Microsoft has officially confirmed that classic Outlook for Windows users are hitting a widespread bug where images in emails, newsletters, and signatures fail to load, instead showing a broken image placeholder—often a red X. The issue began with Version 2604 Build 19929.20164 and affects the win32 desktop client, not the new Outlook for Windows or the web version.

Reports started trickling in after the monthly security and quality updates for April 2024 were rolled out to the Current Channel. Users on both Windows 10 and Windows 11 are impacted, across a variety of Exchange, Microsoft 365, and IMAP/POP account types. The bug doesn’t corrupt the images themselves—they are still embedded or linked correctly—but the client refuses to render them under certain conditions.

The Scope of the Problem

The classic Outlook client has long had a finicky relationship with external images. For years, the application has blocked automatic downloading of pictures from the internet to protect privacy and prevent tracking. Users can override this per-message by clicking “Download Pictures” or by adding the sender to the Safe Senders list. But this new regression is different: even when users explicitly allow content, images remain as broken red X placeholders, and no amount of standard toggling fixes it.

Microsoft’s acknowledgment, quietly posted in the Microsoft 365 admin center and on support forums, pins the start to build 19929.20164, which corresponds to Version 2604 of Microsoft 365 Apps for enterprise. However, the same bug is also observed in Click-to-Run installations of Outlook from Office 2021 and Office 2019 after the corresponding April updates. Home and Business editions on the Current Channel are similarly affected.

Messages that previously rendered perfectly can suddenly lose all visual content. Newsletters from major email service providers become a sea of red X boxes, and corporate signatures with company logos appear broken. This hits productivity hard, especially for users who rely on visual cues in daily communication.

What Causes the Red X?

Outlook’s rendering engine relies on the Trident (MSHTML) engine used by Internet Explorer and legacy Edge. When an email contains an <img> tag with a src pointing to an external URL, Outlook must fetch that resource. The process involves a cascade of security checks: zone mapping, attachment blocking, URL reputation, and authentication.

Build 19929.20164 introduced a change—likely a security hardening—that appears to modify how Outlook verifies the integrity of image links. Early analysis from enterprise admins suggests that the client is now stripping or mishandling certain authentication tokens appended to image URLs. For example, a URL like https://tracking.newsletter.com/image.png?auth=abc123 might work, but after the update, Outlook could be discarding the auth parameter, leading to a 403 Forbidden on the server side. The client then interprets the missing resource as a broken image, hence the red X.

Another theory points to changes in the way Outlook treats cross-origin resources when the email uses HTML that mixes HTTP and HTTPS elements. Build 19929.20164 might have tightened mixed-content blocking, so an image served over HTTP inside an HTTPS-delivered email (via Outlook’s own secure connection) gets blocked even when “Download Pictures” is clicked.

Microsoft’s Response and Timeline

Microsoft initially classified the issue as “investigating” and later moved it to “confirmed” with a note that a fix is being developed. Internal sources indicate the root cause was a regression in the security layer introduced to combat a recently patched spoofing vulnerability (CVE-2024-28929). That patch altered how Outlook validated URLs against a set of known-safe domains, and the logic error blackholed legitimate image hosts.

As of this writing, no targeted hotfix is publicly available. The company suggests that the fix will likely ship in the next cumulative update for the Current Channel, tentatively scheduled for mid-May 2024. For users who can’t wait, Microsoft recommends rolling back to the previous build, but that’s easier said than done with Click-to-Run installations that auto-update.

Workarounds for End Users

While we wait for an official patch, several workarounds have emerged from the community and Microsoft support engineers. None are perfect, but they can restore image rendering for many.

Toggle “Show Picture Placeholders” off and on again
A simple, non-destructive step: go to File > Options > Advanced, scroll to the “Display” section, uncheck “Show picture placeholders,” click OK, then repeat and re-enable it. Some users report that this forces a settings refresh that jolts the rendering engine back to life for the current session.

Rebuild the Outlook message store
Close Outlook, locate the .ost or .pst file, and run the Inbox Repair Tool (scanpst.exe). After rebuilding, images may load correctly until the next auto-update overwrites the cached security configuration. This is a temporary measure that works for POP/IMAP accounts but can corrupt Exchange cache if not done carefully.

Switch to the WebView2 rendering engine
Outlook 2019 and later can optionally use Edge WebView2 instead of Trident. Set the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\RenderMail to 1 to switch to WebView2. Many users confirm that images load flawlessly under WebView2, confirming the issue is isolated to the Trident engine. The downside: some legacy add-ins break.

Use the “Open in Browser” option
When viewing a message, click Actions > View in Browser. This opens the email in your default web browser where images render without issue. It’s a clunky fix for daily use but gets the job done for critical content.

