Frequently Asked Question
Set Default Browser with Group Policy
Last Updated 21 hours ago
Set Default Browser with Group Policy
How to set a default web‑browser for domain‑joined PCs using Group Policy
Below is a step‑by‑step walkthrough that expands on the outline you posted. It includes the prerequisite tasks, the exact GPO settings, how to create the default‑associations.xml file, and tips for testing and troubleshooting.
1. Prerequisites
| Requirement | Why you need it | How to verify |
|---|---|---|
| Domain controller (or a workstation) with the Group Policy Management Console (GPMC) installed | GPMC is the only supported tool for creating and editing GPOs. | Run gpmc.msc from a Run box – the console should open. |
| Administrative rights | You must be a member of Domain Admins, Enterprise Admins, or have the Edit Settings permission on the target OU. | Check your group membership in Active Directory Users and Computers (ADUC). |
| Windows 10 1809 or later (or Windows 11) on the client PCs | The “Set a default associations configuration file” policy is only honoured on these OS versions. | Run winver on a client to confirm. |
| A default‑associations XML file that lists the browser you want as default (e.g., Microsoft Edge, Google Chrome, Firefox). | The GPO only points to a file; the file must contain the correct <FileAssociation> entries. |
Create the file first – see step 3. |
2. Create the default‑associations.xml file
- Open a text editor (Notepad, Visual Studio Code, etc.) on any machine that can write to a shared network location.
- Paste the following skeleton, then replace the values with the ProgID of the browser you wish to set as default.
<?xml version="1.0" encoding="utf-8"?>
<DefaultAssociations>
<!-- Example for Microsoft Edge -->
<Association Identifier=".html" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
<Association Identifier=".htm" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
<Association Identifier="http" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
<Association Identifier="https" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
</DefaultAssociations>
If you want Chrome instead, replace the ProgId with ChromeHTML (or the value shown by dism /online /Export-DefaultAppAssociations).
- Save the file with a .xml extension, e.g.
DefaultBrowser.xml. - Place the file in a shared folder that is reachable by every domain‑joined PC, for example:
\\FILESERVER\GPOShare\DefaultBrowser.xml
- Ensure the share permissions allow Read for Domain Computers (or Authenticated Users).
- Use a UNC path; local drive letters are not reliable for GPO processing.
3. Create or edit the GPO
| Action | Detail |
|---|---|
| Open GPMC | Click Start → Group Policy Management or run gpmc.msc. |
| Choose where the GPO lives | Typically you link it to an OU that contains the target computers (e.g., OU=Workstations,DC=contoso,DC=local). |
| Create a new GPO (if you don’t already have one) | Right‑click the OU → Create a GPO in this domain, and Link it here… → give it a descriptive name such as Set Default Browser. |
| Edit the GPO | Right‑click the new GPO → Edit. This opens the Group Policy Management Editor. |
| Navigate to the setting | Computer Configuration → Policies → Administrative Templates → Windows Components → File Explorer. |
| Configure the policy | <ul><li>Find Set a default associations configuration file.</li><li>Double‑click it, select Enabled.</li><li>In the Options box, type the UNC path to your XML file, e.g. \\FILESERVER\GPOShare\DefaultBrowser.xml.</li></ul> |
| Apply and close | Click OK, then close the editor. |
4. Force the policy to take effect
| Method | How to run |
|---|---|
| Automatic (next logon/reboot) | The configuration file is processed the first time the computer starts after the GPO is applied. |
| Manual testing | On a client, open an elevated Command Prompt and run: <br>gpupdate /force <br>shutdown /r /t 0 (or simply reboot). |
| Check the result | After reboot, open Settings → Apps → Default apps – the browser you specified should be listed as the default for HTTP, HTTPS, .html, .htm, etc. |
5. Common pitfalls & troubleshooting
- Wrong UNC path or insufficient permissions – The client will silently ignore the policy. Verify access with
dir \\FILESERVER\GPOSharefrom the client. - Incorrect ProgID – Use
dism /online /Export-DefaultAppAssociationson a correctly configured machine to see the exact ProgID values. - Policy not linked – Ensure the GPO is linked to the correct OU and that inheritance is not blocked.
- Conflicting GPOs – If another GPO also configures the same setting, the one with the higher precedence (lower link order) wins. Use the Resultant Set of Policy (RSoP) or
gpresult /h report.htmlto see which GPO is applied. - Windows version too old – The setting is ignored on Windows 7/8 or on Windows 10 versions earlier than 1809.
6. Quick checklist before you roll out
- [ ] XML file created and stored in a read‑only share.
- [ ] UNC path entered correctly in the GPO.
- [ ] GPO linked to the appropriate OU and enabled.
- [ ] No higher‑precedence GPO overrides the same setting.
- [ ] Test on at least one workstation (run
gpresult /rto confirm the GPO is applied).
TL;DR
- Create a
default‑associations.xmlfile that maps.html,.htm,http, andhttpsto the desired browser’s ProgID. - Place the file on a network share with read access for all computers.
- Open GPMC, create (or edit) a GPO, and enable Computer Configuration → Administrative Templates → Windows Components → File Explorer → Set a default associations configuration file.
- Enter the UNC path to the XML file, apply, and force a GP update or reboot the client PCs.
Following the steps above will ensure every domain‑joined computer automatically adopts the browser you specify as its default. If you run into any issues, refer to the troubleshooting table or contact your IT support team for further assistance.
