are joined to Microsoft Entra ID only cannot use traditional Group Policy. Exchange Online transport rules and third-party platforms are the alternatives for those environments.

No. The new Outlook does not use the legacy %APPDATA%\Microsoft\Signatures folder or the Common\MailSettings registry keys. The GPO and logon script approach only applies to classic Outlook desktop.

Not directly. GPO sets the default signature but does not lock it. Users retain the ability to change or remove their signature in Outlook settings after login. To enforce a non-editable signature, you need a server-side solution or a dedicated email signature platform with field-locking (RBAC) capability.

Update the signature template files on the UNC share. The next time each user logs in, the PowerShell logon script runs, copies the updated files, and reassigns the signature in Outlook. There is no way to trigger an immediate update without each user logging off and back on.

No. Group Policy is a Windows and Active Directory technology. Mac machines do not participate in GPO. Mac Outlook signatures require a separate deployment method, typically a configuration profile via MDM such as Microsoft Intune, or a third-party email signature platform with Mac support.

Nothing. GPO has no effect on OWA. Signatures in OWA are stored in Exchange Online mailbox settings and are not influenced by Group Policy. To standardize OWA signatures, you need Exchange Online transport rules, PowerShell (Set-MailboxMessageConfiguration), or a dedicated signature management platform.

Running it on every login is the safer approach. It ensures that any changes to the signature template or user data in Active Directory are applied automatically without manual intervention per user. If you run it only once, signature updates will not propagate until you force a re-run.

With the logon script method, Outlook does display the signature in the compose window since the file is written to the local Signatures folder. Server-side methods (Exchange transport rules) append the signature after send, so the user never sees it while composing. A client-side Outlook add-in guarantees real-time preview on every device and client.