Gareth Oxendine
Using Intune and Winget to Install, Uninstall, and Update Windows Applications
Updated: Aug 11
If you are like me, you are responsible for installing, updating, and uninstalling applications on devices at your company. There are several ways to perform these tasks. This article will go over a built-in Windows command line tool called winget. Knowing how to use this command line program will add another tool to your "endpoint management tool belt."
The winget command line tool enables users to discover, install, upgrade, remove and configure applications on Windows 10 and Windows 11 computers. This tool is the client interface to the Windows Package Manager service. — Microsoft
Table of Contents
Prerequisites
Before deploying PowerShell scripts using the winget command, take note of the following prerequisites.
Always try to run the winget command in an elevated PowerShell shell. If the users of the devices are local administrators, then you can run the script under the user context.
Winget may not run correctly if executing the PowerShell script under the system context. If possible, try to run it as the user. If the user is not an administrator, you may want to consider another alternative to managing the application if the test fails.
Installing Applications
Step 1: Retrieve the App ID and Source
Before you can install an application, you first need its app ID as well as the source of the application [there are two primary sources for applications: winget and the Microsoft Store (msstore)]. Use the command below on your computer first to find the ID and source:
winget search "app_name"
Below are two examples where I used the winget search command to find the ID and source.
In the first example, the ID is Google.Chrome.EXE and the source is winget. In the second example, the ID is XPFFZHVGQWWLHB and the source is msstore.
Step 2: Create the Script
Now that you have the app ID and the source, you can create a PowerShell script to install the application using the command below:
winget install -h --id "app_id" [--source "source"] --accept-source-agreements --accept-package-agreements
-h: silent install
--id: copy and paste the app ID you retrieved in step 1
--source: optionally, copy and paste the source you retrieved in step 1
--accept-source-agreements: force the computer to accept Microsoft's Store policy if the source is "msstore." If this flag is not used, the script may stop and request the user to accept the policy.
--accept-package-agreements: force the computer to accept the license agreement. If this flag is not used, the script may stop and request the user to accept the policy.
Below is an example PowerShell command to install Google Chrome.
Step 3: Upload and Deploy the Script
Open the Endpoint Manager (Intune) portal.
Select Devices in the left-hand menu blade then select Windows.
Select Scripts and remediations then select the Platform Scripts tab.
Select + Add (see below).
Uninstalling Applications
Step 1: Create the Script
Use the following command to uninstall applications:
winget uninstall -h --id "app_id" [--version "version"]
-h: uninstall silently
--id: the application ID; if you do not know it:
Use the winget list "app_name" command if the application is installed on your machine.
Use the winget search "app_name" command if the application is not installed on your machine.
Note: if no ID is listed in the output, then use the app name instead, replacing the --id parameter (Ex. winget uninstall -h OneNote)
--version: optionally, you can specify which version of the application to uninstall
Below is an example PowerShell script used to uninstall Chrome. To prevent your PowerShell script from having any errors, use the if statement to check if Chrome is installed first.
Step 2: Upload and Deploy the Script
Open the Endpoint Manager (Intune) portal.
Select Devices in the left-hand menu blade then select Windows.
Select Scripts and remediations then select the Platform Scripts tab.
Select + Add.
Updating Applications
You can also use winget to update an application. A use-case for this could be forcing an update on an application that your end-users installed themselves.
Step 1: Create the Script
Use the following command to upgrade an application:
winget upgrade -h --id "app_id" [--source "source"] --accept-source-agreements --accept-package-agreements
-h: upgrade silently
--id: you must provide the app ID; if you do not know it:
Use the winget list "app_name" command if the application is installed on your machine.
Use the winget search "app_name" command if the application is not installed on your machine.
--source: optionally, provide the source of the application
--accept-source-agreements: force the computer to accept Microsoft's Store policy if the source is "msstore." If this flag is not used, the script may stop and request the user to accept the policy.
--accept-package-agreements: force the computer to accept the license agreement. If this flag is not used, the script may stop and request the user to accept the policy.
Below is an example PowerShell script used to update Chrome. To prevent your PowerShell script from having any errors, use the if statement to check if Chrome is installed first.
Step 2: Upload and Deploy the Script
Open the Endpoint Manager (Intune) portal.
Select Devices in the left-hand menu blade then select Windows.
Select Scripts and remediations then select the Platform Scripts tab.
Select + Add.
Troubleshooting Scripts that use Winget
After you deploy a PowerShell script that contains a winget command, you may receive errors in Endpoint Manager. Below are common errors along with potential causes/resolutions.
User Account Control (UAC) Prompt
If your users receive a UAC prompt from the script with the winget commands, then the user is most likely not a local administrator.
Error 1603
You may receive this error for any of the following reasons provided by Microsoft.
Windows Installer is attempting to install an app that is already installed on your PC.
The folder that you are trying to install the Windows Installer package to is encrypted.
The drive that contains the folder that you are trying to install the Windows Installer package to is accessed as a substitute drive.
The SYSTEM account does not have Full Control permissions on the folder that you are trying to install the Windows Installer package to. You notice the error message because the Windows Installer service uses the SYSTEM account to install software.
Another potential cause is the script is being deployed under the user context and the user is not a local administrator.