Packaging, deploying and updating applications can be hugely time consuming, especially when trying to keep on top of the latest zero-day exploit in your apps (I’m looking at you Chrome!)
Fortunately there are now a handful of package managers available to take away this pain, especially useful when you have multiple customers with largely the same app estate.
For this post I’m going to be looking at what I think are the main 4 contenders: Windows Packager Manager (Winget), Chocolatey, Patch My PC and Scappman.
I will be looking at the ease of deployment, updating, cost, application catalogue, the user experience and any required infrastructure.
Let’s start with a quick look at the contenders:
Windows Package Manager (Winget) is a command line tool very similar to those Linux users will be familiar with. It is now built in to the latest versions of Windows 11 and Intune integration is due soon. Whilst it’s a Microsoft application, it is open source and available on GitHub
Chocolatey is another command line tool with a large community backing it with the latest packages and can be integrated into SCCM or Intune using Powershell.
Patch My PC is a Windows PC/Server application which then links in to either Intune or SCCM (or both) to deploy both applications and updates.
Scappman is a cloud based solution which integrates directly into Intune to deploy applications.
Ease of App Deployment
Arguably the most important part, how easy is it to deploy applications?
Winget without any Intune integration, the only deployment method is via Powershell (to find the commands, Winget.run is a good choice). Let’s use 7-Zip as an example for all of these, it’s one of the first apps I usually install on any new machine. We will cover custom repositories later.
To deploy 7-Zip using Winget, we need a command to run:
winget install -e --id 7zip.7zip --silent
We could push this out as a Powershell script directly in Intune, but wrapping and packaging as an application is my preferred approach to keep things similar across applications and also give the option for users to self-service install. Wrapping using PowerShell Application Deployment Toolkit (PSADT) would be a good choice for this.
In an ideal world, I’d add “–scope machine” to the install command, but currently Winget runs in the user context so would prompt for elevation which I’d hope won’t work for the majority of enterprise users! There is a workaround to deploy in the system context as I mentioned here, but it isn’t ideal and not officially supported.
Rating (currently): 2/10
Similar to Winget, Chocolatey is PowerShell based so we’ll need to wrap a script into a Win32 application to deploy (again, I’d look at PSADT). Chocolatey have a full searchable community repository on their website. We will cover custom repositories later.
For our 7-Zip example:
choco install 7zip
Chocolatey installs in the system context and community applications are largely configured to install silently by default.
Patch My PC
Patch My PC has a GUI application which runs on a Windows device (usually a deployment server), either on-prem, or could be in Azure. Once configured, deploying an application is a case of finding the application in the list and marking it for deployment:
You can also configure assignments via the right-click menu to further reduce the effort on the Intune portal.
After the next sync schedule (or a manual sync), the application will display in Intune and Company Portal (if deployed as available).
Scappman is fully cloud based so all application deployment is via their portal. After logging in, navigate to the app store and find your application, click Get and then click Install
Clicking Advanced gives a lot of additional options some of which are very powerful. As well as the assignments (which links directly to your Entra tenancy to discover groups), you can configure pre and post-install tasks and even deployment rings to deploy updates in a staggered manner.
After clicking install, the application will display within Intune soon afterwards.
Rating: 10/10 (in Advanced mode)
Deploying apps is obviously a key part, but I would say keeping them updated is the main purpose of a package manager. The issue has always been around applications which are “Available” for install rather than Required apps. With a required application, you know it’s there and simply deploy the update to the same group. With Available applications, Intune has no way of knowing easily who has it and whilst you can push out an updated application, it won’t update any existing installs. So, let’s see how our contenders manage:
Winget has the –upgrade command where we can specify a single application, or tell it to upgrade all applications on the machine. We can then use pro-active remediation to detect if the application is installed and if detected, run the update script on a fixed schedule. This works nicely, but obviously if you start hitting hundreds of applications, it’s a chore to setup initially.
Using the switch to upgrade all apps will get us around this issue and also won’t require any detection, but, it will try and update EVERY application it detects on the machine which it has listed in the repo, even those installed using another method. In my testing, this included Microsoft Office which then completely bypassed my carefully configured update rings and just threw everything onto Current Branch (excluding/pinning apps has been requested here). Using a custom repo may help with this, but I like more control over my application updates, especially once we hit the likes of Java runtimes.
