Windows 8: Associate a file Type or protocol with a specific app using GPO (e.g:default mail client for MailTo protocol)

For my first post I have chosen a topic  that I have seen lots of “buzz” out there but no clear information on how to implement it in win8
Its common knowledge that  You can associate a file type or protocol with a  specific program/app using the default programs < Control Panel\Programs\Default Programs>


However this is not practical  if you want to establish the same settings for several machines.

In  Pre-Win 8, apps could set the default handler for a file type/protocol by manipulating the registry, this means you could easily have a script or a group policy manipulating the registry.
For example  for Mailto protocol you just needed to change the “default” value under HKEY_CLASSES_ROOT\mailto\shell\open\command

However In Win 8, the registry changes are verified by a hash (unique per user and app)  that detects tampering by apps. In the absence of a valid hash, we ignore the default in the registry.

Microsoft  have  introduced a new GP mechanism for declaring these defaults in Win 8 to accommodate this type of scenario. The basic idea is to have an xml file that maps programs to the file type/protocol that they should be the default for.
First you create your XML file or export it from a machine using DISM (

Then you use the  new Windows 8  group policy that enables you to set the association for file types and protocols:
Computer configuration\administrative templates Windows Components\File Explorer\ Set a default associations configuration file
This policy specifies the path for the XML  file that can be either stored locally or on a network location.

Note : using DISM to import the XML  is not enough you still have to link it to the GPO.

Note2:Bear in mind that the machine needs to be domain-joined and the associations are applied at logon time!

Q:I've tried this to set the mailto protocol association to outlook. But DISM doesn't show the value in the export. Anybody know a fix for that?
A:if the Program/Extension/Protocol is not present in the XML export, then you  need to first manual enable the association  Before running DISM. 

Q:Does this process work without having to re image a machine?
A: Yes.




Comments (58)

  1. Hi Guys, I´m now back to the office and I was finally able to test it, and it works fine, just bear in mind that the machine needs to be domain joined otherwise the policy will not Work.

  2. dude -d says:

    So to script something simple like a file type program association, there is seriously no easier way than having to do this?

  3. Anonymous says:

  4. Thank you, good to know that this is a possibility via group policy!

  5. Hi guys, Sorry for not answering before but I have been AFK for the last 6 months and will only be able to do any further tests in February.

  6. Asnwering a couple of questions:
    Q:I’ve tried this to set the mailto protocol association to outlook. But DISM doesn’t show the value in the export. Anybody know a fix for that?
    A:if the Program/Extension/Protocol is not present in the XML export, then you need to first manual enable the association Before running DISM.

    Q:Does this process work without having to re image a machine?
    A: Yes.

  7. JohnTaylor says:

    Thank you very much!

  8. Frank says:

    Export dism command line does not work.

    ERROR: 87   -> Option "export-defaultappassocations" is unknown

    Any hints ?

  9. click-click says:

    I can't get this working. I ran a small test with the following xml on an online system, but later when I select a .bmp file, Win8 still wants to start the metro app instead of the desktop app. There seems to be more to it than this.

    dism /Online /Import-DefaultAppAssociations:Z:$W8i$W8-Deploytest.xml

    <?xml version="1.0" encoding="UTF-8"?>


     <Association Identifier=".bmp" ProgId="Paint.Picture" ApplicationName="Windows Photo Viewer" />


  10. click-click says:

    BTW, I  enabled the appropriate  gpo entry and placed the test.xml in c:windowssystem32

  11. Jason says:

    I have noted in several articles that this/these processes only apply when imaging machines. Does this process work without having to re image a machine? In some cases this cannot be done due to multiple machine types, so not practical. I need to be able to set these defaults for all users on EXISTING Windows 8 machines, not fresh clean images that haven't gone on a machine.

  12. David says:

    I've tried this to set the mailto protocol association to outlook. But DISM doesn't show the value in the export. Anybody know a fix for that?

  13. stefano says:

    Well isn't this SO MUCH MORE DIFFICULT!

    This is not a "new" feature, this is a headache! Where has the granular control of individual file associations gone? This is a blanket approach and has no flexibility. This is the current workaround for GPP not working anymore with Windows 8. Thanks for REMOVING functionality, MS.

  14. MattBlank says:

    Just Thank you! Thank you so much. This is a hard one until you find your informations…!

  15. MattBlank says:

    Just one thing to add: Be sure not to run the export with some "runas /user:domainadmin dism …"-type of command because that would export the file-associations for your domainadmin instead of the user you just set them. Might be logical to most of you but could also help some people like me who do it wrong the first time. (Make you user admin for the export).

