In enterprise environments, default applications are not a cosmetic preference — they are a control mechanism. Left unmanaged, Windows devices quickly drift into inconsistent states where PDFs open in random viewers, web links launch insecure browsers, and email files default to consumer apps users installed themselves.
From real-world Intune deployments, unmanaged default apps are a common source of:
- User confusion and productivity loss
- Increased helpdesk tickets (“Why did my PDF open in Chrome?”)
- Security gaps (file types opening in unapproved software)
- Compliance issues in regulated environments
Microsoft Intune provides a policy-driven, scalable, and repeatable way to standardise default apps across Windows 10 and Windows 11 devices — but only if implemented correctly.
This guide walks through how it actually works, what Microsoft doesn’t clearly explain, and how to avoid the most common mistakes.
How Windows Handles Default Apps (Important Context)
Before touching Intune, it’s critical to understand how Windows manages default apps internally.
Windows does not allow administrators to forcibly change default apps after a user has already set them — at least not without wiping or reprovisioning the device. Instead:
- Default app associations are applied:
  - During first user sign-in
  - During Autopilot / OOBE
  - When a device is freshly enrolled and no user overrides exist
This design is intentional and user-protection driven. Intune respects this behaviour.
Real-world takeaway: Default app policies are preventative, not corrective. They work best when deployed early in the device lifecycle.
When You Should Use Intune to Configure Default Apps
Configuring default apps via Intune is ideal when:
- Deploying Autopilot devices
- Onboarding new users or refreshing devices
- Standardising environments in zero-trust or locked-down enterprises
- Enforcing approved browsers, PDF readers, or media players
- Reducing helpdesk noise caused by inconsistent file handling
It is not ideal for retroactively changing defaults on long-lived, user-customised devices.
Step 1 – Prepare a Reference Device (This Step Is Critical)
The reference device defines the future experience of every device you target — mistakes here propagate everywhere.
Best Practices for the Reference Machine
From enterprise experience:
- Use Windows 10 or 11 matching your production build
- Ensure all required applications are installed
- Avoid test or beta versions of software
- Use vendor-supported installers (MSI where possible)
Configure Your Desired Defaults
On the reference device:
- Open Settings
- Navigate to Apps → Default apps
- Configure defaults for:
  - Web browser (e.g. Microsoft Edge)
  - Email client
  - PDF viewer
  - Media players
  - Common file types used internally
⚠️ Do not skip this: Windows only exports associations that currently exist. If the app isn’t installed, it won’t appear in the XML.
💡 Tip: Ensure the reference machine has all required applications installed before setting them as defaults.
Step 2 – Export the Default App Associations XML
To apply default apps via Intune, you first need to export the configuration to an XML file.
- On the reference PC, open Command Prompt as Administrator.
- Run the following command:
Dism /Online /Export-DefaultAppAssociations:"C:\DefaultApps.xml"
- The file DefaultApps.xml will be created in C:\.

What Most Guides Don’t Tell You
- The XML is case-sensitive
- Invalid or unsupported ProgIDs will cause the policy to silently fail
- You should review and clean the XML before deployment
💡 Expert tip: Remove unnecessary file types to reduce policy size and complexity. Less is more.
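One way to do that review before deployment, as an added example that is not part of the original guide or any Microsoft tooling: the PowerShell function below trims the export to an approved list and reports entries likely to make the policy fail. The function name, the allow-list and the sample ProgIDs are assumptions, and "registered" is taken to mean that a key of that name exists under HKEY_CLASSES_ROOT on the reference device.

```powershell
# Added example (not from the original guide). Run it on the reference device,
# where the approved apps are installed, so the ProgID lookups are meaningful.
function Test-DefaultAssociations {
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [Parameter(Mandatory)][string[]]$Keep     # identifiers you intend to manage
    )
    $doc      = [xml]$XmlText
    $problems = [System.Collections.Generic.List[string]]::new()
    $seen     = @{}

    # XPath and attribute names are matched case-sensitively, like the policy XML.
    foreach ($a in @($doc.SelectNodes('/DefaultAssociations/Association'))) {
        $id     = $a.GetAttribute('Identifier')
        $progId = $a.GetAttribute('ProgId')

        if ($Keep -cnotcontains $id) {             # trim anything you do not manage
            [void]$a.ParentNode.RemoveChild($a)
            continue
        }
        if ($seen.ContainsKey($id)) { $problems.Add("Duplicate entry for '$id'") }
        $seen[$id] = $true

        if (-not $progId) {
            $problems.Add("'$id' has no ProgId attribute (check spelling and case)")
        }
        elseif (-not (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId")) {
            $problems.Add("'$id' -> ProgId '$progId' is not registered on this device")
        }
    }
    foreach ($id in $Keep) {
        if (-not $seen.ContainsKey($id)) { $problems.Add("No association exported for '$id'") }
    }
    [pscustomobject]@{ Problems = $problems; CleanedXml = $doc.OuterXml }
}

# Constructed sample standing in for C:\DefaultApps.xml; the ProgIds are illustrative.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".pdf" ProgId="Example.PdfViewer.1" ApplicationName="Example PDF Viewer" />
  <Association Identifier="https" ProgID="Example.Browser" ApplicationName="Example Browser" />
  <Association Identifier=".3gp" ProgId="Example.Media" ApplicationName="Example Media Player" />
</DefaultAssociations>
'@

$result = Test-DefaultAssociations -XmlText $sample -Keep '.pdf', 'https', 'mailto'
$result.Problems      # one line per issue; an empty list means the file is ready
```

Against the real export, pass `(Get-Content -LiteralPath 'C:\DefaultApps.xml' -Raw)` as `-XmlText` and use `CleanedXml` only once `Problems` is empty.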
Step 3 – Create a Device Configuration Profile in Intune
- Log in to the Microsoft Intune admin center.
- Go to Devices → Configuration profiles.
- Click + Create profile.
- Select:
  - Platform: Windows 10 and later
  - Profile type: Templates → Custom
- Click Create.

Step 4 – Add the Custom OMA-URI Setting
- Name the profile (e.g., Windows Default Apps).
- Under Configuration settings, click Add.
- Fill in:
  - Name: Default App Associations
  - OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration
  - Data type: String
  - Value: Paste the entire XML content from your DefaultApps.xml file.

Step 5 – Assign the Profile to Devices or Groups
Device vs User Assignment
From real-world deployments:
- Device-based assignment is strongly recommended
- User-based assignment can behave inconsistently with shared devices
Best Practice Assignment Targets
- Autopilot device groups
- Newly provisioned devices
- Specific hardware models or departments
Avoid assigning to “All Devices” unless you fully understand the impact.
Step 6 – Sync and Validate (Don’t Skip Validation)
On a test device:
- Go to Settings → Accounts → Access work or school
- Select the organisation account
- Click Info → Sync
How to Confirm It Worked
- Open Settings → Apps → Default apps
- Verify file associations are locked and pre-configured
- Attempt to open common file types (PDF, HTML, mailto)
If defaults did not apply:
- Check Intune Device status
- Review MDM diagnostics
- Confirm the device was not previously customised
Known Limitations (That Catch Teams Off Guard)
User Overrides Still Apply
If a user has already chosen a default, Intune will not override it.
Browser Defaults Are Special
Modern Windows versions heavily protect browser defaults. Some prompts are unavoidable.
OS Version Compatibility
- Supported on Windows 10 1709+
- Fully supported on Windows 11
- Behaviour may vary between feature updates
Troubleshooting Common Issues
| Issue | Likely Cause |
|---|---|
| Policy shows “Succeeded” but nothing changes | User already set defaults |
| XML applies on some devices but not others | OS version mismatch |
| App not listed in defaults | App not installed at export time |
| Policy fails silently | Invalid ProgID |
Real-World Recommendations From the Field
From managing large Intune estates:
- Pair default app policies with Autopilot
- Document your default app strategy internally
- Re-export XML after major app upgrades
- Test every Windows feature update
- Keep default app scope minimal
Default apps should support productivity — not become a control battle with users.
Final Thoughts: Treat Default Apps as Part of Device Identity
Configuring Windows default apps via Intune isn’t about control — it’s about predictability, security, and user experience.
When done properly, default app management:
- Reduces onboarding friction
- Improves security posture
- Cuts support overhead
- Creates consistent, professional environments
When done poorly, it creates frustration and mistrust.
The difference is planning, timing, and precision.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