Similar to Winget, updating is via a command line to either specify an application, or kick off an update on all applications. Fortunately Chocolatey does have an exclude command so at least I can remove some applications, but this does mean hard-coding a list of applications to exclude and there is always the chance that one particular application slips through and causes issues.
Patch My PC
Patch My PC works differently. For each new version of an application, it publishes a new package into Intune automatically. This gives you the ability to test the new applications prior to deployment and then deploy when happy (either manually assigning, or use supercedence).
It also adds a secondary application for an Update to the application.
Updating available applications works well via a custom detection script, but obviously it requires deploying the update application to everyone and then let the script work it out.
These all work well (although I should mention that when testing with GIMP, the app update wasn’t quite as silent as I would have expected, even though the install strings appeared correct).
My only complaint is that Intune can become a bit cluttered with apps which regularly update so there is some house-keeping required. Also, adding all machines/users into the update applications can clutter the success/fail of applications with a lot of additional “Not Applicable” entries.
Scappman has a different approach again. When deploying using the Advanced deployment features, you can specify update rings, same as I recommend for Windows and Office.
When a new version of an application is available, it will push out the update depending on the ring the user/device is in so a new version can go through UAT before reaching the full estate.
Each version replaces the previous one so it looks neater in Intune, but should you have an issue with a particular version, I haven’t found a way of rolling back to the previous one.
Updating Available applications works in the same way as Patch My PC with an additional application and custom detection script, the only difference is the assignments configuration is done for you.
My testing found this worked well and it correctly updated an application installed manually as well as one pushed out centrally.
This all sounds ideal, I’m a firm believer that if something can be automated, it absolutely should be, why spend 5 minutes doing a quick task when you can spend 3 days writing a script to do it for you (but future you will thank you for it). The question is, at what cost does this automation come…let’s find out:
It’s made by Microsoft, but it’s open source and on GitHub. The only potential cost would be hosting your own repository, probably on an Azure Storage blob. You can host on GitHub for the repo, but I haven’t seen any way to use a private repository so it’s a bit more risky if you start publishing private or paid applications.
Rating: 9.5/10 (I’d host my own)
Chocolatey has a free version using the community repository or you can host your own on the free plan as well. There is also a business version which adds extra functionality (comparison here) for $15.60 per machine, per year.
Rating: 9.5/10 (self-hosted, community version)
Patch My PC
Patch My PC have three different licensing options, Enterprise (MEMCM/SCCM only), Intune or Enterprise Plus (both). To keep things fair, I’ll work on the Intune only license at $2.50 per device per year. I should point out that it does have a minimum of $2000 per year so if you don’t have a large fleet, the device cost should be calculated accordingly.
Scappman has a fixed price for up to 1000 users of $11 per user, per year so it is more cost effective up to around 175 users compared to Patch My PC.
The all important one, just how many applications can I use this for? Clearly using a paid solution is only going to be worthwhile for a decent number of applications.
Winget currently has roughly 3000 packages in the community repository (here) which can be searched using the very useful winget.run website. You can also add your own to the main repository, a private one, or a UNC path to deploy using a custom manifest file.
Chocolatey, at the time of writing, has just over 9000 packages in the community repository which can be searched here. You can, of course, add your own either to the community repository, or a private one.
Patch My PC
Patch My PC currently have 618 supported applications which are listed here. There is currently no way to add custom applications to this.
Scappman has “over 480” (edit: Now over 500 and growing!) applications available (list here), but it does have the option to add your own.
It should be noted, these ratings are purely based on the number of applications and you should always check the lists to make sure your key applications are on there. Whilst Chocolatey has a massive number of applications, a good percentage won’t be enterprise apps, unlike Patch my PC and Scappman where they are built for the enterprise so will have a higher percentage of those applications.
From my testing, the user experience is the same across all platforms, as long as the work is put in to handle deployments and updates, the experience within Company Portal, or when updating applications should not differ in any way. The only thing I did notice is that some applications would uninstall and re-install rather than a straight upgrade, but this is something which can easily be picked up with some user-comms.