  16. rochelle says:

    Has anyone managed to get this to work yet? I tried it and while I found that the DefaultAssociationsConfiguration registry key did get updated with the path to my XML file, it had no impact on what is showing in Default Programs on my test Windows 8.1 computer. (Oh, and the corresponding "policy mode" in the registry key did somehow get set to "2", which I understand translates to "replace".)  Was this whole process supposed to result in changes showing in Default Programs, or are the file associations from my XML file now set elsewhere in the registry, thereby overriding what shows in Default Programs?  What was supposed to have happened as a result of applying this group policy?  I put a lot of work into compiling a comprehensive XML file so that our users will have a smooth transition to Windows 8.1, and while this appears to be an efficient method of controlling file associations, personally I've found it to be a lot of work and very frustrating.

  17. Dan_IT says:

    Doesn't appear to work with 8.1 🙁  Have you noticed the same?  

  18. djcabrera says:

    This does not work with Windows 8.1 – is there anyone that may confirm it works using another method? Many thanks.

  19. Anonymous says:

    Pingback from how to programmatically reassign jpg file type? |

  20. Anonymous says:

    Pingback from how to programmatically reassign jpg file type? |

  21. Anonymous says:

    Pingback from how to programmatically reassign jpg file type? |

  22. Gert says:

    It does work with Windows 8.1 Maybe you're doing something wrong?

  23. Asbach says:

    It doesn’t work With Win 8.1 (64 Bit). Assoc.xml – File looks fine, is stored locally, but Win still annoys with ignoring any changes. Even if the users choose file types manually, this isn’t stored for the next session…

  24. Frank says:

    doesnt work here either, using windows 8.1

  25. Sebastian says:

    Just for your information – when I put the XML file in a network path it doesn’t work. Now I’ve stored it in a local path of the client and then it works as described. (We’re using it for VMware View virtual Desktops).

  26. Chris says:

    Great info, been looking for solution to apply to all users in domain environment. However, when setting .jpg file extension to open with Office 2010 picture manager in extensions .xml file that is exported it uses MS Paint when users have normal permissions. BUT, it user is included in local administrator group or domain administrator permissions it uses Office 2010 Picture Manager.

    Any idea / suggestions how I can apply these file extensions to users with standard permissions?

  27. Jason says:

    Let’s say that the machine is not joined to a domain. Could I still run the export DISM command using an admin user? Currently, when we image a computer, it automatically logs into the built in Administrator account and runs a script on first boot to setup
    various things that Sysprep destroys during the OOBE sequence. Could we simply add the export DISM command to the setup script so that new users get the defaults? I mean, the export DISM does change the default profile, right? Or does it only change the current

  28. Herman says:

    We need to enable Mailto for Outlook, instead of the Mail-client in Windows 8.1. Got it working by following these four steps:

    1. Export settings with DISM
    2. Edited the .xml to remove all other file Associations beside the on for Outlook.

    3. Set the Policy in the local GPO
    4. Imported the settings with DISM.
    Now the only problem is to figure out how to do this domain wide for all our customers. Would you people first copy the .xml file with GPO and then set the location to point to that location?

  29. Force the configuraiton says:

    The problem is, that this only applies to users first time loggin on. We use W2K12 Terminalserver and I’m looking for a way to force a special program for a user each time they logon. For example we have PDF Viewer and Acrobat . I need to set the programm
    usage depending on AD Groups.. impossible with this stupid user hash.. Any Ideas would be welcome..

  30. Paul M says: may be the answer. I am looking for an answer to this myself, the article says app defaults can be set at build time. Yet to
    try this myself as we are also having intermittent issues with MailTo from a webpage opening the Windows Mail Client and not Outlook 2013.

  31. Hypothetical says:

    Shouldn’t we get the same behavior if we deploy preferences: PoliciesUser configurationPreferencesControl PanelFolder OptionsNew Item -> Open With ? Hasn’t worked for me so far…but just a thought

  32. Anon says:

    What a PITA!

  33. Banging my head against a wall says:

    this is real crap – sorry for that. But this is a horrible process. There is no reason to work with hashes in order to avoid setting associations globally other than marketing reasons (force users to use these nice windows apps at first time).

    Sometimes things have to be more complex, sometimes not. In this case, things could be easy.

    Think about roaming profiles with 8.1: the context-menu is gone with roaminng profiles, because the WinX folder is placed under local and not under roaming – another example for the big fault naming Windows 8.1.

    My sympathies for Microsoft are fading away…

  34. Steve Wilson says:

    This whole process stinks. I want to associate .zip files to 7-Zip. Why isn’t there a simple direct way for me, the owner of this machine and the crap programming in Windows 8.1 that I paid for?

