Introduction
Packaging, deploying and updating applications can be hugely time consuming, especially when trying to keep on top of the latest zero-day exploit in your apps (I’m looking at you Chrome!)
Fortunately there are now a handful of package managers available to take away this pain, especially useful when you have multiple customers with largely the same app estate.
For this post I’m going to be looking at what I think are the main contenders: Windows Package Manager (Winget), Chocolatey, Patch My PC, Scappman (now owned by PMPC), Intune Pckgr, PDQ Connect, Robopack, ZeroTouch.AI and Microsoft Enterprise App Management.
Latest update October 2024
I will be looking at the ease of deployment, updating, cost, application catalogue, the user experience, app customization, APIs and any required infrastructure.
Let’s start with a quick look at the contenders:
Windows Package Manager (Winget) is a command line tool very similar to those Linux users will be familiar with. It is now built in to the latest versions of Windows 11 and Intune integration is due soon. Whilst it’s a Microsoft application, it is open source and available on GitHub
Chocolatey is another command line tool with a large community backing it with the latest packages and can be integrated into SCCM or Intune using PowerShell.
Patch My PC is a Windows PC/Server application which then links in to either Intune or SCCM (or both) to deploy both applications and updates.
Scappman is a cloud based solution which integrates directly into Intune to deploy applications.
NOTE: Scappman has been purchased by Patch My PC, but at present, both are still available individually. This will be updated as and when this changes.
Intune Pckgr is a cloud based solution based on the Winget library with direct Intune integration to deploy and update applications
PDQ Connect is a new product from the company who created PDQ Deploy which is fully cloud based. It does not have Intune integration but runs using its own agent. This is a new offering with an exciting roadmap.
Intune Enterprise App Management is an addition to the Microsoft Intune suite which manages application deployment and updates all within the Intune console. A new release with a lot of applications planned!
Robopack is a relative newcomer with a large selection of applications, fully SaaS and Intune integrated
ZeroTouch.ai offers more than just app management with full RMM capabilities, a drop-in replacement for ESP and more. For the purposes of this, I’m just looking at the apps
Ease of App Deployment
Arguably the most important part, how easy is it to deploy applications?
Winget
Without any Intune integration, the only deployment method for Winget is via PowerShell (to find the commands, winstall.app is a good choice). Let’s use 7-Zip as an example for all of these, it’s one of the first apps I usually install on any new machine. We will cover custom repositories later.
To deploy 7-Zip using Winget, we need a command to run:
winget install 7zip
We could push this out as a PowerShell script directly in Intune, but wrapping and packaging as an application is my preferred approach to keep things similar across applications and also give the option for users to self-service install. Wrapping using PowerShell Application Deployment Toolkit (PSADT) would be a good choice for this.
In an ideal world, I’d add “--scope machine” to the install command, but currently Winget runs in the user context so would prompt for elevation which I’d hope won’t work for the majority of enterprise users! There is a workaround to deploy in the system context as I mentioned here, but it isn’t ideal and not officially supported.
There are now some third party tools to deploy Winget apps directly into Intune such as this from Stephan van Rooij, Win32 deployer from Florian Salzmann and my own tool.
I have also added a new web interface to mine to quickly deploy Winget apps directly from a website here
Rating (currently): 2/10
Rating with community tools: 7.5/10
Chocolatey
Similar to Winget, Chocolatey is PowerShell based so we’ll need to wrap a script into a Win32 application to deploy (again, I’d look at PSADT). Chocolatey has a full searchable community repository on their website. We will cover custom repositories later.
For our 7-Zip example:
choco install 7zip
Chocolatey installs in the system context and community applications are largely configured to install silently by default.
Rating: 5/10
Patch My PC
Patch My PC has a GUI application which runs on a Windows device (usually a deployment server), either on-prem, or could be in Azure. Once configured, deploying an application is a case of finding the application in the list and marking it for deployment:
You can also configure assignments via the right-click menu to further reduce the effort on the Intune portal.
After the next sync schedule (or a manual sync), the application will display in Intune and Company Portal (if deployed as available).
There is also a new web based portal for Patch My PC which removes the requirements for a server, simply select your app and deploy it:
You then select the assignments and any other app details and it will deploy for you.
Rating 10/10
Scappman
Scappman is fully cloud based so all application deployment is via their portal. After logging in, navigate to the app store and find your application, click Get and then click Install
Clicking Advanced gives a lot of additional options some of which are very powerful. As well as the assignments (which links directly to your Entra tenancy to discover groups), you can configure pre and post-install tasks and even deployment rings to deploy updates in a staggered manner.
After clicking install, the application will display within Intune soon afterwards.
Rating: 10/10 (in Advanced mode)
Intune Pckgr
Similar to Scappman, Intune Pckgr uses a web-based portal to find and deploy applications. Simply click the + button to add to your Company:
Then deploy it:
The application is then added to Intune, but not assigned so you do have that additional step involved
Rating 8/10
PDQ Connect
The first step with PDQ Connect is to deploy the agent to your devices. I did this by packaging as a Win32 and then deploying via Intune which did seem a little counter-productive, but this solution is designed to also work stand-alone.
Once the agent is added, application deployment is straightforward: find your application, click deploy and select either devices or configured groups from the list:
I found deployment to be extremely quick and totally silent, definitely quicker than waiting for an Intune sync.
The obvious downsides are the lack of Intune integration so it’s another portal to manage, no user-based assignments and no self-service option
Rating: 6/10
Intune Enterprise App Management
As you would expect with a native feature, deploying apps is incredibly straight forward, you select the application as you would when deploying a store application. It then converts to a Win32 and deploys to your environment. Similar to the other options, all application details are pre-configured
Deployments are as quick as any other Intune application
Rating: 10/10
Robopack
Once you have added your tenant in the Settings menu, it is simply a case of searching for your application and clicking Import. Once in your apps, you can then deploy to Intune. You can also configure assignments as required with some default templates in place which work well.
You also have the option of adding your own applications which it will convert to intunewin and deploy for you
Deployments are as quick as any other Intune application. Out of the box the apps deploy using PSADT with the option to change to your own script if required
Rating: 10/10
ZeroTouch.AI
After onboarding your tenant(s) it is very straight forward to deploy applications, either pre-packaged, or customer applications.
You can then deploy directly to devices, or import into Intune. You can also create Intune applications with a simple GUI within the tool.
It has all of the usual group configuration you would expect
Deployments are as quick as any other Intune application if published via Intune, or as ZeroTouch has an agent on the device, direct deployments are definitely quicker.
There is also the useful ability to install apps directly onto single devices.
Rating: 10/10
Updating Apps
Deploying apps is obviously a key part, but I would say keeping them updated is the main purpose of a package manager. The issue has always been around applications which are “Available” for install rather than Required apps. With a required application, you know it’s there and simply deploy the update to the same group. Intune now natively supports updating of available applications as well, so, let’s see how our contenders compare:
Winget
Winget has the upgrade command where we can specify a single application, or tell it to upgrade all applications on the machine. We can then use proactive remediation to detect if the application is installed and if detected, run the update script on a fixed schedule. This works nicely, but obviously if you start hitting hundreds of applications, it’s a chore to set up initially.
Using the switch to upgrade all apps will get us around this issue and also won’t require any detection, but, it will try and update EVERY application it detects on the machine which it has listed in the repo, even those installed using another method. In my testing, this included Microsoft Office which then completely bypassed my carefully configured update rings and just threw everything onto Current Branch (excluding/pinning apps has been requested here). Using a custom repo may help with this, but I like more control over my application updates, especially once we hit the likes of Java runtimes.
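One way to get the scheduled-update behaviour described above without the upgrade-all side effects is an allow-list script used for both halves of an Intune remediation. This is an added example, not code from the original post or from any of the tools it mentions. The package IDs, the `Get-WingetPath` helper, the x64 App Installer folder lookup (the unsupported system-context approach) and the treatment of exit code 0x8A15002B as "no applicable update" are assumptions to validate in your own environment.

```powershell
# Added example, not code from the original post.
# Upload one copy with $Mode defaulting to 'Detect' as the detection script and one
# copy defaulting to 'Remediate' as the remediation script (Intune passes no arguments).
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect'
)

# Sample allow-list (assumption): only these winget package IDs are ever upgraded.
# Office, Java runtimes and anything else not listed stay under their own update process.
$AllowList = @('7zip.7zip', 'Notepad++.Notepad++')

# winget exit code assumed to mean "no applicable update found" (0x8A15002B).
$NoApplicableUpdate = -1978335189

function Get-WingetPath {
    # SYSTEM has no winget alias on PATH, so resolve the binary inside the
    # App Installer package folder and pick the highest version present.
    $pattern = Join-Path $env:ProgramFiles 'WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe'
    $found = Resolve-Path -Path $pattern -ErrorAction SilentlyContinue
    if (-not $found) { return $null }
    $newest = $found |
        Sort-Object { [version](($_.Path -split '_')[1]) } |
        Select-Object -Last 1
    return $newest.Path
}

function Test-WingetInstalled {
    param([string]$Winget, [string]$Id)
    # 'winget list' exits non-zero when no installed package matches the exact ID.
    & $Winget list --id $Id --exact --accept-source-agreements | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-InstalledAllowListedApps {
    param([string]$Winget, [string[]]$Ids)
    return @($Ids | Where-Object { Test-WingetInstalled -Winget $Winget -Id $_ })
}

function Update-App {
    param([string]$Winget, [string]$Id)
    # Upgrade exactly one package by ID; never 'upgrade --all'.
    & $Winget upgrade --id $Id --exact --silent `
        --accept-package-agreements --accept-source-agreements | Out-Null
    return $LASTEXITCODE
}

$winget = Get-WingetPath
if (-not $winget) {
    Write-Output 'winget.exe not found'
    exit 1
}

$installed = @(Get-InstalledAllowListedApps -Winget $winget -Ids $AllowList)

if ($Mode -eq 'Detect') {
    if ($installed.Count -eq 0) {
        Write-Output 'No allow-listed apps installed'
        exit 0
    }
    Write-Output ('Allow-listed apps present: ' + ($installed -join ', '))
    exit 1    # non-zero tells Intune to run the remediation script
}

# Remediate: upgrade each installed allow-listed app and collect real failures.
$failed = @()
foreach ($id in $installed) {
    $code = Update-App -Winget $winget -Id $id
    if ($code -ne 0 -and $code -ne $NoApplicableUpdate) {
        $failed += ('{0} (0x{1:X8})' -f $id, $code)
    }
}

if ($failed.Count -gt 0) {
    Write-Output ('Upgrade failed: ' + ($failed -join '; '))
    exit 1
}
Write-Output ('Upgrade pass complete: ' + ($installed -join ', '))
exit 0
```

Because the allow-list is the only input, an application that appears in the Winget repository but is managed elsewhere is never touched unless someone adds its ID deliberately.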
Update:
Using community tools such as this application and ADMX, you can fully automate the updating of Winget applications
Rating: 6/10
Rating: 9/10 with community tools
Chocolatey
Similar to Winget, updating is via a command line to either specify an application, or kick off an update on all applications. Fortunately Chocolatey does have an exclude command so at least I can remove some applications, but this does mean hard-coding a list of applications to exclude and there is always the chance that one particular application slips through and causes issues.
Rating: 7/10
Patch My PC
Patch My PC works differently. For each new version of an application, it publishes a new package into Intune automatically. This gives you the ability to test the new applications prior to deployment and then deploy when happy (either manually assigning, or use supersedence).
It also adds a secondary application for an Update to the application.
Updating available applications works well via a custom detection script, but obviously it requires deploying the update application to everyone and then letting the script work it out.
These all work well (although I should mention that when testing with GIMP, the app update wasn’t quite as silent as I would have expected, even though the install strings appeared correct).
Also, adding all machines/users into the update applications can clutter the success/fail of applications with a lot of additional “Not Applicable” entries.
Rating: 9/10
Scappman
Scappman has a different approach again. When deploying using the Advanced deployment features, you can specify update rings, same as I recommend for Windows and Office.
When a new version of an application is available, it will push out the update depending on the ring the user/device is in so a new version can go through UAT before reaching the full estate.
Each version replaces the previous one so it looks neater in Intune, but should you have an issue with a particular version, I haven’t found a way of rolling back to the previous one.
Updating Available applications works in the same way as Patch My PC with an additional application and custom detection script, the only difference is the assignments configuration is done for you.
My testing found this worked well and it correctly updated an application installed manually as well as one pushed out centrally.
Rating: 9/10
Intune Pckgr
In the interest of fairness, this is working on the purchase of the advanced package as most of our other options are paid-for.
Updates are handled automatically via a checkbox during deployment which leverages the Graph API to push out latest versions with versioning. There is also the option to deploy an update only application which uses custom requirements scripts to deploy accordingly.
As with Patch My PC, the only complaint is application clutter for a regularly updating application
Rating: 9/10
PDQ Connect
By leveraging the Automations functionality, you can set your applications to remain always updated automatically. You can also configure Device Groups should you wish to use rings to test initially and configure the schedules accordingly.
If this supported user-based deployment, it would score the full 10
Rating: 9/10
Enterprise App Management
App updates have their own menu within Intune where you can quickly review which applications in the estate require updates and select them within the UI.
Updating is a manual process, but is quick and easy to complete. Bulk actions would be a welcome addition though for larger estates, especially as the app catalogue increases
Rating: 9/10
Robopack
Similar to Enterprise App Management, there is a menu option for updating applications in the estate with a simple button to deploy the update. There is also bulk update functionality available.
A newly added feature, Robopack can now use update rings for a fully tested approach. You can specify a group to use (which can be removed from the assignments on completion) and a success rate before progressing to the next deployment stage. You can also set notifications so whilst it’s fully automated, you can be informed along the way.
Rating: 10/10
ZeroTouch
ZeroTouch makes app updates extremely straight forward as the agent deals with everything for you. It does lack the ring approach available in Robopack though which would be a very welcome addition
Rating: 9/10
Cost
This all sounds ideal, I’m a firm believer that if something can be automated, it absolutely should be, why spend 5 minutes doing a quick task when you can spend 3 days writing a script to do it for you (but future you will thank you for it). The question is, at what cost does this automation come…let’s find out:
Winget
It’s made by Microsoft, but it’s open source and on GitHub. The only potential cost would be hosting your own repository, probably on an Azure Storage blob. You can host on GitHub for the repo, but I haven’t seen any way to use a private repository so it’s a bit more risky if you start publishing private or paid applications.
Rating: 9.5/10 (I’d host my own)
Chocolatey
Chocolatey has a free version using the community repository or you can host your own on the free plan as well. There is also a business version which adds extra functionality (comparison here) for $15.60 per machine, per year.
Rating: 9.5/10 (self-hosted, community version)
Patch My PC
Patch My PC have three different licensing options, Enterprise (MEMCM/SCCM only), Intune or Enterprise Plus (both). To keep things fair, I’ll work on the Intune only license at $2.50 per device per year. I should point out that it does have a minimum of $2000 per year so if you don’t have a large fleet, the device cost should be calculated accordingly.
Rating: 7/10
Scappman
Scappman has a fixed price for up to 1000 users of $11 per user, per year so it is more cost effective up to around 175 users compared to Patch My PC.
Rating: 7/10
Intune Pckgr
Intune Pckgr runs at device-based licensing with different tiers depending on the number of devices. You do not pay per-device, it is a fixed rate for the device levels (100, 1000, 2500, 5000). The costs range from $19 per month to $79 per month (with discounts for annual subscriptions). The basic 100 device subscription is also single-tenant so any small MSPs will need 1000 devices.
All price levels compare favourably to PMPC and Scappman
Rating: 8/10
PDQ Connect
PDQ Connect has a minimum of $1200 per year for 100 devices with an additional cost of $12 per device, per year.
For a small environment, this is slightly cheaper than PMPC and Scappman, but more expensive than Intune Pckgr.
When looking at over 1000 devices/users, it is the most expensive option here.
Rating: 5/10
Enterprise App Management
Ignoring the Intune Suite here to keep it a fair comparison, this costs $2 per user, per month which is considerably more than the likes of Scappman and PMPC. If we compare to PMPC, even if a user has two devices, it is still 10 times the cost. For large environments this could be problematic, especially on top of the M365 licensing costs.
Rating: 3/10
Robopack
Robopack have a sliding pricing structure where the cost reduces the more devices you have.
For companies under 100 devices and NGOs of any size, it’s completely free!
Some example pricing:
- For 1,000 devices, the price per device is around $3.50 (per year).
- For 5,000 devices, the price drops to approximately $3.00 per device (per year).
- As the number of devices continues to grow, the price further decreases, eventually reaching $2.00 per device (per year) or lower for larger volumes.
Rating: 8/10 (an extra point for the free tier)
ZeroTouch
As with Enterprise App Management, for a fair comparison I am going to ignore the numerous other features available and just look at this from a purely app management approach.
The basic cost is $4 per user per month, but as with the others, it does scale depending on the size of the estate so for that reason it gets an extra point over the Microsoft offering
Rating: 4/10
Application Catalogue
The all important one, just how many applications can I use this for? Clearly using a paid solution is only going to be worthwhile for a decent number of applications.
You can quickly check which platforms support your applications with my site here:
https://appcheck.euctoolbox.com
Winget
Winget currently has roughly 6000 packages in the community repository (here) which can be searched using the very useful winstall.app website. You can also add your own to the main repository, a private one, or a UNC path to deploy using a custom manifest file.
Rating: 9/10
Chocolatey
Chocolatey, at the time of writing, has just over 9000 packages in the community repository which can be searched here. You can, of course, add your own either to the community repository, or a private one.
Rating: 10/10
Patch My PC
Patch My PC currently have 1603 supported applications which are listed here. There is currently no way to add custom applications to this, although this should change with the cloud version.
Rating: 8/10
Scappman
Scappman has “over 1000” applications available (list here), but it does have the option to add your own.
Rating: 8/10
Intune Pckgr
At present, this has around 400 applications (full list here) which are all using the Winget community catalogue, but with further testing carried out by the Intune Pckgr team for extra peace of mind. There are also some packages curated by them directly available. All install scripts have been digitally code signed for additional security.
Rating: 5/10
PDQ Connect
At the time of writing, there are 154 packages available for deployment with the option to add your own custom applications (full list here). This is a very new product so I expect this to grow, but rating is as of June 2024
Rating: 2/10
Enterprise App Management
At the time of writing, there are roughly 450 packages available for deployment including a few which are quite niche. The roadmap looks exciting, but rating is based on the current catalogue (June 2024). Daniel Bradley keeps a list of them here
Rating: 5/10
Robopack
Robopack has an “instant apps” library of over 35000 applications including both Winget and the MS Store. All applications in the catalogue go through stringent testing and are repaired as required. The ability to add your own applications is a plus.
Another very useful feature, you can see exactly what is installed within an installer, every single file!
Rating: 10/10
ZeroTouch
ZeroTouch has 15000+ pre-packaged applications which have all been verified. It then also adds Winget, Chocolatey and various stores taking the published total to over 4 million!
Rating: 10/10
It should be noted, these ratings are purely based on the number of applications and you should always check the lists to make sure your key applications are on there. Whilst Chocolatey has a massive number of applications, a good percentage won’t be enterprise apps, unlike Patch My PC and Scappman where they are built for the enterprise so will have a higher percentage of those applications.
macOS Support
Intune support just keeps improving for macOS so it’s only right your apps should be managed too!
Winget
It’s a Windows package manager, so obviously nothing
Rating: 0/10
Chocolatey
Also Windows only sadly
Rating: 0/10
Patch My PC
It’s listed on the Roadmap which is worth a point
Rating: 1/10
Scappman
Not currently an option and I find it more unlikely since being bought by PMPC
Rating: 0/10
Intune Pckgr
It’s in beta, but it’s there and working. In ahead of the rest too!
Rating: 9/10
PDQ Connect
None and it uses an agent, so also unlikely
Rating: 0/10
Enterprise App Management
Maybe one day, but nothing there yet
Rating: 0/10
Robopack
Nothing yet and currently no sign on the roadmap
Rating: 0/10
ZeroTouch
macOS app support via adding your own files, or connecting to Apple VPP. Not quite as good as Pckgr with the pre-packaged options, but still better than the rest
Rating: 8/10
User Experience
From my testing, the user experience is the same across all platforms, as long as the work is put in to handle deployments and updates, the experience within Company Portal, or when updating applications should not differ in any way. The only thing I did notice is that some applications would uninstall and re-install rather than a straight upgrade, but this is something which can easily be picked up with some user-comms.
Rating: It’s a tie (although PDQ Connect and ZeroTouch are quicker to deploy apps)
Requirements
Winget
Winget is built in to Windows 11 and can be deployed as a Windows Store app on Windows 10 or from the GitHub Repo. If you are using the community repository, that is all that is required. If, however, you are opting for a custom repository you will need a method of storing the applications (GitHub or Azure blob) and it’s also not easy (Instructions here). I’m hoping it will be easier to add a custom repository in future releases. To keep things fair, I’m rating on a custom repository.
Rating: 6/10
Chocolatey
Chocolatey requires installing on Windows, but it’s carried out via a simple PowerShell script so can be easily deployed during an Intune build (and prior to app installs). Again, there is the choice of the community repository, but for this I’m going to look at the custom repository so I can control my application deployments. Chocolatey supports a much wider range of sources, including a simple UNC path, a server, or a package gallery hosted on an Azure Blob.
Rating: 8/10
Patch My PC
Patch My PC has no requirements on the end-user devices, but does require a machine of some sort to run the Publishing Server (instructions here). The requirements are minimal, but it will require storage for the application installers.
The new cloud version removes these requirements completely so I will rate for both
Server Rating: 8/10
Cloud Rating: 10/10
Scappman
Scappman is fully cloud based and hosted so no requirements on the end-user devices, or any back-end infrastructure. If adding custom applications, an internet accessible location to host the install files will be required.
Rating: 10/10
Intune Pckgr
Intune Pckgr is also cloud based so no requirements apart from an application registration into Graph.
Rating: 10/10
PDQ Connect
Also cloud based, but does require the agent to sit on devices.
Rating: 9/10
Intune Enterprise App Management
As this is built in to Intune, no requirements beyond licensing
Rating: 10/10
Robopack
Robopack is also cloud based so no requirements apart from an application registration into Graph.
Rating: 10/10
ZeroTouch
ZeroTouch is fully cloud based and like the others runs from an App Registration. A client is optional if you want to deploy directly to devices, or use some of the extra functionality, but it isn’t required for deploying straight to Intune
Rating: 10/10
Multi-Tenant Support
If you’re in an MSP environment, deploying the same application to multiple clients is incredibly time consuming and unproductive.
Winget
Winget can obviously be pointed to a central repository which can be used across multiple customers to reduce the amount of times an application is updated. The initial Intune configuration for both application deployments and updates will, however, still need to be completed manually on each tenant. This could be automated using PowerShell, JSON and the Microsoft Graph API, but it’s not exactly straight forward (happy to cover this in a future blog post if there is sufficient demand).
If using a community tool such as IntuneBackup.com you can automate the deployment across tenants.
Rating: 5/10
Rating if using Intunebackup.com: 7/10
Chocolatey
Similar to Winget, Chocolatey applications will need configuring on each individual tenancy, but can also be automated using PowerShell, Graph and JSON.
Rating: 5/10
Patch My PC
Patch My PC is currently one install per tenant so you will need multiple hosts to run the clients. The config work is all done in the publishing application though so there is less effort on the Intune side.
Multi-tenant support is now available using the MSP release (with different pricing)
Rating: 8/10
Scappman
Scappman supports multi-tenancy out of the box, in the portal, you simply switch between them.
Multi-tenant deployments are covered via App Sets so an application can be deployed to multiple tenants in one single deployment. This is potentially a game changer for any multi-tenant MSPs! Rating increased accordingly
Rating: 10/10
Intune Pckgr
As long as you are running above the basic package, multi-tenant support is included, but you do need to deploy the applications to each tenant individually.
Rating: 9/10
PDQ Connect
As there is currently no Entra ID or Intune integration, tenants do not exist at this point, all devices are treated the same. This does mean you will need to put in some more effort on grouping if supporting multiple companies
Rating: 8/10
Intune Enterprise App Management
As this is integrated directly into Intune, the UI is per-tenant so those working for an MSP will need to use Graph API to manage multiple customers
Rating: 6/10
Robopack
Robopack supports multiple tenants. Initial app deployment is per-tenant, but updates can be done cross-tenant.
Rating: 9/10
ZeroTouch
There is an MSP version coming soon, at the moment though it’s one instance per tenant
Rating: 5/10
Customization
Whilst a full hands-off approach is great, you may need to add your own apps, or customize the apps in the catalog. Here we will look at how each option handles these.
Winget
Out of the box, you have to use the community manifest files. You can add your own apps to the manifest, but clearly in-house apps won’t work.
The other option is a custom manifest file which does cover both custom commands and custom apps, but is a learning curve (I have covered it here)
You can also host your own repository on Azure, but obviously this comes with costs (and time)
Rating: 5/10
Chocolatey
With chocolatey, you can easily host your own repository for your own custom apps. Customizing install commands would require forking the package into your own repo though so it is a bit more of a hassle
Rating: 6/10
Patch My PC
You can customize the install commands and add pre/post scripts by right-clicking on applications. The new cloud version also includes the ability to add custom applications
Rating: 9/10
Scappman
You can add custom apps to Scappman and as the apps use PSADT underneath, you can edit the commands or add pre/post install commands with the Advanced options
Rating: 10/10
Intune Pckgr
This is purely winget so no changes available here
Rating: 0/10
PDQ Connect
You can add your own applications and scripts into this platform, but the in-built apps are less flexible.
Rating: 5/10
Intune Enterprise App Management
The apps are created as Win32 so you can edit install/uninstall commands and add custom requirements. Obviously custom apps aren’t an option (they would just be Win32) and pre/post would require new apps with dependencies
Rating: 2/10
Robopack
Full access to create your own apps, including bulk import and also import from SCCM. By default installations use PSADT so you can specify different command line, pre/post installs even at a per-tenant level.
Rating: 10/10
ZeroTouch
Full control over the existing apps, you can customize install strings, anything you like. You can also add your own applications including those with multiple installers.
Rating: 10/10
API Support
For those who like a bit of automation, can we tap into the inner workings of these?
Winget
As this is entirely client based, no API for interacting with app deployments, it could be done with a PS Script and Azure runbook with webhooks, but it’s certainly not native
Rating: 1/10
Chocolatey
Choco has an API, but it’s for interrogating devices and mostly GET commands. As with Winget, it would require some custom work
Rating: 1/10
Patch My PC
No public API (that I can find), everything in the UI/portal
Rating: 0/10
Scappman
Also no public API
Rating: 0/10
Intune Pckgr
Also no API
Rating: 0/10
PDQ Connect
This has an API for deploying apps to devices, checking groups and more (info here)
Rating: 7/10
Intune Enterprise App Management
As with everything Intune, it’s Graph underneath so if you can run it in the portal, you can run it in Graph!
Rating: 9/10
Robopack
Robopack include an API to view available apps, add to your account and better still, download the source code (in Intunewin, PSADT, or raw source). A welcome addition!
Rating: 7/10
ZeroTouch
An API is also available for ZeroTouch, maybe this is the start of a new trend!
Rating: 7/10
Data Sovereignty
Not to be rated, but this may be of interest depending on your compliance requirements
Winget
The manifests are all on GitHub (here), the actual location isn’t listed, presumed US
Chocolatey
Unknown, contact location is US so presuming the data is US as well
Patch My PC
All data is stored in US
Scappman
A mixture of European Union and US (a result of the PMPC purchase)
Intune Pckgr
Data is all stored in Australia
PDQ Connect
Seems to be US based
Intune Enterprise App Management
Hopefully matches your tenant location
Robopack
All data is stored in the European Union
ZeroTouch
Data location is selected during onboarding and all remains in the Azure region
Conclusion
Windows Package manager (Winget) shows a lot of potential, but as it currently stands is not ready for enterprise use, the lack of running in an elevated command is, to me at least, a deal-breaker. The idea is excellent and building it into Windows 11 will push adoption, but I’m hoping the future Intune integration will resolve the initial issues (if anyone from MS wants to add me into the preview, I’m always open to test).
By utilizing community offerings, it can be a very useful application deployment tool however and the free pricing is always a bonus.
Chocolatey is more established and easier to host a custom repository (plus it runs in the system context). The deployment of applications and especially updating is not as easy as some of the other options, but if cost is an issue, it’s always a safe bet (I tend to include it as standard on an AVD build and then use Azure Runbooks to deploy and update applications by querying a text file hosted on an Azure blob). You can easily add your own applications as well to reach a fully Chocolatey controlled estate. Obviously it isn’t quite as polished as some of the paid alternatives when looking purely at Intune deployments.
Patch My PC is a solid and cost effective offering with a good selection of applications and if you prefer to keep things in-house rather than using a hosted platform, it is an excellent option. The addition of a hosted option is extremely welcome and well worth considering. They have a huge customer base and the package inventory is constantly growing.
Scappman is an excellent option if you want to go fully hosted, especially with a multi-tenant environment where App Sets will change your life! The advanced features are excellent; I’m a fan of the deployment rings in particular, and the ability to add custom apps is one feature which Patch My PC is currently lacking. It does come at a cost though, and whilst $11 per user, per year doesn’t sound like a lot, it’s four times the cost of Patch My PC and, when you look at larger estates, can become expensive. It will be interesting to see if there is any development now it is part of PMPC.
Intune Pckgr is a great low-cost option if you want something quick, cheap and secure but without the manual effort involved in running Winget yourself. The lack of auto-assignment is slightly annoying as it does add an extra step in the process and at present the app library isn’t as strong as the other options. There are also free alternatives if you don’t require any support.
PDQ Connect is a different option altogether as it completely bypasses Intune application management (apart from deploying the agent). The app deployment speed is impressive, but the app catalogue is currently too small to justify the cost. Looking at the roadmap though, this could be one to watch.
Enterprise App Management is the only native solution available and does have the backing of Microsoft. At the moment, the app catalogue doesn’t warrant the high pricing, but it will be interesting to see how it develops. Obviously if you are an Intune Suite customer for some of the other tooling, it is worth checking out.
Robopack is a quick and easy way to access a huge app catalogue as well as adding your own applications, including deploying in different formats and bulk import. The addition of update rings (with success criteria) and overrides for specifying commands really make it a front-runner. The pricing is competitive and the roadmap looks exciting! If you are under 100 users, this is a no-brainer: it’s free!
ZeroTouch.ai is so much more than a package manager. If you are only after app management, some of the other offerings here have the same basic functionality at a much lower price point so it would be difficult to recommend on that alone. However, if you currently have an RMM in place, switching to this will cover both that and your packaging and in those cases, I would definitely recommend it as a serious front-runner.
There really is no standout winner on this one. If looking at the paid options, please make sure you check the application list first. All have different price levels, so you need to see how many apps apply to you and then work out the yearly cost per app; this will give an idea of the cost-effectiveness of the different platforms.
For larger environments, the ability to customise and add your own apps should also be looked at.
Please get in touch if you would like further information or advice!
Hello!
Thanks for this great comparative article.
I’ve tried a few of the solutions you mention here and recently discovered Action1, which offers a free plan for 100 workstations and features a web interface.
The only downside so far is the need to deploy an agent.
Did you know about this solution?
Hi,
Yes, I’ve heard good things about Action1 as an RMM, I haven’t managed to find an app catalogue for it though. I’ll grab a trial/free plan and experiment
Anyone using IntuneWin32Deployer from Florian Salzmann (https://github.com/FlorianSLZ/IntuneWin32Deployer) should be aware that Falcon Sandbox indicated a possible keylogger: http://www.hybrid-analysis.com/sample/6b3bca249c7e8b8b8daddf4b7f6bf250a1274b0ce4e05ac156592ce9b7339ea6/66e09b02b26e9228260f9ad2
Hello Andrew, thank you for the wonderful and helpful article.
We have some users (devs) who have admin permissions on their devices. They have installed different apps as per their requirements which we do not control yet. Many are outdated and vulnerable.
Which tool is best for scanning the apps already installed and offering updates? Is it necessary to have an agent-based solution for this feature?
Winget can update all installed apps with upgrade all
For the others, you are best using the Discovered Apps and then adding those apps into the management tool
Hey Andrew, I appreciate the reviews and the info! I’m curious if you can review Ivanti’s Neurons Patch for Intune and see how it compares?
https://www.ivanti.com/products/ivanti-neurons-patch-for-intune
If I can get myself a free trial, I will happily test it
Hi Andrew,
Thanks for the comparison.
May I ask you a question? I’m testing Robopack actually. My goal is to add an application for all users as available in the company portal. So, if the user wants to use this application, he can install it. Now I want to update this application. I can create the deployment wave with Robopack and can create a required deployment. But then the application will be deployed to all users in this group. Have you tested this scenario?
Hi, Robopack should use the Intune functionality to automatically update available applications when a new version is released. You shouldn’t need to create an additional deployment for it
Can you test out https://www.realmjoin.com/ and compare?
If I can get a free trial, absolutely happy to
Hi Andrew, thank you for the comparison.
I wanted to test the Enterprise App Management but I didn’t know you pay for every user. I thought only the admin deploying the apps needs this subscription. Is it really so expensive?
Thank you
Yes, every user needs a license, it is an expensive option
Hi Taylor, and thanks for the article.
I would be pleased to view your thinking about Ninite.
The great, small and highly efficient deployment solution.
Regards.
Hi,
I don’t think it has Intune integration so it would not be quite as seamless as the others. I’ll give it a try though
Hey Andrew –
I noticed there was no mention of how these package managers interact with ESP+Autopilot. Would like to start using these other package manager solutions to deploy apps, but not being able to use Choco or Winget pushed apps during ESP/Autopilot kills the feature for me. Have attempted to use them in the past but they all fail during ESP/Autopilot…
Is there a way to use package managed apps (like choco, winget, intunepckgr, etc) during ESP+Autopilot?
Hi Paul,
I think IntunePckgr have functionality to update Winget first so they work in ESP.
Choco you could use app dependencies so the choco installer hits first.
PMPC and Robopack should work natively in ESP.
I’ll definitely add a section though!
Thanks Andrew
Yet more valuable info!
Do you guys know of any tool to patch apps on Mac devices?
I haven’t come across any automatic ones, I’m guessing you’ve looked at Munki?
Patch Manager Plus, it’s agent based and will inventory and patch any packages discovered on the Mac.
You can also look at scripting package updates and deploying apps using Brew (community package manager) or deploy apps using Apple’s VPP program (if available, these will auto update).
Why is the price rating for Robopack only 5/10?
It’s similar to Patch My PC which is also 5/10
PatchMyPC does have cleanup rules, so you can tell it to keep the last x number of versions of that app in Intune. I haven’t had to do any housekeeping at all.
Same rating (5/10) for Scappman and PMPC pricing does not seem fair.
11 USD per device is way more expensive than 2,5 USD per device (Intune Essentials edition).
Both have a lower limit of 2k USD per year. Scappman demands 200 devices as minimum, PMPC demands the 2k USD but grants you 615 devices for that price.
Scappman was priced per user when this was written. As PMPC now owns Scappman this will be updated when PMPC 2 is released to reflect
Noticed you didn’t include Win32 deployer in the tools section for Winget?
Added now
Hi Andrew, great comparison.
Any chance you could add PDQ Connect to your list of comparisons?
It’s a new Product but from a much loved company.
I’ll grab a free trial and give it a test run
Updated now with my findings 🙂
Andrew, I appreciate your time and effort reviewing these and sharing.
Glad you found it useful. I’ll give it an update when the new Patch My PC is released
I *think* winget now supports system context if I’m reading correctly (I’m new to this, basically learning about it all today). I also found this
https://github.com/Romanitho/Winget-autoupdate
which seems to be a clever way to deploy this in some way with whitelist/blacklist for packages to update. Locally, there’s a GUI that can detect installed software and add it to the list and you can then save that list into your whitelist before deploying it. I’ve not totally worked out what I’d need to do to use this from Intune as my updater, but it looks promising.
I’d been looking into some other patch managers/integrated management tools e.g. Atera and NinjaOne but they both seem to actually use chocolatey/winget behind the scenes anyway so for completeness I’m trying to work out whether we can use pure winget as a stopgap until we can justify the spend on something bigger…
In a fashion it does. If you use the Store App integration in Intune, that can run in the System context, but that is limited to store apps and a few selected third party apps, but it doesn’t have the selection that the community repo, Scappman or PMPC have.
As winget is open source, there are a few third party additions such as that which do work well and add functionality above what you get out of the box.
Watch this space for an announcement around Winget here as well 🙂
There is also Microsoft Advanced Package Management due out at some point as part of the Intune suite which is also worth considering. Once I’ve tried it, I’ll add it to the post
Choco has a GUI that can be installed but they made it as a separate package: https://community.chocolatey.org/packages/ChocolateyGUI/1.1.1
Great review, thanks Andrew 🙂
I believe there is new pricing planned for PMPC with the launch of the MSP version, so it may get cheaper if you can share a license pool across multiple Customers.
That leads onto the question for Scappman, if you need to buy a pool of licences per Customer, or per MSP? Plus I assume the cost per user comes down after 1,000?
Hi Paul, I’m looking forward to trying the MSP version of PMPC and see how well it works. Running it from one central server would definitely reduce the required infrastructure.
Scappman have special pricing available for MSPs, but I don’t know what it is. There is always the option to become a Partner as well which I imagine will come with discounted pricing too: https://www.scappman.com/partners. It’s probably worth dropping them a message, they were extremely helpful in configuring my demo account.
Thanks