How to Configure Outlook as Default Mail Client Using Microsoft Intune

First, you need to create the XML file that defines Outlook as the default mail client. This requires a reference Windows machine with Outlook already set as the default.

On your reference machine, configure Outlook as the default mail client:

1. Open Settings > Apps > Default apps
2. Click Choose defaults by protocol
3. Find MAILTO and select Microsoft Outlook

Now export the current default app associations using DISM. Open Command Prompt as Administrator and run:

Dism /online /Export-DefaultAppAssociations:C:\DefaultApps.xml

This creates an XML file with all current default app associations. Open C:\DefaultApps.xml in a text editor and verify it contains the Outlook associations. The file should include entries like:

The Settings Catalog in Intune requires the XML file to be Base64-encoded. You'll convert your DefaultApps.xml file using PowerShell.

Open PowerShell and run the following command to convert your XML file to Base64:

[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((Get-Content "C:\DefaultApps.xml" -Raw)))

This command will output a long Base64 string. Copy this entire string - you'll need it for the Intune configuration. The output will look something like:

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0ibWFpbHRvIiBQcm9nSWQ9Ik91dGxvb2suVVJMLm1haWx0by4xNSIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgT3V0bG9vayIgLz4NCjwvRGVmYXVsdEFzc29jaWF0aW9ucz4=

Save this Base64 string in a text file for easy access during the Intune configuration.

Now you'll create the Intune configuration profile using the modern Settings Catalog approach, which is the recommended method as of 2026.

Sign in to the Microsoft Intune admin center and navigate to:

1. Devices > Configuration profiles
2. Click Create > New policy
3. Select Platform: Windows 10 and later
4. Select Profile type: Settings catalog
5. Click Create

Configure the profile basics:

• Name: Outlook Default Mail Client Configuration
• Description: Enforces Microsoft Outlook as the default email application for mailto links and email file types

Click Next to proceed to the configuration settings.

In the Settings catalog configuration, you'll add the specific setting that controls default app associations.

On the Configuration settings page:

1. Click Add settings
2. In the settings picker, search for "Application Defaults"
3. Expand Application Defaults
4. Select Default Associations Configuration
5. Click Add

Back in the configuration settings page, you'll see the Default Associations Configuration setting. Configure it as follows:

• Default Associations Configuration: Paste your Base64-encoded XML string from Step 2

The setting should now show "Configured" with a preview of your Base64 string. Click Next to proceed to assignments.

Now you'll assign the configuration profile to your target devices or user groups.

On the Assignments page, configure the deployment scope:

For organization-wide deployment:

• Under Included groups, click Add all devices

For targeted deployment:

• Under Included groups, click Add groups
• Select specific device groups or user groups
• Click Select

You can also configure exclusions if needed:

• Under Excluded groups, add any groups that should not receive this policy

Configure applicability rules if you need to target specific Windows versions:

• Click Add rule
• Set conditions like OS version, device type, or other criteria

Click Next to proceed to the review page.

On the final Review + create page, verify all your configuration details:

• Name: Outlook Default Mail Client Configuration
• Platform: Windows 10 and later
• Profile type: Settings catalog
• Settings: Default Associations Configuration (configured)
• Assignments: Your selected groups

If everything looks correct, click Create to deploy the policy.

The policy will now appear in your Configuration profiles list with a status of "Pending" initially, then "Succeeded" once created.

Monitor the deployment status by clicking on the policy name and reviewing:

• Device status: Shows how many devices have successfully applied the policy
• User status: Shows user-level deployment status
• Per-setting status: Detailed status for the Default Associations Configuration setting

To speed up policy deployment and testing, you can force an immediate sync on target devices rather than waiting for the automatic check-in cycle.

Method 1: From Intune Admin Center

1. Go to Devices > All devices
2. Select a target device
3. Click Sync in the device actions menu
4. Wait for the sync to complete (usually 2-5 minutes)

Method 2: From the Target Device

On the Windows device, users can trigger a manual sync:

1. Open Settings > Accounts > Access work or school
2. Click on the work or school account
3. Click Info
4. Click Sync

Method 3: PowerShell Command

Run this PowerShell command as Administrator on the target device:

Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

You can also force a Group Policy update (which processes Intune policies) with:

gpupdate /force

After the policy has been applied and the device has synced, verify that Outlook is now the default mail client.

Test Method 1: Windows Settings

1. Open Settings > Apps > Default apps
2. Verify Email shows Microsoft Outlook
3. Click Choose defaults by protocol
4. Verify MAILTO is set to Microsoft Outlook

Test Method 2: Registry Verification

Open Registry Editor and navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\mailto\UserChoice

The ProgId value should be Outlook.URL.mailto.15

Test Method 3: Functional Testing

• Open a web browser and click a mailto: link (e.g., mailto:test@example.com)
• Outlook should open with a new email composition window
• Double-click an .eml or .msg file - it should open in Outlook

Test Method 4: Command Line Test

Open Command Prompt and run:

start mailto:test@example.com

This should launch Outlook with a new email to test@example.com.

Monitor the ongoing compliance and troubleshoot any devices where the policy isn't applying correctly.

Monitor Compliance in Intune:

1. Go to Devices > Configuration profiles
2. Click on your Outlook Default Mail Client Configuration policy
3. Review the Device status and User status tabs
4. Look for devices showing "Error" or "Not applicable" status

Common Issues and Solutions:

Issue 1: Policy shows "Not applicable"

• Verify the device meets Windows version requirements (1703+)
• Check if the device is properly enrolled in Intune
• Ensure Outlook is installed on the device

Issue 2: Policy applied but Outlook not default

• Force a device restart or user sign-out/sign-in
• Check for conflicting Group Policies or other configuration profiles
• Verify the Base64 encoding is correct

Issue 3: New Outlook app conflicts

If your organization has both classic and new Outlook, you may need to block the new Outlook migration:

# PowerShell script to disable new Outlook migration
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Preferences" -Name "NewOutlookMigrationUserSetting" -Value 0 -PropertyType DWORD -Force

Advanced Troubleshooting:

Use PowerShell to check current default associations:

# Check current mailto handler
$mailtoHandler = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\mailto\UserChoice" -Name "ProgId" -ErrorAction SilentlyContinue
Write-Output "Current mailto handler: $($mailtoHandler.ProgId)"