Created a weekly Scheduled Task to Run WINGET as SYSTEM & update all applications using a "portable" winget

[ebosche-OL]

Hello all,

I have been experimenting with winget for a few months bc it looked like a great solution to the horribly neglected task of keeping all the applications on workstations up to date, no matter if they're managed or not. I have about 200 windows workstations, & a lot of users who have an elevated account they can use to install software, so we have a lot of unmanaged/shadow IT in the environment. I'm working to clean all that up, but I wanted as a first step to somehow simply keep all those applications up to date, managed or not, and winget looked perfect for doing that.

Ideally, I wanted to pushout winget via Intune, and create a scheduled task to use winget to update everything 1 or 2 times per week.
I ran into the issue that winget can't be run under SYSTEM bc it seems that the directory where it installs isn't accessible by SYSTEM. I have been using a work-around that allows me to run winget.exe as SYSTEM by a scheduled task, I simply copied some necessary files out into a different directory and have SYSTEM run that instance of the exe, which so far has been working great to keep a lot of the applications on the workstations up to date.

I put the files in C:\CyberSec\WINGET\Application, and made a scheduled task to run this (and a few other commands)

C:\CyberSec\WINGET\Application\winget.exe upgrade --all --accept-package-agreements --accept-source-agreements --nowarn --disable-interactivity --include-unknown >> C:\CyberSec\WINGET\WinGet_Update_Sch-Tsk.log

A lot of those files likely aren't needed, but didn't bother with pruning it down to just the necessary ones since together they're <13 MB.

It is now run by a scheduled task that runs 1/wk

It doesn't have all the scripts and doesn't log to the default log at all , but it does the functions I want. Outputting the command line to a file results in a usable log of the task's results also.

It's a bit clunky, but so far has been working great on our workstations for about a month.

Has anyone else done this?
Are there any issues I should be concerned about?
Any headaches I'm going to run into?

[davidldennison]

Good stuff! I wouldn't include --include-unknown because sometimes winget doesn't know the actual version and will still try to install/upgrade that package even if it is still up to date. I've seen this mess up a few installs previously.