Skip to content

Latest commit

 

History

History
138 lines (112 loc) · 9.12 KB

README.md

File metadata and controls

138 lines (112 loc) · 9.12 KB

WinGet-Wrapper

PowerShell Scripts to deploy and bulk import WinGet packages to InTune including metadata.
Automatically detect latest version using dynamic detection script.
Detection script checks local installed version against latest winget available version or a defined fixed target version.
Bulk import WinGet packages to InTune including WinGet package metadata using WinGet-WrapperImportGUI.exe

  • Dynamically finds the WinGet directory to be used under System Context.
  • Kill selected process before WinGet command
  • Allows running pre and post script before installation
  • Detection script that dynamically finds latest package available trough WinGet
  • Requirement script to allow creating packages for update purposes only
  • Logs to $env:ProgramData\WinGet-WrapperLogs (Usually C:\ProgramData\WinGet-WrapperLogs)
  • Dynamically detect if running in user or system context
  • Performs automatic cleanup of log files older than 60 days.
  • Directly import and deploy WinGet packages to InTune including WinGet package metadata

Background / Why?

WinGet have a few limitations in terms of automation and is not integrated with common endpoints management products.
System Context is not possible by using "winget" as the .exe location must be found and this location is not static due to versioning in the directory name.

Requirements

Windows 10 20H2 or newer
Powershell 5.1
Client language must be en-US, as Winget-Wrapper parses only English output.
Module "IntuneWin32App" and "Microsoft.Graph.Intune" needed for import to InTune

WinGet-WrapperImportGUI.exe

WinGet-WrapperImportGUI is a graphical interface designed to streamline the import of WinGet packages into InTune.
This tool complements WinGet-Wrapper, providing an intuitive way to upload WinGet packages to InTune, along with their metadata.

Features:

  • Search and Select: Seamlessly search for WinGet packages, get detailed info and package versions.
  • InTune Integration: Import selected WinGet packages directly into InTune for deployment.
  • CSV Support: Export and import packages using CSV files, facilitating batch operations.

image

Usage:

Open the GUI: Run WinGet-WrapperImportGUI.exe to open the GUI
Search Packages: Enter your search query and click "Search" to find WinGet packages.
Select Packages: Select from search results, then click the center arrow to move them to the import list.
Adjust: Select target version if required, UpdateOnly, Installation context, etc.
Import to InTune: Enter your Tenant ID and click "Import to InTune" to import selected packages.
Additional Actions: Use buttons for exporting CSV, deleting, or importing from CSV.

WinGet-Wrapper.ps1

image

Usage:

Powershell.exe -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File WinGet-Wrapper.ps1 -PackageName "PackageName for log file" -StopProcess "kill process using Stop-Process (do not add .exe)" -PreScript "somefile.ps1" -PostScript "somefile.ps1" -ArgumentList "Arguments Passed to WinGet.exe"

WinGet-WrapperDetection.ps1

Matches locally installed version with newest available version using WinGet or specified version using $TargetVersion
Can be setup to accept newer installed version locally $AcceptNewerVersion

image

WinGet-WrapperRequirements.ps1

Checks if application is detected locally. If not detected will not attempt update/install
To be used when only wanting to update if application is already installed. (Update Only)

image

Outputs either "Installed" or "Not Installed"

image

WinGet-WrapperImportFromCSV.ps1

Imports packages from WinGet to InTune (incuding available WinGet package metadata)
Package content is stored under Packages\Package.ID-Context-UpdateOnly-UserName-yyyy-mm-dd-hhssmm
Create deployment using csv columns: InstallIntent, Notification, GroupID

image

Usage: Import from CSV (InTune)

Open the sample CSV file WinGet-WrapperImportFromCSV.csv and add any WinGet Package IDs to import (Case Sensitive)

Usage:

WinGet-WrapperImportFromCSV.ps1 -TenantID company.onmicrosoft.com -csvFile WinGet-WrapperImportFromCSV.csv -SkipConfirmation

Process:

image

Results:

image

Columns:

  • PackageID = Exact PackageID (Required)
  • Context = Which context the Win32App is run under (Machine or User) (Required)
  • AcceptNewerVersion = Allows newer installed version locally than specified (Set to 0 or 1)(Required)
  • UpdateOnly = Update package only. Application will only update if application is already installed (Set to 0 or 1)(Required)
  • TargetVersion = Specfic version of the application. If not set, the package will always be the latest version
  • StopProcessInstall = Kill a specific process (Stop-process) before installation (.exe should not be defined)
  • StopProcessUninstall = Kill a specific process (Stop-process) before uninstallation (.exe should not be defined)
  • PreScriptInstall = Run powershell script before installation
  • PostScript = Run powershell script after installation
  • PreScriptUninstall = Run powershell script before uninstallation
  • PostScriptUninstall = Run powershell script after uninstallation
  • CustomArgumentListInstall = Arguments passsed to WinGet (default: install --exact --id PackageID --silent --accept-package-agreements --accept-source-agreements --scope Context
  • CustomArgumentListUninstall = Arguments passsed to WinGet (default: uninstall --exact --id PackageID --silent --accept-source-agreements --scope Context
  • InstallIntent = Available or Required deployment
  • Notification = Notification level on deployment - Valid values: showAll, showReboot, hideAll
  • GroupID = InTune GroupID to deploy package to

Usage: Manual Import (InTune)

Application Installation

In InTune create an Windows app (Win32) and upload WinGet-Wrapper.InTuneWin as the package file.

Install: Powershell.exe -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File WinGet-Wrapper.ps1 -PackageName "VideoLAN.VLC" -StopProcess "VLC" -ArgumentList "install --exact --id VideoLAN.VLC --silent --accept-package-agreements --accept-source-agreements --scope machine"

Uninstall: Powershell.exe -NoLogo -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File WinGet-Wrapper.ps1 -PackageName "VideoLAN.VLC" -StopProcess "VLC" -ArgumentList "Uninstall --exact --id VideoLAN.VLC --silent --accept-source-agreements --scope machine"

Change the $id variable to match the package id in the detection script and upload it ($id = "VideoLAN.VLC")
If specific version is required change the $TargetVersion (Ex. $TargetVersion = "1.0.0.0")

image

Application Update Only

For creating application that will only update/install if application is already installed
Perform the same steps as in "Application Installation".
Setup Requirement rule script with return string value of "Installed"

image

image

Is Winget Safe to Use in Enterprise?

Winget (Windows Package Manager) is generally safe for enterprise use due to the following security features:

  • Package Verification: Utilizes hash checks to ensure package integrity.
  • Microsoft Vetting: Packages undergo thorough testing and scanning before approval.
  • Manual Approvals: Human oversight adds an extra layer of security.
  • User Controls: Enterprises can restrict installations through whitelisting.
  • Regular Updates: Active maintenance and community involvement enhance security.

Overall, Winget is a secure option for enterprises, especially when proper management practices are implemented. Continuous monitoring is key to maintaining security.

Disclaimer

While Winget provides various security measures, no software management tool is entirely risk-free. Organizations should continually assess their security posture and policies when using Winget or any other software deployment tool.

This software is provided "AS IS" with no warranties. Use at your own risk.