In this blog post I will be outlining some of the possibilities you have in Microsoft Endpoint Manager (aka Intune) in terms of application deployment on Windows devices and in which contexts you would want to use the different methods. I won’t be going too in-depth on all the technical setup as it’s already been covered extensively online.
Packaging and deploying
There are currently several ways of packaging and deploying apps through Endpoint Manager, both natively and third-party. Initially third-party solutions were more reliable and robust, but with the introduction of the Windows Package Manager and the general improvements to Endpoint Manager you can easily deploy apps without acquiring a third-party solution.
winget – Windows Package Manager
Winget 1.0 was released in May 2021 and is effectively an official Microsoft version of third-party package managers such as Chocolaty, PatchMYPC, etc. Other package managers have had a head start over Winget and as such you might find certain features or packages missing, but if you were starting fresh, I would consider sticking to winget.
If you go for a different solution you might wish to replace it when winget is fully integrated in Endpoint Manager. In addition, I imagine most security departments would find it easier to approve of an official Microsoft product rather than acquiring a third-party solution, especially when it comes to software installation.
No longer need to maintain simple packages that take up a lot of time, and instead focus on either custom applications or other tasks.
The main benefit of Winget is that you no longer need to maintain simple packages that take up a lot of time, and instead focus on either custom applications or other tasks. You don’t even need to deploy a client to your devices as it now comes pre-installed on Windows 10 and 11.
You push a simple command line to your devices and instead of having to manually package and deploy applications, everything should work straight away. It’s also beneficial to deploy a scheduled task or create a proactive remediation script in Endpoint Manager that runs the “upgrade” command to keep your applications up to date. If you were using the Win32 Content Prep Tool, you’d have to create a completely new package whenever there was an update. When you’ve deployed an application to the Company Portal or assigned it to your devices, you never have to worry about it again.
If you have certain applications you’re wary about updating, due to compatibility issues for instance, you can specify which apps to update instead of running an “upgrade all” command.
Note: the “Winget upgrade –all" command will not only update packages installed through winget, but also any applications it discovers on the device that are also present in the repository.
Winget – Intune integration
Currently there’s no integration with Intune/Endpoint Manager, but it’s expected to be released in early 2022 and is on the roadmap for the upcoming versions of winget after the release of 1.2 (current version is 1.1).
There’s no information about what this integration will entail exactly.
As of right now you should still use the Win32 Content Prep Tool to deliver the winget command, as it’s the best way to display software in the Company Portal and it gives you a better overview of your current applications. You simply package a PowerShell script with the winget command using the Content Prep Tool and make it available to your users. Hopefully, the integration coming in 2022 will eliminate the need for this method and make it possible to deploy solely through the Endpoint Manager console and display apps in the Company Portal.
At any rate it’s worth keeping an eye on the developments, as this seems to be the future of application deployment in Endpoint Manager and the Windows platform.
With the deprecation of the Windows Store for Business/Education coming up in early 2023, winget is the natural successor and with version 1.1 released in October 2021 you can install applications from the Windows Store. This also means that you should avoid deploying any apps using the Windows Store for Business in Endpoint Manager and look to migrate over any apps you’re pushing from there currently. This might be a good place to start testing winget.
Until recently the best way to create and deploy custom packages in Endpoint Manager has been using the Win32 Content Prep Tool, but with the release of winget you can host your own private repository and query it just like the official Microsoft repository. An argument can be made as to why you would bother maintaining your own repository when you have to create the packages and deploy them anyway, but in general I would argue it’s easier to organize, update and test when you don’t have to work with the Win32 Content Prep Tool. Like mentioned earlier you would still use the Prep Tool to deploy the command line, but hopefully this won’t be necessary with the upcoming integration. It does require some groundwork, but if you have a somewhat large collection of applications not available on the official repository it might be worth the configuration needed.
Deploying a simple app In this short example I’ll show the basic steps to deploying WinRAR using winget and Endpoint Manager
Search for the app using “winget search WinRAR”
Locate the ID, in this case it’s “RARLab.WinRAR”
Make a PowerShell script containing the command “winget install --id RARLab.WinRAR --exact --silent .”
Package the .PS1 file using the Win32 Content Prep Tool
Upload the .intunewin file to Endpoint Manager, make sure you install it in a user context
Assign it as required or available to the users of your choice