Microsoft is now using a Windows driver to prevent users from changing the configured Windows 10 and Windows 11 default browser through software or by manually modifying the Registry.
To anyone saying “just use GPOs”, here’s a quote from the SetUserFTA page:
Microsoft offers a solution with GPO, but it is Computer-based and not User-based – and rather complicated. This means you cannot associate your Users on the same Server/Client with different file types. For example:
You have a PDF viewer and a PDF editing software on your XenApp server. Now you want a certain group to open their PDFs in the editor and the others only in the viewer (for licensing reasons, for example). This is NOT possible anymore and Microsoft states “it is by design” and “this is a security measure”.
Said solution:
Set up a reference computer
Install applications
Go to Control Panel\All Control Panel Items\Default Programs and configure default apps associations.
Export/import the custom default app association with dism.exe
[…]
As some recommended applications can manage more extensions with each new Windows 10 version available, it’s a good practice to refresh your XML. For example, in Windows 10 1703, Microsoft Edge registers the epub extension. If you’re using an XML file from Windows 10 1607, epub is missing. As a result, you will get an app reset notification for epub.
[…]
Configure a policy for your domain-joined computer: file association will be configured at each logon. User will be able to change file association, but at the next logon file association will be configured using XML file. This policy works only for domain-joined computer.
This is just about the most convoluted, annoying way they could come up with for doing this, doesn’t help people whose machines aren’t part of AD and isn’t scriptable. If they were mainly concerned about security they’d have an option for not allowing the user to change these preferences even temporarily on domain-joined machines.
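As an added example (not from the page, the quoted guide, or the SetUserFTA project), this PowerShell script performs the export step from the procedure above with dism.exe and then diffs the fresh export against an already-deployed XML, flagging identifiers such as .epub that a newer build registers but the old file lacks (the cause of the app-reset notification described above). The file paths are assumptions for illustration; dism.exe must be run from an elevated prompt.

```powershell
# Added example, not code from the page or from SetUserFTA. Paths are assumed.
$ExportPath = 'C:\Temp\AppAssoc-current.xml'   # fresh export from the reference machine
$OldPath    = 'C:\Temp\AppAssoc-1607.xml'      # XML currently deployed by policy (assumed)

function Export-CurrentAssociations {
    param([string]$Path)
    # Writes the reference machine's default app associations in the XML format
    # consumed by /Import-DefaultAppAssociations and by the GPO
    # "Set a default associations configuration file".
    & dism.exe /Online "/Export-DefaultAppAssociations:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dism.exe export failed with exit code $LASTEXITCODE" }
}

function Get-AssociationMap {
    param([string]$Path)
    # Returns a hashtable: Identifier (extension or protocol) -> ProgId
    [xml]$doc = Get-Content -Path $Path -Raw
    $map = @{}
    foreach ($a in $doc.DefaultAssociations.Association) {
        $map[$a.Identifier] = $a.ProgId
    }
    return $map
}

function Compare-Associations {
    param([string]$OldXml, [string]$NewXml)
    $old = Get-AssociationMap $OldXml
    $new = Get-AssociationMap $NewXml
    # Identifiers the newer build registers that the deployed XML does not cover
    # (e.g. .epub after 1703); each one triggers an app-reset notification at logon.
    $missing = $new.Keys | Where-Object { -not $old.ContainsKey($_) } | Sort-Object
    # Identifiers whose ProgId differs: a different app would win after import.
    $changed = $new.Keys | Where-Object { $old.ContainsKey($_) -and $old[$_] -ne $new[$_] } | Sort-Object
    [pscustomobject]@{ Missing = @($missing); Changed = @($changed) }
}

Export-CurrentAssociations -Path $ExportPath
$result = Compare-Associations -OldXml $OldPath -NewXml $ExportPath
$result.Missing | ForEach-Object { "Missing from deployed XML: $_" }
$result.Changed | ForEach-Object { "ProgId differs for: $_" }
```

Once the refreshed XML is reviewed, it is deployed through Computer Configuration > Administrative Templates > Windows Components > File Explorer > "Set a default associations configuration file", which re-applies it at every logon as the quoted guide notes.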
That’s on purpose.