I want to make Windows clients at my workplace more secure by using software obtained with winget and have it automatically updated on a regular schedule. I have a Linux (Gentoo and Debian) background.
In the majority of cases the users are AD users without Administrator rights, so they cannot do winget upgrade --all in PowerShell. My idea was to create a scheduled task which runs as the SYSTEM user, but unfortunately a PowerShell spawned that way cannot access winget, reporting that this cmdlet cannot be found.
I recently saw WAU (Winget-AutoUpdate). I did not try it myself yet. Can it do the job? What are you doing to maintain 50+ Windows clients with users that are not Administrators on their system and lack the knowledge to update software besides what Windows 11 does for them out of the box?
Interestingly, there does not seem to exist anything on Windows that is as easy as cron, systemd timers or unattended-upgrades. And, in most cases, users of Linux clients get sudo rights, because you can expect some basic knowledge about the package manager. On the other hand it wouldn't strictly be necessary if they are not devs and need only a static set of software. The beauty of having it all in one repo + flatpaks in user space makes it all possible on Linux.
Even with winget, which is a great relief on Windows, btw., OS updates are separate from app updates; basically only "flatpak", but without native auto-updates.
One additional remark: the apps need to be preinstalled before a new AD user logs on; I have to use --scope machine with winget. Users should not be bothered installing software themselves, not even with winget install --scope machine.
I'd like to read what you are using, and I hope it can be done without spending money on it. An open source solution is preferred.
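An added example, not from the thread or from WAU: the winget command is an app execution alias registered per user, which is why a PowerShell started as SYSTEM reports that it cannot be found. The script below resolves winget.exe from its package folder under WindowsApps instead, upgrades only an allow-list of machine-scope packages unattended, and registers itself as a daily SYSTEM task. The allow-list contents, task name and script path are assumptions.

```powershell
# Added example (not from the thread). Assumes App Installer (winget) is present on the
# machine and that this file is saved as $ScriptPath. Run once elevated with -Register
# to create the task; the task then runs the file without arguments as SYSTEM.
param([switch]$Register)

$ScriptPath = "$env:ProgramData\WingetUpgrade\upgrade.ps1"   # assumed location
$TaskName   = 'WingetUpgradeAll'                              # assumed task name
# Only packages that were vetted are upgraded (constructed allow-list; adjust to taste).
$AllowList  = @('Mozilla.Firefox', '7zip.7zip', 'VideoLAN.VLC')

# SYSTEM has no per-user alias, so locate winget.exe in its package folder and pick
# the newest version by parsing the folder name (Microsoft.DesktopAppInstaller_<ver>_...).
function Resolve-WingetPath {
    $pattern = "$env:ProgramFiles\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe"
    $found = Get-Item -Path $pattern -ErrorAction SilentlyContinue |
        Sort-Object { [version]($_.Directory.Name.Split('_')[1]) } -Descending
    if (-not $found) { throw 'winget.exe not found under WindowsApps; App Installer is missing.' }
    return $found[0].FullName
}

# Unattended machine-scope upgrade of each allow-listed package. --exact avoids
# matching a similarly named package, and the agreement flags suppress prompts.
function Invoke-AllowListedUpgrade {
    $winget = Resolve-WingetPath
    $common = @('--exact', '--silent', '--scope', 'machine',
                '--accept-package-agreements', '--accept-source-agreements',
                '--disable-interactivity')
    foreach ($id in $AllowList) {
        Write-Output "[$(Get-Date -Format s)] upgrading $id"
        & $winget upgrade --id $id @common
        Write-Output "[$(Get-Date -Format s)] $id exit code $LASTEXITCODE"
    }
}

# Daily task running as SYSTEM, so no user needs admin rights or a logon session.
function Register-UpgradeTask {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '12:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

if ($Register) { Register-UpgradeTask } else { Invoke-AllowListedUpgrade }
```

Redirect the task's output to a log file (e.g. via the -Argument string) so that failed upgrades of a specific package are visible without logging on to each client.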
Have you looked at Chocolatey?
No, thx, I’ll check it out.
I can vouch for WAU. Been using it for over a year now on 8k+ PCs for around 100 different apps. Using app whitelist via GPO/Intune to ensure only apps we have tested are included in updates. You may find challenges with some apps that have custom things like network license servers (JetBrains) not correctly working with this automation. Some apps are tricky as they aren't capable at system level since they install into %appdata%, so we install those at the user level deployment in SCCM.
One issue I see is that if you are on Win11, these updates don't start processing until at least one user has logged into the system. This is a Windows issue, not WAU. These deployments start installing as soon as they log in and the wait times are pretty short.
Thx for sharing your experience! I think I will try WAU tomorrow. In the meantime I have read it has block/allow lists, too.
At my institution GPO/Intune is not allowed; we have on-premises Active Directory, and my access is restricted to the clients I need to manage.
So far, I could preinstall almost all apps with the --silent flag. I assume that this also means that they will update gracefully as SYSTEM user managed by WAU. Having the updates only applied when any normal AD user without admin rights logs on is not an issue, as long as it works. There is only one specific app to install user certificates; this can stay a manual task after first logon, because it requires user credentials anyway. (:
Don’t do this
You need a proper endpoint management solution