  35. Banging my head against a wall says:

    @steve: yes, that`s the question. We just quit the W8.1 project and revert to W7, there are a bunch of other reasosns, not only this problem. But this one is anoying to. W8.1 is dead.

  36. Joe says:

    @Steve Wilson: Because Microsoft knows how THEY want you to use your system, and they don’t really give a crap what you think. This is just one small example of what an abusive monopoly power results in.

  37. EnigmaV8 says:

    You guys crack me up with the Microsoft bashing… do you even understand WHY Microsoft changed how file/protocol associations are done utilizing hashes? It’s a major security issue when an app can programmatically change any file/protocol association
    to anything it wants… i.e. a program can redirect any file extension or protocol to go to whatever it wants, like malicious code.

    WAAAAH! Why do we have these stupid seat belts in our cars now! Why are the manufacturers forcing us to use our cars how they want them to be used!

  38. BW~Merlin says:

    I cannot get this to work. If I do a gpresult on the targeted machine I can see that my policy is being applied but for me PDF’s still open in Reader rather than Acrobat. I saved the xml file into c:windowssystem32 on one of our domain controllers but
    does this need to be saved onto a network location that all devices can access?

  39. Marco says:

    BM~Merlin Yes, it has to accessible by the user and the user needs to be domain joined.

  40. Jonathan B says:

    I agree, this is necessary, but this is a little bit ridiculous. Sometimes in the name of security things are made impossible.

  41. Fixed in Windows Multipoint Server says:

    Using mandatory profiles on Multipoint Server 2012 and this group policy fixed the persistent prompting for how to handle HTML files (Internet Explorer or Chrome).

    Thanks for writing it up.

  42. Doug H says:

    Still can’t get MailTo to work. I have changed a number of associations, including manually setting the mailto protocol.
    When i export the xml file, there is no mention of mail or outlook in it.
    All other associations work great, just not the mailto

  43. Carla L says:

    Windows 8.1 – Log on as domain admin, set default app for .PDF to Adobe Acrobat. Test opening a PDF and it opens in Adobe Acrobat. Run Dism /Online /Export-DefaultAppAssociations:c:iconsAppAssoc.xml
    in an elevated command prompt. Open c:iconsAppAssoc.xml and I still see reader associated:

    Any help?

  44. Sean S. says:

    This way of protecting the registry is great….for home users. In a corporate/enterprise environment where 100’s of machines are joined to a domain and I need to make a file association change (after users have their profiles built for some time) this
    is outright stupid. If the machines are joined to a domain shouldn’t there be some sort of "security bypass" since the domain should be inherently trusted? This just made my task 10 times more difficult.

  45. Bob Hyatt says:

    I cannot set Adobe Acrobat as the default PDF program. Any time Reader or Acrobat DC gets installed, it overrides the default setting, and NOTHING will unlock that unless I uninstall the program. I have gone through every permutation of control panel and
    default program setting that I can find, it it will not reverse. Acrobat shows up in control panel, but does NOT show up in the default programs dialog

  46. ukdubs says:

    This does work in windows 8.1 enterprise. I’ve just done it. However I noticed even though I set some file associations during the session and exported, not all of them actually exported and I had to dive into the xml file and add them manually. I put
    the XML file in a share accessible by users

  47. Hi all,
    In my case, I only needed to use the right click on files and chose send to / email… option

    And exporting the xml from AccountA having Win Live Mail set as default with all features etc etc,

    then importing that xml on Acccount B using dism tool simply wasn’t enough.

    It only and immediately worked for me after creating following key :

    Windows Registry Editor Version 5.00

    @="Windows Live Mail"

    hope this help.

  48. Mark H. says:

    I found the same thing as ukdubs. I manually change file associations and not of them export to the .xml. It gets better, if I set .rar to Adobe Acrobat it shows up in the .xml but if I set it to 7zip then it doesn’t show up in the .xml. Microsoft please
    listen to us, we need to be able to set file and protocol associations on a per user basis in Group Policy. Not on a Machine Policy basis that doesn’t even work correctly. Oh and by the way, the .xml file only applies to newly created profiles, existing profiles
    are SOL.

  49. Lumirel says:

    Well, I want to change just URL:mailto Protocol and I have to push all assosiations? Isn’t this quite not really working for domain/terminal session environment? I am sorry, but this is epic fail – not the solution but the fact that GPO is worthless in
    this case and there is no simple way to do it.

