Automatically Update Apps with WinGet and Intune

As a system administrator, keeping applications up to date without disrupting users is a constant balancing act. Over the years, I’ve tried various approaches, but recently I’ve settled on using Winget Auto Update (WAU) — a tool that’s helped streamline the update process while keeping user experience front and center.
Why WAU?
WAU automates application updates using Microsoft’s Winget package manager. It’s lightweight, flexible, and integrates well with Group Policy and Intune, making it ideal for enterprise environments. But like any tool, its effectiveness depends on how it’s configured.
Deployment
Deploying WAU couldn’t be easier. The developers have recently moved to an MSI package, which is super easy to deploy with Group Policy or Intune.
Tips for Version Management
- MSI GUIDs may change between releases (e.g., v2.0.0 vs v2.0.1), so version supersedence in Intune requires careful tracking.
- Use PowerShell to extract GUIDs before packaging new versions.
# Define the display name of the MSI application
$AppName = "WinGet-AutoUpdate"

# Search both 32-bit and 64-bit uninstall registry paths
$registryPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

foreach ($path in $registryPaths) {
    Get-ItemProperty $path | Where-Object {
        $_.DisplayName -like "*$AppName*"
    } | Select-Object DisplayName, DisplayVersion, UninstallString, PSChildName
}
Example Output
DisplayName : WinGet-AutoUpdate
DisplayVersion : 2.0.1
UninstallString : MsiExec.exe /X{12345678-ABCD-1234-EFAB-1234567890AB}
PSChildName : {12345678-ABCD-1234-EFAB-1234567890AB}
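
The registry query above only returns a GUID once the MSI is installed. As an added example (not from the original post or the WAU project), the function below reads the ProductCode and related properties directly from the MSI file through the Windows Installer COM object, and records the file hash and Authenticode status for the packaging record. The function name `Get-MsiPackageInfo` and the sample path are hypothetical.

```powershell
# Added example: inspect an MSI before packaging it for Intune, without installing it.
function Get-MsiPackageInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$Path
    )

    $fullPath  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $null; $view = $null
    try {
        # Second argument 0 = open the MSI database read-only
        $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($fullPath, 0))
        $info = [ordered]@{ File = $fullPath }

        foreach ($name in 'ProductName', 'ProductVersion', 'ProductCode', 'UpgradeCode') {
            $query  = 'SELECT Value FROM Property WHERE Property = ''{0}''' -f $name
            $view   = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
            $null   = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
            $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
            # A property can be absent (UpgradeCode is optional), so Fetch may return nothing
            $info[$name] = if ($record) {
                $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
            } else { $null }
            $null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
        }

        # Integrity data to store alongside the Intune package
        $sig = Get-AuthenticodeSignature -LiteralPath $fullPath
        $info.SignatureStatus = $sig.Status
        $info.Signer          = $sig.SignerCertificate.Subject   # $null when unsigned
        $info.SHA256          = (Get-FileHash -LiteralPath $fullPath -Algorithm SHA256).Hash

        [pscustomobject]$info
    }
    finally {
        # Release COM references so the MSI file is not left locked
        foreach ($o in $view, $db, $installer) {
            if ($o) { [void][Runtime.InteropServices.Marshal]::ReleaseComObject($o) }
        }
    }
}

# Usage (constructed placeholder path):
# Get-MsiPackageInfo -Path 'C:\Packages\WAU.msi' | Format-List
```

Comparing ProductCode and UpgradeCode between two downloaded releases shows whether the GUID changed before you build the supersedence rule.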
My Configuration Strategy
I’ve chosen to trigger updates at user logon. This decision was driven by a need to avoid updating applications while they’re running — a scenario that can lead to data corruption or user frustration. Here’s how I’ve configured WAU:
- Updates at Logon: Enabled
  - Minimizes disruption by updating apps before they’re launched.
- Log Management: Enabled
  - Allowed Log Files: 30
  - Keeps a healthy history of update logs for troubleshooting and auditing.
- GPO Management Activation: Enabled
  - Allows centralized control via Group Policy.
- Notification Level: Enabled
  - Mode: Full (Default)
  - Users receive a clear notification upon login, keeping them informed without overwhelming them.
User Experience
With this setup, users log in and receive a notification like the one below. It’s unobtrusive, informative, and ensures transparency in the update process.

Lessons Learned
- Timing is everything: Updates at logon strike a good balance between control and convenience.
- Logging is essential: Keeping 30 logs has helped me trace issues quickly.
- User communication matters: Notifications reduce confusion and support tickets.
Final Thoughts
WAU has become a reliable part of my system administration toolkit. It’s not perfect, but with thoughtful configuration, it can significantly reduce the overhead of manual updates and improve the overall user experience.
If you’re considering WAU, I’d recommend starting with logon-based updates and gradually refining your setup based on user feedback and system performance.
Huge thanks to Romanitho for their excellent work on what I would consider an essential tool in every sysadmin’s kit.