PBI = Power BI? This sounds complicated, but maybe still possible. The Storage account, is that in Azure? Either way the script must have permission there, and if you put credentials or an API token or alike in the script, it will be in clear text for a short while on the client itself. First the script needs to create the data, that is easy, then connect to the storage with credentials (risky)... yeah could work but hmmm doesn't sound optimal for this use case
@@IntuneVitaDoctrina This guy has done something similar to what we need, but too difficult for me to follow without some script examples: ruclips.net/video/JOYcOmJOk6k/видео.html
If the process locks the file then no, but you can write to a Database that handles it or a queue system, but now we are way out of Intune and Remediation scripts, so maybe we are complicating things too much :) Do you have any other system that can pick up data? Like Splunk?
My problem is that the company is very decentralised and not all clients are configured using Intune, they are however all enrolled in Intune now, but the reporting is rather difficult to get out. At Group level, this is what we are trying to get hold of and visualise using Power BI. I don't have Splunk, but can set up most other common and easily managed Azure services. We would like to see Firewall status (this one you can actually export fine, would like it automatic though), OS Patch status and Bitlocker. The last 2 are problematic.
When you deploy a software update using Proactive Remediations and Winget, the original app uninstall location in the registry is removed. How can you uninstall software, using Intune, that was updated using winget? What is the uninstall command? Or would you have to create another Proactive Remediation to uninstall the software?
Good question, so Winget.exe has uninstall, if you installed with Winget it will always work to uninstall, if not installed with Winget you might need to add a line like
(Get-WmiObject -Classname Win32_Product | Where-Object Name -like 'NameOfSoftWareToRemove*').Uninstall()
But if installed with Winget you can run winget uninstall, got an example for 7-Zip down here:
### Software Remediation Remove 7-Zip
### Author: John Bryntze
### Date: 4th July 2023

## Variables
$JBNAppID = "7zip.7zip"

## Help System to find winget.exe
Set-Location -Path ("$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe")

## Run uninstall of the software
.\winget.exe uninstall -e --id $JBNAppID --silent --accept-source-agreements
Thank you so much, got a series of videos under production, unfortunately the next coming are specific for Oracle Java 8 users that need to load Java in browser, it will not apply to everyone but those who need it will like those videos. For non-Java 8 users there will still be some videos in there that are useful for everyone, like IE mode and some package/winget stuff. My goal is to release one video per month but lately it has been two or more, see if I can keep up with that :) it is fun! thanks again!
Hi John, and maybe someone else had and fixed this issue. I'm pushing your detection/remediation scripts to my machines (Zoom app) and around 70% are upgraded OK. For the rest of them I see in the logs that detection fails (PowerShell exit code is 1), which means it should proceed to remediation and upgrade, but it never happens (I don't see remediation run) or sometimes the AgentExecutor log says it did run and with exit code 0, but I'm pretty sure it didn't, as I have my custom logs in the script, and I don't see them being generated. So I'm just wondering if someone else got a similar issue, and second question: will the remediation script actually execute if for example the Zoom app/process is actually running, or will it drop it and attempt to upgrade next time? Thanks all.
Great job Oleg, I would remote to one of those devices failing and run both scripts manually or from SYSTEM with the help of psexec -i -s to see what output you get from the variables.
@@IntuneVitaDoctrina on most of them running it manually will just work fine, but what's interesting is that on some of them when I run .\winget.exe list or upgrade it doesn't give me any output, instead I can install or uninstall using --id. Looks like a winget issue. Do you know if there is a way to re-install/uninstall Winget? Initially I tried to push it using the new store app, but ran into some issues and am pushing it now as a Win32 app. Some of the machines have it under two locations. So just wondering whether that initial install causes some issue and if I can clean them up and reinstall? Thanks again for your patience about my stupid questions :)
Yes I have had some older devices not giving any output, annoying, fixed it from this link: github.com/microsoft/winget-cli/issues/2748 basically a newer version of Visual C++ Redistributables was needed, read in the comments of the link above the post from "rozmansi commented on Jan 30" that fixed it for me, hope it does for you and I strongly believe so
Hi, interesting. Is the app itself installed under c:\program files? Or under user profile or elsewhere? If you let me know which app it is, the wingetID, I'll take a look. You could do the upgrades for them, by running a remediation script every day, and have SYSTEM update it, unless like you say it is a user app, but user apps normally don't require local admin as they are installed in the user's own space. Please give me more info and I'll do my best to help you
@@IntuneVitaDoctrina I am pushing through MDM Jump Cloud with all usable switches it downloaded the required updates at the installation ask for non admin users to provide password like I update Adobe Acrobat Reader
Thank you so much, it is one of my own favorite videos also, I love Winget, crazy about it, and also love Remediation Scripts, so those two together are so powerful for a lot of things :)
Good question, I checked on my own device and I don't have any saying "unknown" but know that can happen, when you run the 'winget list' for that software, and it shows unknown does it still have the header available ? if so it will work, else there is an easy way to expand the script to pick up the unknown value and action that also
@@IntuneVitaDoctrina I just tried installing one app (visual studio code) that has "unknown" value in Version column when running (winget search "Visual Studio Code") But after installing, it shows up with "Microsoft Visual Studio Code (User)" and has a specific version when running "winget.exe list". So the script would work fine with it. Thank you very much! May I have your idea on how to use winget to upgrade apps silently if the app is installed with user context, meaning that the app does not show up when running "winget list" but it is located in user profile (e.g: AppData\Local\Programs)?
@@IntuneVitaDoctrina I tried installing one app (visual studio code) that has version of "unknown" when running winget search "visual studio code". But after installed, it shows up as "Microsoft Visual Studio Code (User)" with "known" version when running winget list. In this case, I suppose the script would work fine with it. Thank you. May I have your idea on how to use winget to upgrade apps that are installed with user context, meaning it could not be found when running winget list, but it is located in user profile, e.g: AppData\Local\Programs\Microsoft VS Code\Code.exe
Great post.. I am getting the same null error with 22h2. It seems Winget desktop app installer is not installed on my tablets. Is there a way to run the install previously in your script? Thank you and your video was great.
Thanks a lot Mike, if you run as a user winget.exe does it like say doesn't exist or you get an output? A pretty common issue is this one, you have winget.exe but it fails running under SYSTEM to get any output, is that what you mean with "null error"? If so the solution is in this thread: github.com/microsoft/winget-cli/issues/2748 But maybe your issue is that winget isn't at all at the system?
@@IntuneVitaDoctrina It was the section under finding winget.exe. "Cannot index into a null array". I also get Unexpected token '.Path' in expression or statement.
That could mean that the device you run it on is missing that path and winget.exe, what OS is it? Windows 11 Professional, Enterprise? or is it Windows 10? is it 22H2?
21H2 is a bit old now, you can install winget.exe (Windows Package Manager), either install it or why not update to 22H2 at least and it should come with it
John you are the Microsoft Intune master. I am learning so many things from your channel. I just had one doubt, can I upgrade Chrome or other applications using this method? I deployed these apps using LOB and Win32 app installation and not with Winget. Do you think this script will work for LOB and Win32 apps upgrade?
Happy to hear Yunus, you can skip the last Oracle Java videos they are very specific for a few people and in general not things you need to know. Thanks for message. If you always want the latest Google Chrome I would use winget.exe, a lot of Organizations use Google Chrome as their app for finance, or sales tools and want to be sure a new update does not break their tool and control the version. If that is the case I would Win32 app package it and control the version. My next video is going to be more about Autopilot but the one after that is going to be how to manage a lot of Google Chrome settings (not with Intune but with a free Google tool)
much possible it doesn't honor the --silent switch, which it should, can send arguments, forgot if it is an EXE or MSI. I will check next time I run it
I love this guy! You are helping me in many ways around Intune my friend ;). But regarding the Winget auto update, you created update remediation + winget for VLC, but does this mean you have to do this for all applications that we have? I mean, those will be a lot of remediation reports as we have a lot of applications installed on some systems. It would be cool if it detects the installed applications and then updates them all as much as possible and accepts all source agreements. Yes, we have a few mandatory apps, but also a lot of apps that users need and are installed via Company portal. These also need to be updated of course, but there has to be a way to make just one remediation + winget scripting right?
Thanks a lot for your comment, you can do a one-liner and update all, it is:
winget.exe upgrade --all --silent
I read that there is a bug that if you got 10 software to update only the first is silent and the other 9 are not but they get installed. Not all works, if you installed TeamViewer with MSI package and Winget takes down an EXE file it will complain, but for home users the 'winget upgrade --all' is a pro-tip to update software.
I do scripts for each software at my work, for several reasons, I like to control what I update, I like to see the stats per app to report to my manager how many got updated and also we got software that we want to control the version because if it introduces new features I don't want the end users to be the first to tell us "Hey why does Outlook now show the icons on the right side instead of before left" or "since the upgrade this add-in stopped to work" etc...
For an enterprise I would recommend not to run the '--all' switch and do them one by one, the template provided in this video makes it go fast, you just change the ID and you are good to go :) for home users or small businesses, sure use the --all switch and check what does not get updated and investigate why.
I think you are making a very valid point there. Thank you for that. I can maybe do a setup for the top 10 important / command applications for on, let's say the Tuesday and an update all version set for on the Thursday. The Thursday will then see that the important apps are already up to date.
Good idea, however don't use Intune's own Software Inventory as a base for success since it can take up to a week before you see changes there (that one is slow) but if you see in ProActive Remediation the stats you can trust them.
Thanks, it will install the latest version if not using the -v switch and then it will show success and not run again. Once installed you can just do a Proactive Remediation Script that runs the same command but you change "install" to "upgrade" and have it run every week or alike. I might do a video about that, I use it a lot at my work
thanks a lot, a huge fan myself of winget.exe and use it also to update existing installations with remediation scripts (got a few videos on that also)
Thanks for a great video… I wanted to update .Net on a few machines which were not having the latest version of it… tried other detection scripts in Intune but they didn't work. I will try your script and check if it works.
Thanks for comment, I update .NET Framework with Windows Update, I wonder if this could be used to have winget.exe update it?
winget.run/pkg/Microsoft/DotNet.Framework.DeveloperPack_4
winget upgrade -e --id Microsoft.DotNet.Framework.DeveloperPack_4
Hi John, thanks a lot for your video, it helped us a lot. I already tried your scripts and it's working fine. Now I want to update Office Apps and I tried your script by just changing the App ID, it gives error "Installer failed with exit code: 17006", when I searched I found that the error means the app is open and needs to be closed. What do I need to add in the script so that it gives users a warning to close the apps which are open or automatically closes the apps so that the upgrade can happen. Your help is really appreciated.
Hi, happy to hear, I have taken another approach on 365 Apps, I send out a normal PowerShell script that runs only once and creates a scheduled task that runs on all devices to update Office regularly, so it prompts user to close apps etc.. Let me know if you want me to do a video about it, else the script is here that you can use:
### Create ScheduledTask to run Microsoft 365 Apps update
### John Bryntze
### 18th April 2023

### Remove the task first if it already exists
if(Get-ScheduledTask -TaskPath "\JBN\*" -TaskName "Microsoft 365 Apps Update*")
{
    Unregister-ScheduledTask -TaskName "Microsoft 365 Apps Update*" -Confirm:$False
}

### Create Scheduled Task if doesn't already exists
if(!(Get-ScheduledTask -TaskPath "\JBN\*" -TaskName "Microsoft 365 Apps Update*"))
{
    $JBNAction = New-ScheduledTaskAction -Execute "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" -Argument "/update USER Displaylevel=true"
    $JBNTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At 5am
    $JBNSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    $JBNTask = New-ScheduledTask -Action $JBNAction -Trigger $JBNTrigger -Settings $JBNSettings
    ### Register under the same \JBN\ task path that the checks above look in
    Register-ScheduledTask -TaskPath "\JBN\" -TaskName "Microsoft 365 Apps Update" -InputObject $JBNTask
    ### Win8 actually sets Windows 10, and StartWhenAvailable make it to run directly after 5am if device is down
    $JBNTaskSettings = New-ScheduledTaskSettingsSet -StartWhenAvailable -Compatibility Win8
    Set-ScheduledTask -TaskPath "\JBN\" -TaskName "Microsoft 365 Apps Update" -Settings $JBNTaskSettings
}
@@IntuneVitaDoctrina thank you so much, I will try the above script, video is always better😀 and useful for others also. I have seen a task scheduler already exists and it is running daily at 3:00 am but still the Office Apps are on an older version.
"hate" is too strong a word for me, but yes I agree it is too slow. It is because Intune is an Enterprise tool and you deploy to 10000 devices etc... but when you deploy to only one... it is sooo long to get feedback unless you check the local logs of course :) For macOS the tool Jamf, it is soo fast! it reports quickly success/failures in console.
#As an alternative way to find path to winget.exe
Set-Location -Path ('{0}\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe' -f $env:ProgramW6432)
I missed this question, sorry, running as System is disabled, if it runs as the logged in user they should already have a path to it so you should just need to call winget.exe, no need for full path
thanks, I noticed the same, it got the 6th of March version and not the 20th.
Zoom Zoom.Zoom 5.13.11835 winget
I'm going to speak to my Zoom rep and ask why they are so late to update version on Winget. Until then you can download the installer and Win32 App package it but I know it is not so fun: zoom.us/client/5.14.0.13888/ZoomInstallerFull.exe?archType=x64
Alternatively I'll look into doing a PowerShell Script that scrapes the download site on the latest version, downloads and installs, that could be another video for my channel also
Hi John, I would like to suggest you this code to find winget folder, it's shorter
$path = Resolve-Path "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe"
Set-Location $(Get-ItemProperty $path).DirectoryName
Thanks a lot Ajax, yours is a lot shorter, better, easier to understand than my code that takes more lines, nice one! I have now started to use a one-liner from another comment on another video that I slightly modified:
Set-Location -Path ("$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe")
also the below would work on all systems that install on C: and got default English names for Program Files
Set-Location -Path ("C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe")
You're truly like a search engine for me about Intune issues and support. Thank you for taking the time to share your knowledge; this is extremely helpful.
Thank you so much for your comment, that made my day! Gives me force to do more videos, thanks
Thank you so much for all your help! You explain scripting in such a way that really helped me understand what was going on! You deserve a million subscribers!!!! You really are an amazing teacher!
Thank you so much! One of the comments that made me the happiest to read - thanks a lot 🙏🏻
Thanks a lot for this. I modified for 7-zip and was the finest.
Will apply the same for other apps.
Keep up the great content.
Well done! yeah of all my 100+ Intune videos I have done, this is the one I like the most personally, it merges two of my favorite things, Remediation Scripts and Winget :)
7-Zip upgrades great, however I noticed sometimes it leaves trace of the previous version so latest is installed but add/remove programs shows the old one and the new one, can always clean in script
Bravo! and thanks
Merci John! Another great Intune video and all working well on my test lab. Looking forward to your next videos!
Thank you so much! recording a video how to enroll a Linux device in next video coming soon
John is superb. I look amazing at work because he spells things out in a way that helps folks who have the capacity to learn, just maybe without all the hoopla. I wingetted my weekend away and most of my apps can be updated by winget (sweet), however I like controlling what is out there, so no --all for me. It's an easy tool.
well done! I have been ill for a week and slow on replies, slowly getting better now.
Thanks for the comment and yeah I would not recommend -all switch either, better to manage them one by one as you do. But if you help a non-technical person you could teach them the -all switch for their home system as a good update advice
Another great video John it was a 40 minutes video but felt like it was only 10 minutes very clear and easy to follow along also appreciate when you have little pop ups of information to explain things which is much appreciated as a beginner I can make sense of what you're saying and follow along. Can’t wait for the next video and congratulations on 700 subscribers
Thank you so much for this comment, wow yes 700 :) thanks again, next video should come within two weeks if not sooner
@@IntuneVitaDoctrina keep up the great content. Will patiently wait to see the next video :)
Amazing tutorial !!! I implemented this and this is working like a charm. Thank you 😊
Well done! and thanks for comment, that made my day, thanks a lot
Great video once again!
Thanks again! this is one of my favorite videos, since it used Proactive Remediation that I use for so much stuff and also one of my new friends winget.exe that I have started to use a lot
Man - You have helped me tremendously. I also integrated Chocolatey with Remediation scripts but Infosec has issues with this. lol - You should do one with Chocolatey!
Thanks, that is a good idea also, Chocolatey (love the name) - big fan of Winget and hope in Windows 12 it will be even better and more integrated.
Excellent example John, thank you very much!
Thanks Victor so happy to hear that!
Great tutorial, thank you! Keep up the good work!
Thanks a lot, this is one of my favorites that I use a lot at work, I got over 50 scripts updating software and I love it
great stuff, very helpful thank you
Thank you so much
my new IT Hero :D
Hi have you ever used Winget to install applications in the autopilot process, do you know if this is supported.
@@hectorhenriquez6105 hi 👋 very good question- it is supported but there is no guarantee winget is operational at the time of Autopilot so eventually it will install when it retries but users who need the app the first hours they login will complain. I in general always use winget for self service company portal and for remediation script to update existing software but for first install for autopilot I use classic Win32 msi packages
seems when I reply on mobile it doesn't always work, sorry for late reply.
Autopilot process happens so early in the OOBE setup that winget isn't always ready, I would say more often than not it is not ready, so Winget isn't good for autopilot, it is PERFECT for self service in Company portal, but for Autopilot I do MSI/Win32 apps and then update them with Winget with proactive remediation
EDIT: now after posting I see my reply, strange :D
Do you need a check if the app is running when the remediation script runs? Maybe do the whole packaging with PSADT around the winget command and you can show popup for the user that there is an update and the app needs to close and timeout the popup?
Hi DanZi, great idea.
You don't want to update Zoom or Teams in the middle of a conference LOL :)
I have avoided this by scheduling the Remediation Scripts to run in the morning hours, I often put it at 4:00am or alike.
I do like your idea and would recommend that for apps that are critical for users to not update in the middle while using it.
Thanks for sharing this idea
Is there a way to "Safely" upgrade ALL Apps that have an update available? Using the same Remediation Script approach?
I tried the Winget upgrade all and it doesn't always work. It seems like it depends on whether or not the APP is available via MSstore or Winget and also the source agreements don't automatically accept all the time
Safely upgrade all, is not possible. You can add silent switch and hope for the best.
If everything was ORIGINALLY installed by Winget you can upgrade them with Winget but if you for example installed TeamViewer with MSI and then run Winget to upgrade it will download an EXE and fail.
Good session brother ☺️👏👍
Thanks ✌
I was wondering, is it possible to modify the script so that if it doesn't find the specified application installed, it then installs it?
Hi Edward, yes, since Remediation Script installs, you don't have to modify there, but the Detection Script you have to change it to always exit with 1 EXCEPT if the latest is already installed.
I can post a full script here if needed, but in general you should just change the part where it says it doesn't find the software and change exit from 0 to 1
@@IntuneVitaDoctrina Gotcha makes sense, I guess the only other hurdle I have is, what if the software version installed is 32 bit and I'd like to remove that and upgrade to 64?
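The detection logic discussed in this thread, combined with the earlier replies about an app that is running and the "Cannot index into a null array" error, as an added example that is not the script from the video. It assumes English winget output, `7zFM` as the process that marks the app as in use, and that a device where winget is missing or silent should be reported as failing.

```powershell
# Added example (not the script from the video): Intune detection script.
# Exit 0 = compliant, remediation is skipped. Exit 1 = remediation runs.

$AppId       = '7zip.7zip'   # winget package ID, as used elsewhere on this page
$ProcessName = '7zFM'        # assumption: process name that means "app is in use"

function Get-WingetPath {
    # Under SYSTEM, winget.exe is not on PATH, so resolve it in WindowsApps.
    $child   = 'WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe'
    $pattern = Join-Path $env:ProgramW6432 $child
    $hits    = @(Resolve-Path -Path $pattern -ErrorAction SilentlyContinue)

    # No match: return $null instead of indexing into an empty result,
    # which is what produces "Cannot index into a null array".
    if ($hits.Count -eq 0) { return $null }

    # An old and a new package folder can coexist; pick the highest version.
    $newest = $hits | Sort-Object -Property {
        if ($_.Path -match 'DesktopAppInstaller_(\d+(\.\d+){1,3})_') { [version]$Matches[1] }
        else { [version]'0.0' }
    } | Select-Object -Last 1
    return $newest.Path
}

function Get-AppState {
    param([string]$Winget, [string]$Id)

    # Out-String yields a single string, also when winget prints nothing
    # (the missing Visual C++ runtime case mentioned on this page).
    $text = & $Winget list --exact --id $Id --accept-source-agreements 2>&1 | Out-String

    if ([string]::IsNullOrWhiteSpace($text))  { return 'NoOutput' }
    if ($text -notmatch [regex]::Escape($Id)) { return 'NotInstalled' }

    # Assumption: English output, where the "Available" column header is
    # only printed when a newer version exists for the listed package.
    if ($text -match '\bAvailable\b')         { return 'UpgradeAvailable' }
    return 'Current'
}

$winget = Get-WingetPath
if (-not $winget) {
    Write-Output 'winget.exe not found under WindowsApps'
    exit 1   # design choice: show the device as "with issues" in the report
}

# Do not trigger an upgrade while the app is open; try again on the next run.
if (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    Write-Output "$ProcessName is running, deferring to the next scheduled run"
    exit 0
}

switch (Get-AppState -Winget $winget -Id $AppId) {
    'Current'          { Write-Output "$AppId is up to date";            exit 0 }
    'UpgradeAvailable' { Write-Output "$AppId has an upgrade available"; exit 1 }
    'NotInstalled'     { Write-Output "$AppId is not installed";         exit 1 }
    'NoOutput'         { Write-Output 'winget returned no output';       exit 1 }
}
```

With `NotInstalled` mapped to exit 1, the paired remediation script has to run `install` rather than `upgrade` for a missing app to be added.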
Thanks for this! I have been looking for something that will make it easier to use WinGet.
I however have a challenge that I have not been able to remediate. Running the script, it complains about scripts being disabled on the system. No matter how I add the line to bypass the Execution policy, it just won't work, unless I first bypass /disable the Execution policy and then run the script after that.
This will be a problem when deploying via Intune, since it will block the script from running.
Any ideas?
I would like to see that script and what you set, but sounds like you do all correct.
What about first line of the script is:
Set-ExecutionPolicy Unrestricted -Force
Then run your lines and at the end set back the ExecutionPolicy that you want?
The script runs under SYSTEM right and not User?
@@IntuneVitaDoctrina So I am testing locally with the logged in user, so I am assuming (and yes it's not good to assume, haha), that it's running under user context by default.
I have not deployed the Script via Intune to a Test-VM and will check back with the results.
Inserting "Set-ExecutionPolicy Unrestricted -Force" as the first line does work if that line is run first. And then secondly the other part of the script. But I would like it to set the execution policy and then run the rest of the script automatically. But let me see. If it works via Intune Remediation scripting, then I won't be bothered by that line then.
ah cool, yeah if you deploy it under SYSTEM with Remediation script you should be good
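An added example, not from the video or the commenters: the execution policy is checked before a script file is loaded, so a Set-ExecutionPolicy line inside the blocked script never gets to run. The function below is pasted into a console and runs a detection/remediation pair with the bypass limited to each child process, so the machine policy is left as it is; the file names Detect.ps1 and Remediate.ps1 are assumptions.

```powershell
# Added example. Paste into a PowerShell console: commands typed interactively
# are not subject to the script execution policy, script files are.
function Invoke-RemediationPair {
    param(
        [Parameter(Mandatory)] [string] $DetectScript,     # e.g. .\Detect.ps1 (assumed name)
        [Parameter(Mandatory)] [string] $RemediateScript   # e.g. .\Remediate.ps1 (assumed name)
    )

    # Resolve to full paths and fail early if a file is missing.
    $detect    = (Resolve-Path -LiteralPath $DetectScript -ErrorAction Stop).Path
    $remediate = (Resolve-Path -LiteralPath $RemediateScript -ErrorAction Stop).Path

    # A policy set through Group Policy takes precedence over -ExecutionPolicy,
    # so warn up front instead of failing with a confusing error later.
    foreach ($scope in 'MachinePolicy', 'UserPolicy') {
        $policy = Get-ExecutionPolicy -Scope $scope
        if ($policy -ne 'Undefined') {
            Write-Warning "Execution policy '$policy' is enforced at scope $scope"
        }
    }

    # Bypass applies to the child process only; nothing is written to the registry.
    $psArgs = @('-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass', '-File')

    & powershell.exe @psArgs $detect | Out-Host
    $result = [ordered]@{ Detect = $LASTEXITCODE; Remediate = $null; Recheck = $null }

    # Same sequencing as a remediation package: exit code 1 from detection
    # triggers the remediation script, then detection is run again.
    if ($result.Detect -eq 1) {
        & powershell.exe @psArgs $remediate | Out-Host
        $result.Remediate = $LASTEXITCODE

        & powershell.exe @psArgs $detect | Out-Host
        $result.Recheck = $LASTEXITCODE
    }
    [pscustomobject]$result
}

# Invoke-RemediationPair -DetectScript .\Detect.ps1 -RemediateScript .\Remediate.ps1
```

Run it from a console started as SYSTEM (the thread mentions psexec -i -s) to see the same exit codes the device would report.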
Great 👍! Thanks so much ❤
can you pls create videos on how to get the settings related to compliance policies and configuration profiles in Intune ?
I got a few videos of that:
Compliance Videos:
ruclips.net/video/bjp6db3DT1Q/видео.html&ab_channel=Intune%26VitaDoctrina
ruclips.net/video/4xKAlyuYNjg/видео.html&ab_channel=Intune%26VitaDoctrina
ruclips.net/video/nzpk5Pq4Tl4/видео.html&ab_channel=Intune%26VitaDoctrina
Configuration Profiles:
ruclips.net/video/o8FSHgfZJRg/видео.html&ab_channel=Intune%26VitaDoctrina
ruclips.net/video/WT9JbSpDiJw/видео.html&ab_channel=Intune%26VitaDoctrina
ruclips.net/video/B1Ppfy3RbPo/видео.html&ab_channel=Intune%26VitaDoctrina
ruclips.net/video/ChTIakzWmY0/видео.html&ab_channel=Intune%26VitaDoctrina
Have you built a remediation script yet that upgrades apps that are not available on WinGet?
Some yes, before winget, some MSI resides always at the same URL, like on a cloud url, like cloudfront (AWS) and then do logic to see if the latest is installed, if not download that and run. Some scripts scrape web pages download sites but those often stop to work after a while when they redesign the web page so don't like those so much. I hope more and more will put their software on winget. Also hoping Windows 12 when released will integrate winget even more.
How can we use Proactive remediations to update a CSV on a Storage account, that we can use for PBI reporting? :)
PBI = Power BI?
This sound complicated, but maybe still possible. The Storage account, is that in Azure? either way the script must have permission there, and if you put credentials or an API token or alike in the script, it will be in clear text for a short while on the client itself.
First the script needs to create the data, that is easy, then connect to the storage with credentials (risky)... yeah could work but hmmm doesn't sound optimal for this user case
@@IntuneVitaDoctrina This guy has done something similar to what we need, but too difficult for me to follow without some script examples: ruclips.net/video/JOYcOmJOk6k/видео.html
I am also not sure how multiple clients can update the same csv.
if the process lock the file then no, but you can write to a Database that handles it or a queue system, but now we are way out of Intune and Remediation scripts, so maybe we are complicating things too much :)
Do you got any other system that can pick up data? like Splunk?
My problem is that the company is very decentralised and not all clients are configured using intune, they are however all enrolled in intune now, but the reporting is rather difficult to get out. At Group level, this is what we are trying to get hold of and visualise using Power BI. I don't have Splunk, but can setup most other common and easily managed Azure services. We would like to see Firewall status (this one you can actually export fine, would like it automatic though), OS Patch status and Bitlocker. The last 2 are problematic.
When you deploy a software update using Proactive Remediations and Winget, the original app uninstall location in the registry is removed. How can you uninstall software, using Intune, that was updated using winget? What is the uninstall command? Or would you have to create another Proactive Remediation to uninstall the software?
Good question, so Winget.Exe got uninstall, if you installed with Winget it will always work to uninstall, if not installed with Winget you might need to add a line like
(Get-WmiObject -Classname Win32_Product | Where-Object Name -like 'NameOfSoftWareToRemove*').Uninstall()
But if installed with Winget you can run
winget uninstall, got an example for 7-Zip down here:
### Software Remediation Remove 7-Zip
### Author: John Bryntze
### Date: 4th July 2023
## Variables
$JBNAppID = "7zip.7zip"
## Help System to find winget.exe
Set-Location -Path ("$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe")
## Run uninstall of the software
.\winget.exe uninstall -e --id $JBNAppID --silent --accept-source-agreements
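An added example, not from the video: querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, which is slow and can start repairs, so this sketch reads the Uninstall registry keys instead. It also shows whether an entry is registered in the 32-bit or 64-bit view, which is the question raised earlier in the thread; the function names are hypothetical.

```powershell
# Added example. Run in 64-bit PowerShell as administrator or SYSTEM; in a 32-bit
# process both paths below end up in the 32-bit registry view.
function Get-InstalledProduct {
    param([Parameter(Mandatory)] [string] $NamePattern)

    $views = [ordered]@{
        'x64' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'x86' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    }
    foreach ($view in $views.GetEnumerator()) {
        Get-ChildItem -Path $view.Value -ErrorAction SilentlyContinue | ForEach-Object {
            # GetValue() avoids the cast errors Get-ItemProperty throws on odd values.
            $name = $_.GetValue('DisplayName')
            if ($name -and $name -like $NamePattern) {
                [pscustomobject]@{
                    Name            = $name
                    Version         = $_.GetValue('DisplayVersion')
                    RegistryView    = $view.Key
                    IsMsi           = ($_.GetValue('WindowsInstaller') -eq 1)
                    KeyName         = $_.PSChildName   # product code GUID for MSI installs
                    UninstallString = $_.GetValue('UninstallString')
                }
            }
        }
    }
}

function Uninstall-MsiProduct {
    param([Parameter(Mandatory)] $Product)

    # Only hand a well-formed product code to msiexec; EXE installers need
    # their own UninstallString and silent switches.
    if (-not $Product.IsMsi -or $Product.KeyName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        throw "Not an MSI product with a GUID product code: $($Product.Name)"
    }
    $proc = Start-Process -FilePath msiexec.exe `
        -ArgumentList '/x', $Product.KeyName, '/qn', '/norestart' -Wait -PassThru
    $proc.ExitCode   # 0 = removed, 3010 = removed, reboot required
}

# List what is registered and in which view before removing anything.
Get-InstalledProduct -NamePattern '7-Zip*' |
    Format-Table Name, Version, RegistryView, IsMsi

# Example: remove only the 32-bit MSI entries.
# Get-InstalledProduct -NamePattern '7-Zip*' |
#     Where-Object { $_.RegistryView -eq 'x86' -and $_.IsMsi } |
#     ForEach-Object { Uninstall-MsiProduct -Product $_ }
```

Per-user installs register under that user's HKCU hive and are not listed by this function.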
I am waiting for new videos. Good explanation, really i am interested in your videos
Thank you so much, got a series of videos under production, unfortunately the next coming are specific for Oracle Java 8 users that needs to load Java in browser, it will not apply to everyone but those who need it will like those videos. For none Java 8 users it still be some videos in that is useful for everyone, like IE mode and some package/winget stuff. My goal is to release one video per month but lately it has been two or more, see if I can keep up with that :) it is fun! thanks again!
Hi John, and maybe someone else did have and fix this issue. I'm pushing your detection/remediation scripts to my machines (Zoom app) and around 70% are upgrade ok. The rest of them I see in the logs that detection fails (Powershell exit code is 1), which mean it should proceed to remediation and upgrade, but it never happens (I don't see remediation to run) or sometimes the AgentExecutor log say it did run and with exit code 0, but I'm pretty sure it didn't, as I have my custom logs in the script, and I don't see them being generated. So I'm just wondering of someone else got a similar issue and second question will remediation script actually execute if for example Zoom app/process is actually running or it will drop it and attempt to upgrade next time?
Thanks all.
Great job Oleg, I would remote to one of those device failing and run the both scripts manually or from SYSTEM with help of psexec -i -s to see what output you get from the variables.
@@IntuneVitaDoctrina on most of them running it manually will just work fine, but what's interesting on some of them when I run .\winget.exe list or upgrade it doesn't give me any output, instead I can install or uninstall using --id. Looks like winget issue. Do you know if there is a way to re-install/uninstall Winget? Initially I've tried to push it using new store app, but did run into some issues and pushing it now as Win32 app. Some of the machines has it under to location. So just wondering that initial install does cause some issue and if I can clean them up and reinstall? Thanks again for your patience about my stupid questions :)
Yes I have had some older devices not giving any output, annoying, fixed it from this link:
github.com/microsoft/winget-cli/issues/2748
basically a newer version of Visual C++ Redistributables was needed, read in the comments of the link above the post from "rozmansi commented on Jan 30" that fixed it for me, hope it does for you and I strongly believe so
I am struggling with one issue at the user level App prompt for the admin password to upgrade for standard user. Thanks for the detailed video.
Hi, interesting. Is the app itself installed under c:\program files? or under user profile or elsewhere?
If you let me know which app it is the wingetID, I'll take a look. You could do the upgrades for them, by running a remediation script every day, and have SYSTEM update it, unless like you say it is a user app, but user apps normally doesn't require local admin as it is installed in the users own space. please give me more info and I'll do my best to help you
@@IntuneVitaDoctrina I am pushing through MDM Jump Cloud with all use able switches it downloaded the required updates at the installation ask for non admin users to provide password like I update Adobe Acrobat Reader
MDM Jump Cloud? not using Microsoft Intune?
Don't know that product, but can the software be pushed at System level that would be better
@@IntuneVitaDoctrina not using InTune however using Winget command to upgrade all app. It's ask for the password at user end.
# Upgrade all packages silently, forcing updates, and accepting license agreements
cmd.exe /c "winget upgrade --all --recurse --silent --force --disable-interactivity --accept-package-agreements --skip-dependencies --accept-source-agreements -a x64"
super useful, thank you!
Thank you so much, it is one of my own favorite videos also, I love Winget, crazy about it, and also love Remediation Scripts, so those two together are so powerful for a lot of things :)
@@IntuneVitaDoctrina what if the application has "unknown" version such as visual studio code? Does the logic in the script still work?
Good question, I checked on my own device and I don't have any saying "unknown" but know that can happen, when you run the 'winget list' for that software, and it shows unknown does it still have the header available ? if so it will work, else there is an easy way to expand the script to pick up the unknown value and action that also
@@IntuneVitaDoctrina I just tried installing one app (visual studio code) that has "unknown" value in Version column when running (winget search "Visual Studio Code")
But after installing, it shows up with "Microsoft Visual Studio Code (User)" and has a specific version when running "winget.exe list". So the script would work fine with it. Thank you very much!
May I have your idea on how to use winget to upgrade apps silently if the app is installed with user context, meaning that the app does not show up when running "winget list" but it is located in user profile (e.g: AppData\Local\Programs)?
@@IntuneVitaDoctrina I tried installing one app (visual studio code) that has version of "unknown" when running winget search "visual studio code". But after installed, it shows up as "Microsoft Visual Studio Code (User)" with "known" version when running winget list. In this case, I suppose the script would work fine with it. Thank you.
May I have your idea on how to use winget to upgrade apps that are installed with user context, meaning it could not be found when running winget list, but it is located in user profile, e.g: AppData\Local\Programs\Microsoft VS Code\Code.exe
Great post.. I getting the same null error with 22h2. It seems Winget desktop app installer is not installed on my tablets. is there a way to run the install previously in your script? Thank you and your video was great.
Thanks a lot Mike, if you run as a user winget.exe does it like say doesn't exist or you get an output?
A pretty common issue is this one, you have winget.exe but it fails running under SYSTEM to get any output, is that what you mean with "null error"? if so solution is in this thread: github.com/microsoft/winget-cli/issues/2748
But maybe your issue is that winget isn't at all at the system?
Having trouble with that "resolve-path". The script always fails for me when I run it with that.
Hi Sam, could you please post your first line? and you save it as a .ps1 file or running from PowerShell ISE?
What exact message do you get?
@@IntuneVitaDoctrina It was the section under finding winget.exe. "Cannot index into a null array".
I also get Unexpected token '.Path' in expression or statement.
That could mean that the device you run it on is missing that path and winget.exe, what OS is it? Windows 11 Professional, Enterprise? or is it Windows 10? is it 22H2?
@@IntuneVitaDoctrina Enterprise 21H2. It's odd because some machines find the winget.exe but some do not.
21H2 is a bit old now, you can install winget.exe (Windows Package Manager), either install it or why not update to 22H2 at least and it should come with it
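An added example, not the video's script: a detection script that covers three points from this thread, namely exiting 1 when the app is missing so remediation installs it, not failing with "Cannot index into a null array" when the winget folder is absent, and flagging the empty-output case from winget-cli issue 2748. It assumes SYSTEM context, 64-bit PowerShell and English winget output; the function name is hypothetical.

```powershell
# Added example. Exit 0 = compliant, exit 1 = Intune runs the remediation script.
$AppId = '7zip.7zip'   # winget ID used elsewhere in this thread; change per application

function Resolve-WingetPath {
    # SYSTEM has no winget alias on PATH, so look for the packaged binary first.
    $pattern = Join-Path $env:ProgramW6432 `
        'WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe'
    $found = @(Resolve-Path -Path $pattern -ErrorAction SilentlyContinue)
    if ($found.Count -gt 0) {
        # Several package versions can coexist; take the highest version in the folder name.
        return $found |
            Sort-Object { [version]($_.Path -replace '^.*DesktopAppInstaller_([\d.]+)_.*$', '$1') } |
            Select-Object -Last 1 -ExpandProperty Path
    }
    # Fallback for a logged-in user, where winget.exe is reachable through PATH.
    $cmd = Get-Command winget.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    return $null
}

$winget = Resolve-WingetPath
if (-not $winget) {
    # Reported as an issue so the device shows up; remediation must install winget first.
    Write-Output 'winget.exe not found on this device'
    exit 1
}

$output = (& $winget list -e --id $AppId --accept-source-agreements | Out-String)
$code = $LASTEXITCODE

if ([string]::IsNullOrWhiteSpace($output)) {
    # winget present but silent: the symptom discussed in winget-cli issue 2748.
    Write-Output "winget returned no output (exit code $code)"
    exit 1
}
if ($code -ne 0) {
    # Any failure of 'winget list', including no matching installed package,
    # is treated as not installed so that remediation installs the app.
    Write-Output "$AppId not installed (winget exit code $code)"
    exit 1
}
if ($output -match '\bName\s+Id\s+Version\s+Available\b') {
    # The Available column is only printed when a newer version exists in the source.
    Write-Output "$AppId has an upgrade available"
    exit 1
}

Write-Output "$AppId is installed and up to date"
exit 0
```

On a non-English Windows the column header is localized, so the last check needs the local header text.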
This is great, thank you!
Thank you so much Justin
John you are the Microsoft Intune master. I am learning so many things from your channel. I just had one doubt, can I upgrade Chrome or other applications using this method? I deployed these apps using LOB and Win32 app installation and not with Winget. Do you think this script will work for LOB and Win32 apps upgrade?
Happy to hear Yunus, you can skip the last Oracle Java videos they are very specific for a few people and in general not things you need to know. Thanks for message.
If you always want the latest Google Chrome I would use winget.exe, a lot of Organizations use Google Chrome as their app for finance, or sales tools and want to be sure not a new update break their tool and control the version. If that is the case I would Win32 app package it and control the version.
My next video is going to be more about Autopilot but the one after that is going to be howto manage a lot of Google Chrome settings (not with Intune but with a free Google tool)
Was just testing the winget commands and for whatever reason vlc does not want to run silently. Anyone else run into that issue?
much possible it doesn't honor the --silent switch, which it should, can send arguments, forgot if it is an EXE or MSI. I will check next time I run it
Hi John, My proactive remediation doesn't apply at all. no error message or complete. devices are not showing in overview.
No idea who is Tim :) but yes a few got this, the fix is in this link
github.com/microsoft/winget-cli/issues/2748
@@IntuneVitaDoctrina My bad! I will check that. Thank you John!
@@IntuneVitaDoctrina I am running it as a logged in user and still see the problem
the fix is to install VC++ think there is a link in the thread
@@IntuneVitaDoctrina Do you have a different method to update zoom rooms from intune or with powershell remotely?
I love this guy! You are helping me in many ways around intune my friend ;).
But regarding the Winget auto update, you created update remediation + winget for VLC, but does this mean you have to do this for all applications that we have? I mean, those will be alot of remedation reports as we have a lot of applications installed on some systems. It would be cool that it detects the installed applications and then update them all as much as possible and accept all source agreements.
Yes, we have a few mandatory apps, but also a lot of apps that users need and are installed via Company portal. These also need to be updated of course, but there has to be a way to make just one remediation + winget scripting right?
Thanks a lot for your comment, you can do one-liner and update all, it is:
winget.exe upgrade --all --silent
I read that there is a bug that if you got 10 software to update only the first is silent and the other 9 are none but they get installed.
Not all works, if you installed TeamViewer with MSI package and Winget takes down an EXE file it will complain but for home users the 'winget upgrade --all' is a pro-tip to update software
I do scripts for each software at my work, for several reasons, I like to control what I update, I like to see the stats per app to report to my manager how many got updated and also we got software that we want to control the version because if it introduce new features I don't want the end users to be the first to tell us "Hey why does Outlook now show the icons on the right side instead of before left" or "since the upgrade this add-in stopped to work" etc...
For an enterprise I would recommend not to run the '--all' switch and do them one by one, the template provided in this video makes it go fast, you just change the ID and you are good to go :) for home users or small businesses, sure use the --all switch and check what does not get updated and investigate why.
I think you are making a very valid point there. Thank you that. I can maybe do a setup for the top 10 important / command applications for on, lets say the Tuesday and a update all version set for on the Thursday. The Thursday will then see that the important apps are already up to date.
Good idea, however don't use Intune's own Software Inventory as a base for success since it can take up to a week before you see changes there (that one is slow) but if you see in ProActive Remediation the stats you can trust them.
@@IntuneVitaDoctrina check, thanks. I am going to play with the scripts then. Write at least for the most important apps that we always use.
@@marvnl Great Idea
Nice one
Thanks for watching and comment :)
Great video. Another one!
I was under the impression that Winget apps would update automatically regardless of being installed as a Win32 app?
Thanks, It will install the latest version if not using the -v switch and then it will show success and not run again.
Once installed you can just do a Proactive Remediation Script that run same command but you change "install" to "upgrade" and have it run every week or alike. I might do a video about that, I use it a lot at my work
great video! Been looking to run winget as system profile and this should fix it.
thanks a lot, a huge fan myself of winget.exe and uses it also to update existing installations with remediation scripts (got a few videos on that also)
Thanks for a great video… I wanted to update .Net on few machines which were not having the latest version of it… tried other detection scripts in Intune but didn't work. I will try your script and check if it works.
Thanks for comment, I update .NET Framework with Windows Update, I wonder if this could be used to have winget.exe update it?
winget.run/pkg/Microsoft/DotNet.Framework.DeveloperPack_4
winget upgrade -e --id Microsoft.DotNet.Framework.DeveloperPack_4
Awesome content! I think finally MS moved the remediation to "Devices" a year later 🤣🤣 so fast hey
yes! too lazy to update all videos with that, but true, and I prefer the new place :)
Thanks for the comment
@@IntuneVitaDoctrina haha I can't judge as I'm lazy too!
Hi John, thanks a lot for your video, it helped us a lot. I already tried your scripts and it's working fine. Now I want to update Office Apps and I tried your script by just changing the App ID, it gives error "Installer failed with exit code: 17006". When I searched I found that the error means the app is open and needs to be closed. What do I need to add in the script so that it gives users a warning to close the apps which are open, or automatically closes the apps so that the upgrade can happen? Your help is really appreciated.
Hi, happy to hear, I have taken another approach on 365 Apps, I send out a normal PowerShell script that runs only once and create a scheduled task that runs on all devices to update Office regularly, so it prompts user to close apps etc..
Let me know if you want I do a video about it, else the script is here that you can use:
### Create ScheduledTask to run Microsoft 365 Apps update
### John Bryntze
### 18th April 2023
### Remove the task first if it already exists (the same task folder, \JBN\, is used throughout)
if(Get-ScheduledTask -TaskPath "\JBN\*" -TaskName "Microsoft 365 Apps Update*" -ErrorAction SilentlyContinue)
{
    Unregister-ScheduledTask -TaskName "Microsoft 365 Apps Update*" -Confirm:$False
}
### Create Scheduled Task if doesn't already exists
if(!(Get-ScheduledTask -TaskPath "\JBN\*" -TaskName "Microsoft 365 Apps Update*" -ErrorAction SilentlyContinue))
{
    $JBNAction = New-ScheduledTaskAction -Execute "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" -Argument "/update USER Displaylevel=true"
    $JBNTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At 5am
    $JBNSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    $JBNTask = New-ScheduledTask -Action $JBNAction -Trigger $JBNTrigger -Settings $JBNSettings
    Register-ScheduledTask -TaskPath "\JBN\" -TaskName "Microsoft 365 Apps Update" -InputObject $JBNTask
    ### Win8 actually sets Windows 10, and StartWhenAvailable make it to run directly after 5am if device is down
    ### Set-ScheduledTask replaces the whole settings object, so the battery switches are repeated here
    $JBNTaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -Compatibility Win8
    Set-ScheduledTask -TaskPath "\JBN\" -TaskName "Microsoft 365 Apps Update" -Settings $JBNTaskSettings
}
@@IntuneVitaDoctrina thank you so much, i will try the above script, video is always better😀 and useful for others also. I have seen a task scheduler already exist and it is running daily at 3:00 am but still the Office Apps are on older version.
@@IntuneVitaDoctrina is the video on the way🤔 ...just asking out of curiosity 😉, anyways thank you so much for your help
@@TechNerd202 thanks for reminder, - next video be about LAPS and already recorded and after windows 365 but then this one should happen
@@IntuneVitaDoctrina Appreciate your support👍
Good session
Thanks a lot Sandeep, it is actually one of my own favorites of my own videos this one :)
30:11
yeah the path of finding it has changed again :)
Sadly only works with E3 or above licenses
agree, too bad, it is a really nice feature
I hate that Intune is not instant lol
"hate" is too strong word for me, but yes I agree it is too slow. It is because Intune is an Enterprise tool and you deploy to 10000 devices etc... but when you deploy to only one... it is sooo long to get feedback unless you check the local logs of course :)
For macOS the tool Jamf, it is soo fast! it report quickly success/failures in console.
#As an alternative way to find path to winget.exe
Set-Location -Path ('{0}\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe' -f $env:ProgramW6432)
Thanks a lot, FANTASTIC, it is not only shorter, a one-liner, it is also easier to understand :) I will start to use this one from now on.
what path is that? on my kiosk device, it is located in the appdata\local\microsoft folder. How is Intune run that. Running as system is disabled.
I missed this question, sorry, running as System is disabled, if it runs as the logged in user they should already have a path to it so you should just need to call winget.exe, no need for full path
@@IntuneVitaDoctrina winget doesnt have the latest version of zoom room. 😢
thanks, I noticed the same, it got the 6th of March version and not the 20th.
Zoom Zoom.Zoom 5.13.11835 winget
I'm going to speak my Zoom rep and ask why they are so late to update version on Winget.
Until then you can download the installer and Win32 App package it but I know it is not so fun:
zoom.us/client/5.14.0.13888/ZoomInstallerFull.exe?archType=x64
Alternative I'll look into do a PowerShell Script that scrape the download site on the latest version, download and install, that could be another video for my channel also
Hi John,
I would like to suggest you this code to find winget folder, it's shorter
$path = Resolve-Path "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe"
Set-Location $(Get-ItemProperty $path).DirectoryName
Thanks a lot Ajax, yours is a lot shorter, better, easier to understand than my code that takes more lines, nice one!
I have now started to use a one-liner from another comment on another video that I slightly modified:
Set-Location -Path ("$env:ProgramW6432\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe")
also the below would work on all systems that install on C: and got default English names for Program Files
Set-Location -Path ("C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe")
Great 👍! Thanks so much ❤
Thanks a lot for taking time to comment Ibrahim!