In modern Windows environments (Windows 10/11 and Server 2016+), Microsoft has tightened security regarding how default applications are assigned. This article explains why standard executable tools might fail to maintain these associations and provides the verified method for forcing protocol associations (specifically HTTP/HTTPS) using Group Policy Objects (GPO).

Our internal tool, SetFileTypeAssociation.exe, successfully writes the required associations for HTTP/HTTPS into the Current User registry hive (HKCU). However, you may notice that these settings are frequently reverted or ignored by the OS.
The executable utilizes "REG.exe" to modify the registry. Modern Windows versions include a feature called "User Choice Protection Driver (UCPD)". This system perceives direct registry edits via scripts or CLI tools as a violation of the user's right to choose their own default applications. Consequently, Windows often resets these "unauthorized" changes to system defaults to prevent hijacking.


For years, many administrators have relied on the third-party tool "SetUserFTA" (by Christoph Kolbicz) to bypass this by generating the required hash for the "UserChoice" registry key.

While effective, the official Microsoft-supported method remains the XML configuration via GPO.



Solution: GPO & XML Association File (domain joined servers only)


Forcing HTTP/HTTPS links to open with a specific application (e.g., "tsplus.urlonclient") is the responsibility of the environment's system administrator. The most reliable way to achieve this is through a Managed Default Associations .xml configuration file.

### 1. Create the XML Configuration File

Create a file named "DefaultApps.xml" with the following content:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier="http" ProgId="tsplus.urlonclient" ApplicationName="Url On Client" />
  <Association Identifier="https" ProgId="tsplus.urlonclient" ApplicationName="Url On Client" />
</DefaultAssociations>
```



### 2. Host the File

Place the XML file in a shared folder accessible by the target servers or workstations.
Ensure the "Everyone" group has read rights on both the share and NTFS levels.



### 3. Configure the GPO

This is a "Computer Configuration" policy, meaning it applies to the machine itself, regardless of which user logs in.

Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer: "Set a default associations configuration file"


### 4. Verification Steps

After applying the policy and running "gpupdate /force" (or rebooting), open an HTTP link and verify it triggers the correct application, or check the value of the following registry key within the user's session:


HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
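
The registry check above can be scripted for every entry in the XML file. The following PowerShell is an added example, not part of SetFileTypeAssociation.exe or of this article's original procedure; the function names are hypothetical, the default path is the one used in the DISM command on this page, and the script goes beyond the HTTP/HTTPS case by also handling file-extension identifiers, which Windows stores under the FileExts key.

```powershell
# Added example: compare DefaultApps.xml with the current user's UserChoice keys.
# Save as a .ps1 file and run it inside the user's session (HKCU is per user).
param(
    # Assumption: adapt to the share or local path where your XML file is stored.
    [string]$XmlPath = 'C:\FTA\DefaultApps.xml'
)

function Get-UserChoicePath([string]$Identifier) {
    # File extensions (".pdf") and URL protocols ("http") are recorded under different keys.
    if ($Identifier.StartsWith('.')) {
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Identifier\UserChoice"
    } else {
        "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$Identifier\UserChoice"
    }
}

function Test-DefaultAssociations([string]$Path) {
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    foreach ($assoc in $doc.DefaultAssociations.Association) {
        $key = Get-UserChoicePath $assoc.Identifier
        # The key or value is missing when no choice has been recorded for this identifier.
        $actual = (Get-ItemProperty -LiteralPath $key -Name ProgId -ErrorAction SilentlyContinue).ProgId
        [pscustomobject]@{
            Identifier = $assoc.Identifier
            Expected   = $assoc.ProgId
            Actual     = if ($null -eq $actual) { '<not set>' } else { $actual }
            Match      = ($actual -eq $assoc.ProgId)
        }
    }
}

$results = @(Test-DefaultAssociations -Path $XmlPath)
$results | Format-Table -AutoSize

# A non-zero exit code lets a logon script or monitoring job flag a reverted association.
if ($results.Match -contains $false) { exit 1 }
```

A row with Match = False on an existing profile corresponds to the case described under Deployment & Enforcement, where the policy has not overwritten an earlier user choice.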




===> Deployment & Enforcement:

By default, Windows applies these associations during the first logon of a new user profile.
If a profile already exists, the GPO may not automatically overwrite a manual user choice. To force the update, the admin can either delete the user profile (resetting it) or delete the specific "UserChoice" registry key for HTTP/HTTPS.
Interestingly, when SetFileTypeAssociation.exe is used in conjunction with this GPO, the association also updates existing profiles without manual registry deletion.


For servers in a workgroup:


SetFileTypeAssociation.exe may not be enough for already existing profiles.

If it is not, the following solutions should apply the association:


==> For new users:


- Keep URLonClient enabled

- Run in an elevated PowerShell window: Dism /Online /Import-DefaultAppAssociations:C:\FTA\DefaultApps.xml (adapt the path to the local location where your .xml file is stored)

- Open a session with a newly created user to check if it works


==> For already created users:


Unfortunately, these methods won't work.

Therefore, the admin can either use a third-party solution (like SetUserFTA by Kolbicz), or teach users to manually set 'URLonClient.exe' as the default web browser (or at least as the default application for the HTTP/HTTPS protocols).


Another option is to work around the UCPD restriction by applying the association through another mechanism, or to deactivate UCPD using a method that can be found on the internet.



Additional sources:


https://www.ninjaone.com/blog/how-to-manage-userchoice-protection-driver-in-windows-11/

https://kolbi.cz/blog/2025/04/20/userchoicelatest-microsofts-new-protection-for-file-type-associations/

https://kolbi.cz/blog/2024/04/03/userchoice-protection-driver-ucpd-sys/

https://kolbi.cz/blog/2025/07/15/ucpd-sys-userchoice-protection-driver-part-2/