Use Winget with Intune

I had this post on my to-do list for a while. How to use winget with Intune to deploy your packages and create a default deployment method for these packages. If you deploy packages via this method you won’t have to update Intune again with new versions of packages.

Peter van der Woude inspires this post with his default chocolatey deployment blog. You can find it here. I built my deployment method around this idea.

Prerequisites

You need an Intune environment with proper licensing.

You need the Win32App packaging tool.

After that, you are ready to start this blog!

The deployment method for Winget with Intune

I already created all the scripts for using Winget, installing prerequisites on devices that need them, and installing an application afterward. For the example deployment, I am using Adobe Reader 64-bit.

I created 3 scripts and published them on my GitHub:

Use Winget with Intune - Github scripts

Download these scripts and put these in a temp folder for later packaging. I’ll go through these scripts 1 by 1.

Firstly, the install.ps1. This script has a value for the package id in Winget(1), detects which version of the App Installer is Installed (2), creates a log folder (3), and checks if the App Installer version lower than “2022.506.16.0”.

After that, if Windows 10 is detected Winget + dependencies will be installed and the package (Adobe.Acrobat.Reader.64-bit) is installed. Check the full install.ps1 at your own pace, it was too large to post the entire script here.

Next the Detection.ps1. You fill in the same value for the Package name as in the install.ps1 (1), and after that the package is detected (2):

Lastly, the uninstall.ps1 script. Again, you fill the Package name variable with the package id (1), a new log file for uninstallation is created (2), and the package is uninstalled if detected (3).

Furthermore, If you want to deploy another package with Winget. Change the $PackageName in the Winget package id.

You can search for this using winget. For example 7zip:

Create Intune Package

I assume that you downloaded the IntuneWin32App tool. If you didn’t, use this link.

Double-click the IntuneWinAppUtil.exe and fill in your variables:

As a result, you see this output:

Next, log on to Intune.

(if you want more details about the process below, please check out this post.)

1. Go to Apps and create a new Win32App
2. Select the app package file. This is the Install.intunewin file from the picture above.
3. Name the application and fill in a description.
4. The install command is: powershell.exe -ExecutionPolicy Bypass -File .\Install.ps1
5. The uninstall command is: powershell.exe -ExecutionPolicy Bypass -File .\UnInstall.ps1
6. The requirements are Windows 10 20H2 and 64-bit. (you can change this if you like).
7. The detection rule is the detection.ps1 script.
8. No dependencies and supersedence needed.
9. Assign the application to a group and click on review and create!

As a result, the package is created in Intune:

Intune Package Deployment

Lastly, I want to talk about the results.

On the targetted PC you see this log:

If you open the log, you can see the results of the installation:

Furthermore, If you send the uninstallation command, there will also be a _uninstall log file:

References

Rudy Ooms Winget Installation

29 thoughts on “Use Winget with Intune”

  1. Hi Niels,
    This is a great addition to using winget. However I have problem with the detection script and as a result the app is not installed. Gave it a try with “Microsoft.PowerToys” and the app is detected by the script even if it’s not installed and hence it will not install. Have you encountered this?

    Reply
    • Hi Erik,

      Thanks for your comment. Did you try to run the script as system manually on the machine? What is the result? You can use the sysinternals toolkit to run cmd or powershell as system.

      Regards,
      Niels

      Reply
      • Hi Niels,
        No, only with Intune to machine (runs as system), psexec is blocked so I’ll give it a try on a test PC.
        When you deploy with Intune, do do deploy to machine? I think earlier versions of winget required deployment to user and the user needed to be admin, has this changed?

        Reply
      • Hi Erik,
        I too am having a problem with the detection script. I’m no PS guru, but it seems that at line 14, the If is supposed to compares the variable $InstalledApps (loaded with the status string from line 12) to something, or Else. But the string isn’t compared to values that indicate status.
        My line 14 has been updated to “if ($InstalledApps -neq ‘No installed package found matching input criteria.’) {” but is there is a better way I’m here for it.
        Thanks for your works! 🙂

        Reply
          • Hi Niels, I ran the detection script through ChatGPT-4 and asked it about line 14:
            “My apologies for not catching that issue earlier. You are correct; there is a potential problem with line 14 in the script. The if ($InstalledApps) condition could lead to false positives if the output of .\winget.exe list –id $PackageName contains any text even if the package is not actually installed. To address this issue, we should modify the condition to check for the specific package ID in the output.
            Now, on line 14, the script uses the -match operator to check if the output of the .\winget.exe list –id $PackageName command contains the specific package ID. This should prevent false positives and provide more accurate results.”
            God help us all…
            Updated code:
            if ($InstalledApps -match $PackageName) {
            Write-Host “$($PackageName) is installed”
            Exit 0

          • Hi Chris,

            Thank you for checking. Let me check it also and update the blog.