  50. justin says:

    If i take DISM out of the equation and just create the .xml and link that to GPO will the policy go through for already imaged devices on the associated Domain? Asking so i can do that now and do the DISM part at a later date… Thanks in advance.

  51. Matt says:

    Did anyone get this working with 64bit Windows 8.1? It works perfectly with my Windows 10 machine, but the Windows 8.1 doesnt work.. even if i manually import the xml file from the command line.. (it says successful, but the associations havent changed).

  52. James Rankin says:

    This is a pain, having to set the FTAs by device now instead of by user (which you could using GPP Folder Options in Windows 7 and 2008 R2). Functionality depreciated in newer versions!

    I tried to get this working per-user and had some luck, but may be a bit hit-and-miss



  53. David says:

    Windows 2008 R2 Domain Level and Windows 8.1 64 Bit. So far we have only needed to modify the MAILTO association to from Microsoft Mail to Outlook instead. What I found is that the GPO that instructs a computer where to find the XML file exported using
    DISM appears to require an absolute path (no variables). I began with using variables in the GPO and this failed until I went basic and tested with the XML file at the root of my "C" drive. The steps:
    1. Export the XML file with the DISM command as explained in the author’s original post.
    2. Open the text file with wordpad or notepad and remove any unneeded lines (mine was stripped down to the opening/closing XML tags and one line for associated MAILTO to Outlook.
    3. Place the file in a location that all your domain computers and users have read access to already such as the NETLOGON share of one of your domain controllers where it will replicated to domain controllers in all of your sites.
    4. Use Group Policy Preferences to copy the file from %LOGONSERVER%NETLOGONAppAssoc.XML to a location such as %PUBLIC%Public DocumentsAppAssoc.xml and use the targeting options on the "Common" tab to filter who or which computers will have the file copied
    (maybe you’ll have more than one file copied in your environment so you might have to get creative – with GPP you can copy differently named files for different purposes but rename the file that applies to your target users or computers to one commonly named
    file on the target computers. This might be important in your environment because the GPO that instructs your computer where to look for the XML file only lets you name one file. This means that if you need to apply different file associations to different
    users/computers you’d need multiple GPOs).
    5. Modify the Group Policy Item, "Set a default file associations configuration file" located at, Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> File Explorer. In my example in step 4, the absolute path of %PUBLIC%Public
    DocumentsAppAssoc.xml would be C:UsersPublicPublic DocumentsAppAssoc.xml (The absolute path does appear to accept spaces – at least in my tests it does). But unlike the Group Policy Preferences settings where I used variables, the "Set a default associations
    configuration file" setting does not.

  54. clarkeb says:

    My experience goes as follows. (Win 10 Education 1511)

    I was able to get this policy to work, however it only works after a reboot. This is caused by the fact explorer is started at the time that group policy takes effect. To get the change to occur without a reboot, you need to restart explorer. This however doesn’t
    work in the University environment as the machines are Deep Frozen and a reboot will delete their profiles.

    So thanks to this "glitch" (it should apply at every logon before explorer is started so the file associations can be administered in a enterprise/work environment), I have to create a start-up script which replaces the OEMDefaultAssociations.xml file located
    in System32 which Windows uses to create default applications for each user. This doesn’t then require a restart of explorer as Windows applies these associations before explorer starts.

    Keep in mind, doing it this way, any applications must be pre-installed on the system. If you are using Virtual Applications, keep reading.

    To perform file associations with Virtual Apps (not installed), we simply just need to tell the system where the virtual application will live. We do this through the use of Application Registration. I am unsure if a UNC path will work but I have tested it
    local and this works fine.

    Just make sure you register the app under the Applications folder. Once registered, using firefox as an example, you could modify your AppAssoc to look like the following.


  55. clarkeb says:

    Thanks HTML Sanitisation

    From: ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge"
    To: ProgId="Applicationsfirefox.exe" ApplicationName="FireFox"

  56. Ian says:

    Great stuff. Worked for us on Win 8.1 and 10. Many thanks. Agree with others – thanks for fixing what wasn’t broken, MS!

  57. Ramesh says:

    Hi, Thanks for the article. If programs can’t update the ProgId/Hash under Userchoice, I’m wondering how some programs can do this successfully? For example FoxIt Reader can update the ProgID and Hash successfully.

  58. JCerna says:

    This works for us Win 8, 8.1. & 10. I don’t get why computer needs to be in a domain but for us is not a problem as they are. As for others I don’t get why this is so hard to implement for a "normal user". Anyways thanks to Brenton for your post very helpful.
    Have you tried using tskill to reset explorer after login? I am going to have the same scenario with some kiosk machines.

Skip to main content