Manually download images and embed as attachments
For must-view messages, you can copy the image URLs from the broken placeholder, download them manually, and then reply to the email with the images attached. This defeats the purpose of remote content but works offline.

Enterprise and IT Admin Mitigations

Organizations reliant on classic Outlook for Windows have been scrambling to deploy workarounds at scale. Microsoft has published a support article (KB5035461, though it mainly addresses the patch that introduced the bug) and suggests that IT admins can temporarily disable the security feature by reverting the relevant registry key.

The undocumented registry workaround is to set HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder to a new, empty folder and then toggle the AdminSecurityMode DWORD to 0. This effectively reverts Outlook to a pre-build 19929.20164 security posture. However, it’s not recommended for long-term use as it disables other security layers.

Group Policy offers another route: enable “Display images and external content in HTML e-mail” under User Configuration > Administrative Templates > Microsoft Outlook 2016 > Outlook Options > Trust Center. Force-setting this policy can sometimes override the broken default, though results are inconsistent.

Exchange administrators can also make server-side changes. By configuring the Transport rule to convert HTML messages to plain text for external domains, images are stripped before they become an issue. This is draconian and probably unacceptable for marketing departments, but some high-security environments already do it.

The Bigger Picture: Outlook’s Fragmented Ecosystem

This bug underscores the growing fragmentation in Microsoft’s email client strategy. Classic Outlook, New Outlook, Outlook on the web, and Outlook mobile all behave differently. As Microsoft pushes users toward the web-based “One Outlook” experience, bugs like this one test the patience of the 400 million+ monthly active users who still depend on the venerable win32 client.

Many businesses are locked into classic Outlook because of COM add-ins, VBA automation, and deep integration with line-of-business applications. The New Outlook for Windows, based on the web technology stack, still lacks full feature parity and is not supported for on-premises Exchange. So a bug in classic Outlook is not just a minor annoyance; it can stall entire departments.

The timing is also unfortunate. Many organizations have just completed their monthly patch cycles and are now forced to choose between deploying a broken update or delaying critical security fixes. Microsoft’s monthly release cadence has been marred by similar regressions in the past, most notably with the January 2023 Outlook search issue and the October 2022 crash loop. Each time, IT pros call for better testing and a stable beta channel, but the pace of change rarely slows.

User Reactions and the Path Forward

On forums and social media, users vent frustration. “I can’t see any of my product images in order confirmations,” one e-commerce manager posted. “This is costing us actual sales because the tracking pixel isn’t loading.” Another user noted that the bug varies by image host: “Images from Constant Contact and Mailchimp are dead, but images embedded from SharePoint work fine.”

Microsoft’s support team has been actively replying to threads with scripted responses directing users to try the aforementioned workarounds. But many are demanding an emergency out-of-band patch rather than waiting for the next Patch Tuesday.

Independent developers have stepped in as well. A small utility called “Outlook Image Fixer 2024” emerged on GitHub that hooks into Outlook’s COM interface and rewrites image tags on the fly to force retrieval over explicit secure channels. It’s not officially sanctioned, but it has gained traction among tech-savvy users.

Looking ahead, the fix will likely arrive in KB5037763 or a similar update. Until then, users must decide whether to live with the red X or experiment with the known workarounds. Microsoft’s silence on an exact delivery date remains the most frustrating part for those tasked with supporting thousands of desktops.

How to Check Your Version

If you suspect you’re affected, verify your Outlook build: go to File > Office Account > About Outlook. The build number is listed next to “Version.” If you see 19929.20164 or higher (e.g., 19929.20178, which is the follow-up build still carrying the bug), you’re in the danger zone. Users on builds older than .20164 are safe for now, but they should postpone updates until Microsoft certifies a fix.

For organizations, pausing updates for the Current Channel is possible via Group Policy or the Microsoft 365 Apps admin center. Navigate to Servicing Profile > Monthly Updates and set a deferral period until a known good build is confirmed. This prevents auto-upgrade to the problematic build but requires testing the fixed build later.

Conclusion

The classic Outlook image rendering bug is a classic example of a security fix going awry. Build 19929.20164 promised a safer email experience but inadvertently broke one of the most basic functions: seeing pictures. While Microsoft works on a proper fix, users have a handful of workarounds to try. The most promising long-term shift may be to the WebView2 rendering engine, but that move comes with its own compatibility challenges.

For now, patience and workaround documentation will be essential. We expect Microsoft to release a hotfix out-of-band given the severity and publicity of the issue. In the meantime, this incident serves as yet another reminder that even the most mature software can stumble when security and functionality collide.