This blog post will be about setting default app associations, or file type associations, on Windows 10 devices. Starting with Windows 10, version 1703, it’s possible to set the default app associations via Windows 10 MDM. In this post I’ll briefly go through this setting and I’ll show how to configure the setting via Microsoft Intune hybrid and Microsoft Intune standalone. I’ll end this post by showing the end-user experience.
Starting with Windows 10, version 1703, a new setting was introduced that allows an administrator to set the default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. Every sign-in. In other words, the end-user can make adjustments. However, once the end-user signs-out and signs-in again, the default associations will be applied again. This does require the PC to be Azure AD joined.
Get the required information
Let’s start by getting the required information to configure the custom OMA-URI setting. The required OMA-URI setting is available in the Policy CSP.
OMA-URI setting: ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
The required OMA-URI value requires the following steps to get it in the correct format.
|1||On Windows 10, version 1703, navigate to Settings > Apps > Default apps and configure the required default apps;|
|2||Open Command Prompt and run DISM /Online /Export-DefaultAppAssociations:DefAppAss.xml to export a required app associations file;|
Open your favorite Base64 encoder and encode the content of DefAppAss.xml to Base64 format.
In my example I was only interested in switching to Internet Explorer as the default browser and keeping Microsoft Edge as the default for PDF reading. That allowed me to remove all the remaining content from the DefAppAss.xml. Then I used base64encode.org to easily encode the remaining content of the DefAppAss.xml to Base64 format (see screenshot).
|4||The result in Base64 format is the OMA-URI value.|
Configure the setting
After getting the required information, let’s have a closer look at the configuration of the setting. The setting can be used in Microsoft Intune hybrid and Microsoft Intune standalone, by using the configuration guidelines shown below.
Note: This post is based on the custom OMA-URI settings configuration. At some point in time this configuration can come available via the UI of Microsoft Intune standalone and/or hybrid.
Now let’s end this post by having a quick look at the end-user experience. Below on the left is the default Windows configuration and below on the right is the applied policy with the custom app associations. I know that this doesn’t provide a lot of information. However, it does show one important fact, which is that there is nothing preventing the end-user from making adjustments. The end-user can still make adjustments, but those adjustments will be reverted during the next sign-in.
For more information about the Policy CSP, please refer to this article about the Policy CSP.
67 thoughts on “Set default app associations via Windows 10 MDM”
Question on this – I am developing a Guest \ Kiosk style modern managed device – I have set this in our policy to default to Chrome. As I am using the new shared PC Guest account, which generates a new profile on each login, I am not seeing this default being set. Any thoughts?
Why not simply using the KIOSK-mode?
We need the profile to be cleared per use, and the machine to log out after 15mins (client requirements). I am using the new Guest mode with profile management enabled to clear out the local profile on log off. The machine is public use and needs to have many applications available and the machine mostly useable (full office 365 suite installed). If you have any ideas on best accomplishing this I’m all ears 🙂
So are those devices MDM-managed. If not, there are easier ways to set the default associations. See: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/export-or-import-default-application-associations
They are MDM managed – AzureAD \ InTune joined.
Did you cast the content to Base64 form? If so, can you provide some more details about your configuration?
This one works like a charm!
Thank you Peter!
Great to hear, Michel!
How do we set a default site in chrome (its in kiosk mode). We got kiosk mode to work with it adding a chrome shortcut to the desktop but need it to be a specific site.
I would either look at ingesting ADMX-files (https://www.petervanderwoude.nl/post/deep-dive-ingesting-third-party-admx-files/), or using PowerShell script.
Weird problem that I’m running into is that neither the export or if I display them with get-defaultappassociations display the real associated apps. It just returns Edge for PDF and mail for mail.
Not even after a restart?
Is there a way to not just have this applied one? Then leave it to the Users to set the Default Apps?
I would say that it depends on your configuration of the XML.
No, apparently when I used elevated PS it used the admin account’s ‘profile’ which I elevated with, which ofcourse was blank and therefor default.
After making the user, that had the right settings, local admin, it worked.
Thank you for the update, Angelo!
Hi Peter Base64 Encode asks which new line seperator to use (linux or Windows)
Does this affect the OMA URI output?
I haven’t used it recently, but the result is different. So I would think that it differs. I would go for Windows.
It worked like a charm for the Windows. You saved our organization so much headaches. 950+ devices thank you.
Great to hear, Chris!
Great work Peter….been using your solutions to setup and test intune and has helped enormously!…..
Thank you, Wayne!
In the new release it’s now possible to push the XML directly into de Intune MDM without conversion by Bash64. Maybe handy to know 😉
That’s good information, Gerard! Thank you!
This might be a dumb question, but I can’t find the information anywhere as to where this command outputs the .xml file?
I’m not completely sure anymore what the default path is. That being said, you can simply add any custom path that you want.
I am trying this out and I seem to be getting hung up on the export results. I need to make an association for .text files (not .txt files) for excel. We have an application that will only export to .text and not anything useful like .csv… I can make the change on my system, in settings, but i do not see it populate in the list when I either export or just Get-DefaultAppAssociations. Any ideas as to why I cant see this association in the output of my command? Any help would be greatly appreciated, thanks.