Rating: It’s a tie
Winget is built in to Windows 11 and can be deployed as a Windows Store app on Windows 10 or from the GitHub Repo. If you are using the community repository, that is all that is required. If, however, you are opting for a custom repository you will need a method of storing the applications (GitHub or Azure blob) and it’s also not easy (Instructions here). I’m hoping it will be easier to add a custom repository in future releases. To keep things fair, I’m rating on a custom repository.
Chocolatey requires installing on Windows, but it’s carried out via a simple Powershell script so can be easily deployed during an Intune build (and prior to app installs). Again, there is the choice of the community repository, but for this I’m going to look at the custom repository so I can control my application deployments. Chocolatey supports a much wider range of sources, including a simple UNC path, a server, or a package gallery hosted on an Azure Blob.
Patch My PC
Patch My PC has no requirements on the end-user devices, but does require a machine of some sort to run the Publishing Server (instructions here). The requirements are minimal, but it will require storage for the application installers.
Scappman is fully cloud based and hosted so no requirements on the end-user devices, or any back-end infrastructure. If adding custom applications, an internet accessible location to host the install files will be required.
If you’re in an MSP environment, deploying the same application to multiple clients is incredibly time consuming and unproductive.
Winget can obviously be pointed to a central repository which can be used across multiple customers to reduce the amount of times an application is updated. The initial Intune configuration for both application deployments and updates will, however, still need to be completed manually on each tenant. This could be automated using Powershell, JSON and the Microsoft Graph API, but it’s not exactly straight forward (happy to cover this in a future blog post if there is sufficient demand).
Similar to Winget, Chocolatey applications will need configuring on each individual tenancy, but can also be automated using Powershell, Graph and JSON.
Patch My PC
Patch My PC is currently one install per tenant so you will need multiple hosts to run the clients. The config work is all done in the publishing application though so there is less effort on the Intune side.
Multi-tenant support is now in private preview so this should be resolved in a future release.
Rating: 6/10 (until multi-tenant release)
Scappman supports multi-tenancy out of the box, in the portal, you simply switch between them.
Each tenant does need configuring individually though so currently no option to pick and application and deploy to all of the tenants in one go (which would be awesome).
Edit to add: Mutli-tenant deployments are covered via App Sets so an application can be deployed to multiple tenants in one single deployment. This is potentially a game changer for any mutli-tenant MSPs! Rating increased accordingly
Windows Package manager (Winget) shows a lot of potential, but as it currently stands is not ready for enterprise use, the lack of running in an elevated command is, to me at least, a deal-breaker. The idea is excellent and building it into Windows 11 will push adoption, but I’m hoping the future Intune integration will resolve the initial issues (if anyone from MS wants to add me into the preview, I’m always open to test).
Chocolatey is more established and easier to host a custom repository (plus it runs in the system context). The deployment of applications and especially updating is not as easy as some of the other options, but if cost is an issue, it’s always a safe bet (I tend to include it as standard on an AVD build and then use Azure Runbooks to deploy and update applications by querying a text file hosted on an Azure blob). You can easily add your own applications as well to reach a fully Chocolatey controlled estate. Obviously it isn’t quite as polished as some of the paid alternatives when looking purely at Intune deployments.
Patch My PC is a solid and cost effective offering with a good selection of applications and if you prefer to keep things in-house rather than using a hosted platform, it is an excellent option. Once the multi-tenant version is released, a simple Azure VM could be created to control all tenants from one server. Whilst I like the idea of having multiple versions of applications available, it does seem like additional work to configure the deployments for each one.
Scappman is an excellent option if you want to go fully hosted, especially with a multi-tenant environment where App Sets will change your life! The advanced features are excellent, I’m a fan of the deployment rings in particular and the ability to add custom apps is one feature which Patch My PC is currently lacking. It does come at a cost though and whilst $11 per user, per year doesn’t sound like a lot, it’s four times the cost of Patch My PC and when you look at larger estates, can become expensive.
There really is no standout winner on this one, if looking at the paid options, please make sure you check the application list first. I’ll be interested to see how the Intune integration works with Winget and also the implementation of multi-tenancy on Patch My PC.