Road to Cyber Essentials: Winget/New Store Apps

Welcome to the sixth post in the series. This time we’re going to talk about Winget and the new application deployment methods in Intune. Winget and the new Store deployment method are a key pillar in CE, ensuring apps are up to date. This post was partially written with Bing Chat Compose.

What is Winget?

Winget is a command-line tool that allows you to discover, install, upgrade, remove, and configure applications on Windows 10/11 PCs. Winget is part of the Windows Package Manager service from Microsoft that provides a centralized repository of curated applications from various sources such as Microsoft Store (UWP/Win32), GitHub (MSIX/AppInstaller), Chocolatey (EXE/MSI/NuGet), etc.

You can use Winget to install applications by specifying their name or ID from the repository. For example:

winget install vscode

This command will install Visual Studio Code on your PC using the default installer source. You can also specify a different source by using the --source option. For example:

winget install vscode --source winget

This command will install Visual Studio Code using the winget source which contains MSIX/AppInstaller packages.

You can also use Winget to search for applications by using the search command. For example:

winget search vscode

This command will show you all the available packages that match vscode in their name or description.

In addition to install and search commands, Winget provides other commands such as show (to display details on applications), list (to display installed applications), upgrade (to upgrade outdated applications), uninstall (to remove installed applications), settings (to configure winget options), source (to manage sources of packages), validate (to validate manifest files for packages), etc.

How do Intune and Winget work together?

Intune has recently introduced a new app type called Microsoft Store app that leverages Winget as the client interface tool. This app type allows you to deploy both UWP and Win32 apps from the Microsoft Store catalog using Winget commands. This app type features an expanded catalog of apps that includes both UWP apps and Win32 apps.

To deploy a Microsoft Store app using Intune, you need to follow these steps:

  1. Create a new app in Intune with the type Microsoft Store app.
  2. Search for the app by name. Note that not all apps will show up or are currently supported by Intune.
  3. Add a logo
  4. Set if the app is a User or System app (system apps can be installed during OOBE)
  5. Assign the app to your target groups with the required or available intent.
  6. The devices will receive the policy from Intune and execute winget commands to install the app from Microsoft Store.

What are the benefits of using Intune and Winget together?

By using Intune and Winget together, you can enjoy several benefits such as:

  • Simplified app deployment: You don’t need to upload any files or create any detection rules for deploying Microsoft Store apps.
  • Expanded app catalog: You can access more than 10K UWP and Win32 apps from Microsoft Store catalog using winget commands.

The “Intune Win32 Deployer”

If you are looking for a way to deploy Win32 applications to your devices using Microsoft Intune, you might be interested in the FlorianSLZ/Intune-Win32-Deployer – Github tool. This tool allows you to easily and automatically transform Windows Package Manager (winget) and Chocolatey installations into Intune-compatible Win32 applications (intunewin) and upload them directly to your Microsoft Endpoint Manager (MEM) environment. In this blog post, I will give you an overview of the features and benefits of this tool, as well as a step-by-step guide on how to use it.

Features and Benefits

The “Intune Win32 Deployer” tool has several features and benefits that make it a convenient and efficient way to deploy Win32 applications with Intune. Some of them are:

  • It supports both 32-bit and 64-bit operating system architecture for Windows applications.
  • It can automatically create the required dependencies for winget and chocolatey applications, such as the Windows Package Manager itself.
  • It can generate intunewin files without uploading them to Intune, if you prefer to do it manually or use another tool.
  • It has a simple and intuitive graphical user interface (GUI) that guides you through the process of adding, creating, and deploying applications.
  • It uses PowerShell scripts under the hood to perform the tasks, which means you can customize them if needed.

Installation

To install the “Intune Win32 Deployer” tool, you need to download the complete current GitHub repository from FlorianSLZ/Intune-Win32-Deployer – Github and run the file “INSTALL_Intune-Win32-Deployer.ps1” in the top level with PowerShell (right-click). This will copy the program files to your local AppData folder and create a shortcut in the start menu.

Alternatively, you can also download an executable file from https://github.com/FlorianSLZ/Intune-Win32-Deployer/releases and run it as administrator.

Usage

To use the “Intune Win32 Deployer” tool, follow these steps:

  1. Launch the tool from the start menu or by double-clicking on its executable file.
  2. Click on the “Add Application” button to add a new application. You can choose between winget or chocolatey as source type.
  3. Enter a name for your application and select its category from the drop-down list.
  4. Enter or paste the installation command for your application in winget or chocolatey format. For example: `winget install vscode` or `choco install firefox`.
  5. Optionally, enter or paste an uninstallation command for your application in winget or chocolatey format. For example: `winget uninstall vscode` or `choco uninstall firefox`.
  6. Optionally, enter some additional information about your application such as description, publisher name, version number, icon URL etc.
  7. Click on the “Create Application” button to generate an intunewin file for your application based on its source type.
  8. Optionally, click on the “Upload Application” button to upload your intunewin file directly to your MEM environment using Graph API authentication.
  9. Repeat steps 2-8 for any other applications that you want to deploy with Intune.

The “Intune Win32 Deployer” tool is a handy solution for deploying Win32 applications with Intune using winget or chocolatey sources. It simplifies and automates the process of creating intunewin files and uploading them to your MEM environment without requiring any coding skills or complex configurations.

The tool installs into

%localappdata%\Intune-Win32-Deployer\

I’d recommend testing the install.ps1 file for each package you create to see if it installs correctly. We’ve found that occasionally this parameter from install.ps1 needs to be removed and the install.intunewin repackaged. You’ll know to do this if you get installer not found.

Remove from line 20 of install.ps1.

--scope=machine

To repackage you then run the following in PowerShell (replacing %appname% with the folder name):

& "$env:localappdata\Intune-Win32-Deployer\ressources\IntuneWinAppUtil.exe" -c "$env:localappdata\Intune-Win32-Deployer\apps-winget\%appname%" -s install.ps1 -o "$env:localappdata\Intune-Win32-Deployer\apps-winget\%appname%" -q

You can then replace that install.intunewin file in the app.

Gotchas

One of the gotchas we’ve found with the Intune Win32 Deployer has been multiple Wingets. To solve this you can do a proactive remediation to force install the latest App Installer using https://aka.ms/getwinget. You can find the detection and remediation script files in our Intune scripts GitHub: intune-scripts/AppInstaller-Update at main · Eduserv/intune-scripts (github.com).

In the Eduserv/intune-scripts (github.com) you can find additional resources to assist with your Intune journey.
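
A detection and remediation pair for the multiple-Wingets gotcha could look like the following. This is an added example, not the scripts from Eduserv/intune-scripts. It assumes that “multiple Wingets” means more than one registered version of the Microsoft.DesktopAppInstaller package and that the script runs as SYSTEM; $MinVersion and $Mode are placeholder settings introduced here.

```powershell
# Added example, not the Eduserv/intune-scripts code. Runs as SYSTEM from an
# Intune proactive remediation: detection exit 1 triggers the remediation.
$PackageName = 'Microsoft.DesktopAppInstaller'
$MinVersion  = [version]'1.0.0.0'  # PLACEHOLDER: oldest App Installer version you accept
$Mode        = 'Detect'            # 'Detect' in the detection file, 'Remediate' in the other

function Get-AppInstallerIssue {
    # Returns $null when compliant, otherwise a one-line reason for the Intune report.
    $versions = @(Get-AppxPackage -AllUsers -Name $PackageName |
        ForEach-Object { [version]$_.Version } | Sort-Object -Unique)
    if ($versions.Count -eq 0) { return 'App Installer is not registered for any user' }
    if ($versions.Count -gt 1) { return "Multiple App Installer versions: $($versions -join ', ')" }
    if ($versions[0] -lt $MinVersion) { return "App Installer $($versions[0]) is older than $MinVersion" }
    return $null
}

function Install-LatestAppInstaller {
    $bundle = Join-Path $env:TEMP 'Microsoft.DesktopAppInstaller.msixbundle'
    Invoke-WebRequest -Uri 'https://aka.ms/getwinget' -OutFile $bundle -UseBasicParsing
    try {
        # Only provision a bundle that carries a valid Microsoft signature.
        $sig = Get-AuthenticodeSignature -FilePath $bundle
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
            throw "Download rejected, signature status: $($sig.Status)"
        }
        # Assumes the framework packages App Installer depends on are already present.
        Add-AppxProvisionedPackage -Online -PackagePath $bundle -SkipLicense -ErrorAction Stop | Out-Null
    }
    finally { Remove-Item $bundle -Force -ErrorAction SilentlyContinue }
}

if ($Mode -eq 'Remediate') {
    try { Install-LatestAppInstaller; Write-Output 'Latest App Installer provisioned'; exit 0 }
    catch { Write-Output "Remediation failed: $_"; exit 1 }
}
$issue = Get-AppInstallerIssue
if ($issue) { Write-Output $issue; exit 1 }
Write-Output 'App Installer compliant'
exit 0
```

Save it twice, once with $Mode set to 'Detect' and once set to 'Remediate'; the one-line reason written by the detection copy appears in the remediation's device status report in Intune.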

Closing

In closing, the new Store deployment method and Win32 apps in general are a huge improvement to app installation on Windows. Gone are version-locked MSI installers, gone are manually updating the installers, gone is the Store for Business. Obviously you need to deploy Company Portal, which you do with the Store deployment.

For help and support reach out to your Jisc Relationship Manager, or cloud@jisc.ac.uk.

More to come in the series.

By Nick Brown

Senior M365 Developer and Architect @ Jisc Cloud Solutions.
Find me on twitter @techienickb

2 replies on “Road to Cyber Essentials: Winget/New Store Apps”

I use it on my personal laptop, but it will only auto update apps in the context it’s running out of. We use Proactive Remediations instead to also give reporting back into Intune