            KR,
            Niels

  2. Hello.
    First, congratulations on the excellent script.
    As I understand it, your script will only install Adobe Reader (in the given example) if it is not installed.
    If it’s installed, your script won’t upgrade, right?

    Reply
  3. Sort of a winget related question… thanks for the scripts btw…

    We have the Microsoft Store locked down for all our users, but it seems with Winget they can install whatever they like by just opening a command prompt and using winget without Administrative credentials. Is there any way we can lock down winget the same way we did with the Microsoft Store while still being able to push applications to our users with scripts like these?

    Reply
    • Hi Marcel,

      You could take a look at Windows Defender Application Control (WDAC) or Applocker. WDAC is easier to deploy than Applocker. I would recommend you to take a look at it first.

      Thanks,
      Niels

      Reply
    • # Define the registry path
      $regPath = “HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller”

      # Check if the registry path exists, if not create it
      if (-not (Test-Path $regPath)) {
      New-Item -Path $regPath -Force | Out-Null
      }

      # Set the AppInstaller-AllowAppInstalls value to 1 to enable WinGet
      Set-ItemProperty -Path $regPath -Name “EnableAppInstaller” -Value 1

      # Output confirmation
      Write-Host “App Installer registry key is now enabled for WinGet.”

      Reply
  4. Been playing around with the script for some time. In my test I wanted to use it to install WhatsApp (whatsapp.whatsapp). This does not seem to work with the script as of yet. I think the challenge lies in WhatsApp wanting to install in the user context instead of the system context. You might give it a try by just changing the $packagename in your script to whatsapp.whatsapp to see if it still works as expectd (might be doing something wrong on my side)

    I solved this challenge in my own environment by using the Powershell App Deployment Toolkit and run most parts of the script in the system context, but the part where it says ‘.\winget.exe install $PackageName –silent –accept-source-agreements –accept-package-agreements’ is run with a Execute-ProcessAsUser so it runs in the current logged on user context. This works for me.

    I don’t use it in Production for know because I am waiting to take a look at the new Microsoft Store App (new) functionality once it arrives in our tenant, but I like the effort you put into this kind of solutions.

    Reply
    • Hi Marcel,

      Thanks for your comment. It is true that the winget application is not as mature as it needs to be. If you take a look at chocolatey, that might fit your use case better.

      Thanks,
      Niels

      Reply
  5. Hi Niels,
    Thank you for the great work and your great blog!
    I am testing setting up intune for the first time and was testing installing apps in different ways. Because adobe reader always has a lot of (security) updates I hoped to just use the new option called “windows store apps” (new) and install it from the windows store. in the MS docs it says that the app should also auto update this way. Is that an option now? I hope so because it is really easy and quick. 🙂
    Kind regards, Peter

    Reply
    • Hi Peter,

      Sure, you can use winget to install Adobe Reader from the MSStore. If that version has all the features you want, you can use it.

      Thanks,
      Niels

      Reply
  6. Niels,
    excellent instructions! How could we make some uninstalls silent? In some instances, the gui pops up requesting input to proceed with the uninstall.

    Reply
    • Niels,
      on my previous reply, I saw that you had the –silent command added to the uninstall.ps1 script (line 27), but still a on couple of applications I still had to check some boxes for the uninstall to complete. Does an additional command need to be added? Thanks in advance

      Reply
  7. Hey! Great write up. How is it possible to deploy these apps via WinGet using Company Portal / Available status and not Required?

    Thanks!

    Reply
      • Thanks for the response!
        Install behaviour should be changed to User rather than System? And then just a user group assigned to ‘required’.
        I will test today.
        Thanks!

        Reply
  8. Hi,
    Thanks for the script, looks great. When i push out via intune, the install keeps failing with the below in the logs:
    Installer hash does not match; this cannot be overridden when running as admin

    Any ideas?

    Thanks.

    Reply
    • Hi Jake,

      Which package are you trying to install? If the hashes don’t match that is usually a red flag and wouldnt recommend installing the application. Did you have try a simple one like 7zip.7zip?

      Thanks,
      Niels

      Reply

Leave a Comment