Deploying winget apps with Microsoft Endpoint Manager and auto-update!
It's not long until the new Microsoft Store will be integrated in Endpoint Manager, and when that happens, deploying apps via Windows Package Manager (otherwise known as winget) will likely be a breeze. Until then, we need a way to deploy apps now using the same methods. Thankfully this is relatively easy, and I wanted to summarize the way that I do this using community-provided tools and scripts. One area that is slightly more difficult with Endpoint Manager, at least when deploying apps manually (without the use of a service like Scappman or Patch My PC), is app updates. Thankfully there's also a solution for that!
App Installer, what?
It's worth noting that in order to use winget, you must have Windows Package Manager already installed on the device. This should be installed by default on Windows 11 machines and most up-to-date Windows 10 devices, but it's worth deploying it anyway. I do this via the current Microsoft Store for Business app called App Installer, and I use the offline version, but there are other ways you can install this if you prefer another method. Just remember, if you do it the same way I do, to set the license type to Device.
I deploy this way as a required app before deploying any winget apps.
App deployment using Winget
I will start by mentioning that the method and scripts I use are provided by Romanitho and can be found on his GitHub page: Romanitho/Winget-Install (PowerShell scripts for Winget with SCCM/Intune). There are options for deploying with SCCM and Intune, as well as the option to customise the scripts and add your own into the mix; for this we are going to keep it nice and simple. Start by downloading the Winget-install folder and extracting it.
The file you want to start with is winget-install.ps1. If you open up the script, you'll notice there are some examples of how to use it, which might be of help to you. For now, though, all we need to do next is wrap the script using the Intune Win32 Content Prep tool.
Once it's wrapped you can go ahead and upload it to Endpoint Manager, but first we need to decide what app we want to deploy! There are a few different ways to search for apps available through winget, such as winget.run, or you can simply search for an app using winget via PowerShell.
You'll want to make sure you have the correct version of the app you are searching for, but this is typically pretty easy to locate. In this example I am going to deploy Microsoft PowerToys. Take note of the app ID, as you'll need this for the deployment.
Now go ahead and upload your wrapped script to MEM as a Win32 app and fill in the appropriate info in the description page.
The next page is where we specify the install and uninstall commands. This is also where we decide which app the script installs using Package Manager, as well as any additional parameters, such as logging. Be mindful to always test your deployments: some apps prefer to be installed in the User context, and Discord is a good example of this!
The commands I am using for install and uninstall are like so.
Install: %systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File winget-install.ps1 -AppIDs Microsoft.PowerToys -LogPath "C:\vital-temp\MSpowertoys-winget-logs"
Uninstall: %systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -File winget-install.ps1 -AppIDs Microsoft.PowerToys -Uninstall
All you need to do is update the App ID in the commands above (Microsoft.PowerToys in this example) with your required App ID and choose your install context based on your needs. Set your requirements and then move on to the detection page.
Here is where you are going to make use of the second script provided in the winget-install-main folder. This time, though, you'll want to open it up to edit.
All you need to do is update the $AppToDetect and then save it back.
Once you've saved that, go ahead and upload that as your detection script.
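To show what a winget-based detection script has to handle when Intune runs it, here is an added example; it is not the script from the Winget-Install repository, and the x64 package folder pattern is an assumption about the device.

```powershell
# Added example of an Intune custom detection script; not the script from Winget-Install.
$AppToDetect = 'Microsoft.PowerToys'   # winget package ID, as used in the install command

# Detection runs as SYSTEM and possibly in 32-bit PowerShell: the per-user "winget"
# alias is not on PATH and $env:ProgramFiles may point at "Program Files (x86)",
# so locate winget.exe in the App Installer package folder via ProgramW6432.
# Assumption: x64 device (folder name contains "_x64__").
$pattern = Join-Path $env:ProgramW6432 'WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe'

# If several App Installer versions are present, use the newest one.
$winget = Resolve-Path -Path $pattern -ErrorAction SilentlyContinue |
    Sort-Object { [version]($_.ProviderPath -replace '^.*DesktopAppInstaller_([\d.]+)_.*$', '$1') } |
    Select-Object -Last 1

if (-not $winget) {
    # winget is not available, so the app cannot be queried: report "not detected".
    exit 1
}

# --exact avoids matching other packages whose ID merely contains this one.
$listing = & $winget.ProviderPath list --id $AppToDetect --exact --accept-source-agreements 2>&1 |
    Out-String

# Intune treats the app as detected only when the script exits 0 AND writes to STDOUT.
if ($listing -match [regex]::Escape($AppToDetect)) {
    Write-Output "Detected $AppToDetect"
    exit 0
}
exit 1
```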
Follow through the setup process and assign the app to your desired group. In my case I have published to all users as available for enrolled devices. I find the application shows up in Company Portal quickly; I assume this is because the installer is so small, being just a PowerShell script.
Go ahead and install the app from Company Portal or force a sync if you are deploying as a required app.
Once it has installed, you should see the usual popup advising you as such. Super easy!
Updates for all!
Great, so now you can deploy your apps via winget nice and easy, but what about keeping them up to date? Well, Romanitho has got you covered with his awesome winget-autoupdate application on GitHub: Romanitho/Winget-AutoUpdate (WAU updates apps daily as SYSTEM and notifies connected users, with allowlist and blocklist support).
This tool is very cool and allows you to incorporate your own application block and allow list, change notification language, default install location and loads more - For the purpose of this article we are going to keep it simple but we will deploy it with an update schedule.
For this to work you are going to want to extract the downloaded zip and then right click on each of the .bat files and unblock the files - Tick the box to unblock it!
Then take the contents and add them to your source folder you normally use when packaging apps using the content prep tool.
Notice I have copied them to my source folder.
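Unblocking removes the Mark of the Web from scripts that will later run on every assigned device, so it helps to tie the unblock to a recorded review. The following is an added example, not part of Winget-AutoUpdate; the folder path, manifest file name and the -Approve switch are assumptions for illustration.

```powershell
# Added example: audit downloaded scripts before packaging them for Intune.
param(
    [string]$SourceDir    = 'C:\IntuneSource\Winget-AutoUpdate',  # hypothetical path
    [string]$ManifestPath = '.\reviewed-hashes.csv',              # hypothetical file: RelativePath,SHA256
    [switch]$Approve                                              # record current hashes as reviewed
)

$scriptTypes = '.ps1', '.psm1', '.bat', '.cmd', '.vbs'
$root = (Resolve-Path -LiteralPath $SourceDir).ProviderPath

# Hashes recorded when the files were last read and approved (empty on first run).
$reviewed = @{}
if (Test-Path -LiteralPath $ManifestPath) {
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $reviewed[$_.RelativePath] = $_.SHA256 }
}

$report = @(Get-ChildItem -LiteralPath $root -Recurse -File |
    Where-Object { $scriptTypes -contains $_.Extension } |
    ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        # Zone.Identifier is the alternate data stream that "Unblock" removes.
        $ads = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RelativePath = $rel
            SHA256       = $sha
            Signature    = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            Blocked      = [bool]$ads
            Reviewed     = ($reviewed[$rel] -eq $sha)
        }
    })
$report | Format-Table -AutoSize | Out-Host

if ($Approve) {
    # Run with -Approve only after reading the scripts listed above.
    $report | Select-Object RelativePath, SHA256 | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    exit 0
}

$unreviewed = @($report | Where-Object { -not $_.Reviewed })
if ($unreviewed.Count -gt 0) {
    Write-Warning "$($unreviewed.Count) script(s) are new or changed since the last review."
    exit 1
}

# Every script matches the reviewed manifest, so clear the Mark of the Web.
$report | Where-Object { $_.Blocked } |
    ForEach-Object { Unblock-File -LiteralPath (Join-Path $root $_.RelativePath) }
```

Keeping the manifest alongside the packaging source gives you a record of exactly which script versions were wrapped and deployed.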
Then go ahead and prep the Win32 app using the Winget-AutoUpdate-Install.ps1 as the setup file.
Once that is done you can upload this to the MEM portal as a Win32 app.
Notice the install and uninstall commands I am using as this is also where you would specify any additional commands, such as the update schedule you want to use - In my example I want it to run at logon but also check for updates weekly.
The detection rule will be dependent on where you decide to install it; for me it is the default location.
Then go ahead and deploy the app as either required or available - I would suggest deploying it as a required app so you know you will be keeping your users' apps up to date.
You will often find that the application will start to update apps you have installed right away. In my experience it tries to update apps that are available via winget but may not have been installed this way; when this happens (at least for me) it fails the update, so that's worth keeping in mind. I have more success with updates if the app has been deployed via winget in the first place.
You will know once it is working as you'll receive a notification, like so.
Happy deploying folks!