In enterprise environments, controlling the default browser ensures consistent user experience, secure browsing standards, and compatibility with internal web applications. Instead of manually configuring systems one by one, administrators can use default browser GPO settings to enforce a browser across domain-joined computers.
This guide explains how to configure a GPO to set a default browser using Group Policy Management Console (GPMC), PowerShell, and ManageEngine ADManager Plus.
Before configuring a GPO to set the default browser using GPMC, PowerShell, or ADManager Plus, you need the following:
Note: You can skip the reference XML if you wish to set Google Chrome as your default browser. Instead, you can download the group policy templates for Google Chrome and use that XML.
A default app associations XML is an exported configuration file from Windows that contains the list of default applications in the Windows machine it's exported from. This can be imported to other machines using GPOs to apply the same default app configurations as the source machine. Configure the default browser on a reference machine, export the associations XML, and reuse that file for matching deployments.
You can create a default app associations XML by following these steps:
Dism /Online /Export-DefaultAppAssociations:C:\DefaultBrowser.xml
Use the following PowerShell script to set the default browser by pointing the GPO to a centralized XML configuration file:
Import-Module GroupPolicy
$gpoName = "Set Default Web Browser"
$targetOU = "OU=Workstations,DC=yourdomain,DC=com"
$xmlPath = "\\YourServer\Share\AppAssoc.xml"
# Create and Link GPO if it doesn't exist
if (!(Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $targetOU -ErrorAction SilentlyContinue
# Set the path for the default associations configuration file
Set-GPRegistryValue -Name $gpoName `
-Key "HKLM\Software\Policies\Microsoft\Windows\System" `
-ValueName "DefaultAssociationsConfiguration" `
-Type String `
-Value $xmlPath
While powerful, relying solely on PowerShell and GPMC for delegation can present several challenges:
ADManager Plus, an AD management and reporting solution, helps admins perform GPO management tasks with a script-free, easy-to-use interface.
Export XML from a properly configured reference machine: Always set the desired default browser on a clean, fully configured machine before running the DISM export command to ensure the XML captures accurate app associations.
Communicate per-logon reapplication behavior to users: The default associations policy reapplies at every logon, reverting any manual browser changes users make during their session.
Install browser ADMX templates only when needed: The built-in administrative templates are sufficient for setting the default browser. Only install Chrome or Edge ADMX templates if you need to manage browser-specific settings like homepages or managed bookmarks.
This often happens if the XML file is formatted incorrectly or if the user is not a member of the domain at the time of logon. Ensure the XML is exported using the DISM tool on a reference machine that has the desired browser set correctly.
Yes. You can create separate GPOs with different XML files and link them to specific OUs (e.g., Chrome for the dev OU and Edge for the finance OU).
For the basic Set a default associations configuration file, you only need the built-in administrative templates. However, to configure specific features like a home page or managed bookmarks, you must install the specific ADMX templates for that browser.
The Set a default associations configuration file policy is enforced at every logon. While a user might change the setting during their session, it will revert to the GPO-defined default the next time they sign in.