Can’t you just add a custom line to the XML?
Thank you so much for sharing such a valuable information.
Could you also please guide about how we can place shortcuts of specific sites in favorites and on desktop so that user can easily access those sites?
That’s not really related to this post, but there are many examples on the web. For some ideas have a look here.
I can’t use above logic to set outlook as default mail client app as you mentioned it is IE but I tried same logic for Outlook. any thoghts
I don’t see why it wouldn’t work. You just need to make sure that app is already installed on the device before trying to apply the policy.
This blog post helped me apply default apps to a fleet of laptops with minimal effort. Thanks for sharing with the community!
Question – would the raw XML output of DISM work as-is without base64 encoding, if the OMI-URI’s value datatype was set to “String (XML)” instead of just “String”?
To my knowledge it still requires the base64 encoding. That’s also still mentioned in the docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults
Really useful post, thank you.
I used this with adobe reader for PDFs. After a reboot however, I found that the app association was reset to edge. On the subsequent reboot though, it changed back to adobe and has been okay since. Is this something you have seen before?
I’ve seen Edge hijacking PDF before, but not recently anymore. What Windows 10 version are you using?
Hi All, can anyone advise where does Windows stores the location for this exported XML file?
You can also specify a complete path. If not, it’s placed with dism.
is there any way to apply the Default App Association only once?
Not by using this method. With this method you can’t control the refresh behavior, as that’s controlled by the CSP. You might want look at something like a custom script.
Thank you for the tutorial. – This one is still up to date?
Is it possible to let the user set the apps “once”?
Yes, this can still be used! What do you mean with your second question?
I applied your technique and it works well, but am noticing something strange on our machines. If users previously had a .URL shortcut on their desktop, when they open it, they get a screen asking them to select a default application, with “Internet Browser” as the primary option.
Any suggestions to prevent this screen if we are already defining the default?
Can you reproduce that behavior when you locally (re-)configured the default browser?
Really appreciate helpful article.
I have one question.
Is it possible to implement like user can change the default apps if they want?
I’d like to set chrome as default for every device, but also have flexibility for users.
That depends on the method that’s used for the configuration. See for some more suggestions: https://docs.microsoft.com/en-gb/archive/blogs/windowsinternals/windows-10-how-to-configure-file-associations-for-it-pros
My app association for .pdf was Acrobat but my pdf files were still marked as Edge, tried restarting a few times and the app association just reverted to Edge.
Any update to fix this?
This was my XML before I encoded it with Base64:
I haven’t seen that behavior recently. What version of Windows 10 are you using?
This was working fine until a few PC’s have now reverted to Chrome instead of Adobe for PDF. Strange that only say 10 out of 50 PC’s are doing this. Any ideas?
Was there an update or other install from Chrome that triggered the behavior?
Nice article for set-default-app. I do have another question on similar track.
For Example, The company laptop is provisioned using Intune (Auto pilot type set up), but the user to whom its assigned is also the local admin so he/she can add/remove softwares etc. What is the best way for Intune to stop the user wiping out the Laptop. is there any way we can implement this via intune so that user can add/remove software but not able to totally wipe the computer.
Are you referring to a wipe via the Company Portal app? If so, that can be configured via Tenant Administration > Customization.
I’m trying to Add another default App association to my existing custom configuration profile, which is for Outlook to be the default mail app, as i have done one for microsoft Edge.
When i try to Add it intune says ‘table already contains this entry’
but even though the name and string are different.
Are you saying that you are trying to add the same uri in the same policy again?
Yes lol. Its ok i worked it out, I just need to update the current one to include other default app associations instead of doing a separate one for each.
That’s great to hear Graeme!
Thanks for this post, Peter. If I’m not mistaken, this will only run one time. Is that correct? We’re finding that the default PDF reader gets switched from Adobe Reader to Chrome or Edge each time one of those apps are updated. Do you know how we could use proactive remediations to accomplish this on an hourly basis instead of just once?
Yes, that sounds like a common complaint about those apps. That suggestion could work when directly addressing the related registry keys.
I now implement the default apps and with that I have also determined that Adobe Reader DC should always open the extension .pdf but it does not do this and keeps returning it to Microsoft Edge as the default application – In the .xml file it is well marked. anyone have an idea how to solve this?
Do you always see this behavior or only after an update to Edge?
No after every reboot / resync of the policy.
I’ve seen that behavior a lot with Microsoft Edge, as it’s known for that behavior, but not after every reboot/resync. Are you sure there are not other configurations that are forcing the use of Edge?
Great post as always.
We have this working well with PDF files. But today we tried adding a second Intune Configuration Policy to add some other defaults for another program (and assigned to another group). We are finding if a device happens to have the two policies assigned, the second one fails with a policy conflict. The 2 xml inputs we are using do not have the same file extensions refenced, so I was expecting them to cumulatively add the default file extensions but seems this is not the case. Is this policy limited to one instance per device?
We don’t really want to combine the 2 policies as they target different device groups.
To my knowledge this setting doesn’t merge multiple XMLs.