Why does Outlook still prompt for an old Exchange certificate after migration?

Outlook may still be using cached or legacy Autodiscover methods that point to the previous on-prem Exchange endpoint.

Is this issue caused by Microsoft 365 itself?

Usually no. The prompt is commonly caused by legacy discovery paths or old DNS/cached profile behavior, not by Exchange Online certificates.

What is the quickest way to confirm the fix worked?

Restart Outlook and verify no certificate warning appears, then test profile autodiscover and mail send/receive for the affected user.

Security Alert When Opening Outlook After Moving to Microsoft 365

Summary: Fix Outlook certificate warnings caused by old on-prem Exchange Autodiscover lookups after migrating to Microsoft 365.

Issue summary

After migrating mailboxes from on-prem Exchange to Microsoft 365, some users can still get this warning when opening Outlook:

Security Alert
Certificate has expired
Server name similar to mail.fastworld.co.uk

This usually means Outlook is still trying old Autodiscover paths from the previous Exchange environment.

Why this happens

Outlook uses several Autodiscover methods to find mailbox settings.
In co-existence or post-migration scenarios, Outlook may continue using cached or legacy discovery methods and contact an old on-prem endpoint.

If that old endpoint uses an expired certificate, users see a security prompt at startup.

Fix (per-user registry keys)

Apply the following keys for the signed-in user:

Registry path:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Autodiscover

DWORD values:

ExcludeLastKnownGoodUrl = 1
ExcludeScpLookup = 1
ExcludeExplicitO365Endpoint = 0

What these do:

ExcludeLastKnownGoodUrl=1 prevents Outlook from reusing a cached legacy endpoint.
ExcludeScpLookup=1 skips Active Directory SCP lookups to old on-prem Exchange.
ExcludeExplicitO365Endpoint=0 allows Outlook to continue using Microsoft 365 endpoint discovery.

PowerShell method (recommended for support teams)

Run in user context (or deployment tool targeting HKCU):

$regPath = "HKCU:\Software\Microsoft\Office\16.0\Outlook\Autodiscover"

if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

New-ItemProperty -Path $regPath -Name "ExcludeLastKnownGoodUrl" -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $regPath -Name "ExcludeScpLookup" -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $regPath -Name "ExcludeExplicitO365Endpoint" -PropertyType DWord -Value 0 -Force | Out-Null

Write-Host "Autodiscover registry values applied successfully."

Manual Registry Editor method

Open regedit.
Go to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Autodiscover.
Create/update these DWORD (32-bit) values:
- ExcludeLastKnownGoodUrl = 1
- ExcludeScpLookup = 1
- ExcludeExplicitO365Endpoint = 0
Close Registry Editor.
Fully close and reopen Outlook.

Validation steps

After applying the keys:

Launch Outlook and confirm the certificate warning is gone.
Hold Ctrl and right-click Outlook in system tray -> Test E-mail AutoConfiguration.
Verify Autodiscover resolves to Microsoft 365 endpoints, not old on-prem hostnames.

If needed, also clear old Outlook profiles on affected pilot devices and recreate profile against Exchange Online.

Rollout notes

This is a user-profile setting (HKCU), so apply per user.
Use Intune, Group Policy Preferences (user hive), or login script for scale.
Test with a pilot group before broad rollout.

Conclusion

When Outlook still references old Exchange Autodiscover paths after a Microsoft 365 migration, expired on-prem certificates can trigger startup security alerts.

Setting the three Autodiscover registry values above is a practical way to force Outlook toward modern Microsoft 365 discovery and stop the recurring prompt.