Comparing Package Managers

Packaging, deploying and updating applications can be hugely time-consuming, especially when trying to keep on top of the latest zero-day exploit in your apps (I’m looking at you, Chrome!).

Fortunately there are now a handful of package managers available to take away this pain, especially useful when you have multiple customers with largely the same app estate.

For this post I’m going to be looking at what I think are the main 4 contenders: Windows Package Manager (Winget), Chocolatey, Patch My PC and Scappman.

Update November 2023 – Now including Intune Pckgr and PDQ Connect

Update February 2024 – Now includes Intune Enterprise App Management and Robopack

I will be looking at the ease of deployment, updating, cost, application catalogue, the user experience and any required infrastructure.

Let’s start with a quick look at the contenders:

Windows Package Manager (Winget) is a command line tool very similar to those Linux users will be familiar with. It is now built in to the latest versions of Windows 11 and Intune integration is due soon. Whilst it’s a Microsoft application, it is open source and available on GitHub

Chocolatey is another command line tool with a large community backing it with the latest packages and can be integrated into SCCM or Intune using Powershell.

Patch My PC is a Windows PC/Server application which then links in to either Intune or SCCM (or both) to deploy both applications and updates.

Scappman is a cloud based solution which integrates directly into Intune to deploy applications.

NOTE: Scappman has been purchased by Patch My PC, but at present, both are still available individually. This will be updated as and when this changes.

Intune Pckgr is a cloud based solution based on the Winget library with direct Intune integration to deploy and update applications

PDQ Connect is a new product from the company who created PDQ Deploy which is fully cloud based. It does not have Intune integration but runs using its own agent. This is a new offering with an exciting roadmap.

Intune Enterprise App Management is an addition to the Microsoft Intune suite which manages application deployment and updates all within the Intune console. A new release with a lot of applications planned!

Robopack is a relative newcomer with a large selection of applications (mostly Winget), fully SaaS and Intune integrated

Ease of App Deployment

Arguably the most important part, how easy is it to deploy applications?

Winget

Without any Intune integration, the only deployment method for Winget is via PowerShell (to find the commands, Winget.run is a good choice). Let’s use 7-Zip as an example for all of these; it’s one of the first apps I usually install on any new machine. We will cover custom repositories later.

To deploy 7-Zip using Winget, we need a command to run:

winget install 7zip

We could push this out as a Powershell script directly in Intune, but wrapping and packaging as an application is my preferred approach to keep things similar across applications and also give the option for users to self-service install. Wrapping using PowerShell Application Deployment Toolkit (PSADT) would be a good choice for this.

In an ideal world, I’d add “--scope machine” to the install command, but currently Winget runs in the user context so would prompt for elevation, which I’d hope won’t work for the majority of enterprise users! There is a workaround to deploy in the system context as I mentioned here, but it isn’t ideal and not officially supported.

Update:

There are now some third party tools to deploy Winget apps directly into Intune such as this from Stephan van Rooij, Win32 deployer from Florian Salzmann and my own tool.

Rating (currently): 2/10

Rating with community tools: 7/10

Chocolatey

Similar to Winget, Chocolatey is PowerShell based so we’ll need to wrap a script into a Win32 application to deploy (again, I’d look at PSADT). Chocolatey has a full searchable community repository on their website. We will cover custom repositories later.

For our 7-Zip example:

choco install 7zip

Chocolatey installs in the system context and community applications are largely configured to install silently by default.

Rating: 5/10

Patch My PC

Patch My PC has a GUI application which runs on a Windows device (usually a deployment server), either on-prem, or could be in Azure. Once configured, deploying an application is a case of finding the application in the list and marking it for deployment:

Unable to find 7-zip in the catalog

You can also configure assignments via the right-click menu to further reduce the effort on the Intune portal.

After the next sync schedule (or a manual sync), the application will display in Intune and Company Portal (if deployed as available).

Rating 9/10

Scappman

Scappman is fully cloud based so all application deployment is via their portal. After logging in, navigate to the app store and find your application, click Get and then click Install

Clicking Advanced gives a lot of additional options some of which are very powerful. As well as the assignments (which links directly to your Entra tenancy to discover groups), you can configure pre and post-install tasks and even deployment rings to deploy updates in a staggered manner.

After clicking install, the application will display within Intune soon afterwards.

Rating: 10/10 (in Advanced mode)

Intune Pckgr

Similar to Scappman, Intune Pckgr uses a web-based portal to find and deploy applications. Simply click the + button to add to your Company:

Then deploy it:

The application is then added to Intune, but not assigned so you do have that additional step involved

Rating 8/10

PDQ Connect

The first step with PDQ Connect is to deploy the agent to your devices. I did this by packaging as a Win32 and then deploying via Intune which did seem a little counter-productive, but this solution is designed to also work stand-alone.

Once the agent has been added, application deployment is straightforward: find your application, click deploy and select either devices or configured groups from the list:

I found deployment to be extremely quick and totally silent, definitely quicker than waiting for an Intune sync.

The obvious downsides are the lack of Intune integration so it’s another portal to manage, no user-based assignments and no self-service option

Rating: 6/10

Intune Enterprise App Management

As you would expect with a native feature, deploying apps is incredibly straightforward: you select the application as you would when deploying a store application. It then converts to a Win32 and deploys to your environment. Similar to the other options, all application details are pre-configured.

Deployments are as quick as any other Intune application

Rating: 10/10

Robopack

Once you have added your tenant in the Settings menu, it is simply a case of searching for your application and clicking Import. Once in your apps, you can then deploy to Intune. You can also configure assignments as required with some default templates in place which work well.

You also have the option of adding your own applications which it will convert to intunewin and deploy for you

Deployments are as quick as any other Intune application. Out of the box the apps deploy using PSADT with the option to change to your own script if required

Rating: 9/10


Updating Apps

Deploying apps is obviously a key part, but I would say keeping them updated is the main purpose of a package manager. The issue has always been around applications which are “Available” for install rather than Required apps. With a required application, you know it’s there and simply deploy the update to the same group. With Available applications, Intune has no way of knowing easily who has it and whilst you can push out an updated application, it won’t update any existing installs. So, let’s see how our contenders manage:

Winget

Winget has the upgrade command, where we can specify a single application or tell it to upgrade all applications on the machine. We can then use proactive remediation to detect if the application is installed and, if detected, run the update script on a fixed schedule. This works nicely, but if you start hitting hundreds of applications, it’s a chore to set up initially.

Using the switch to upgrade all apps will get us around this issue and also won’t require any detection, but, it will try and update EVERY application it detects on the machine which it has listed in the repo, even those installed using another method. In my testing, this included Microsoft Office which then completely bypassed my carefully configured update rings and just threw everything onto Current Branch (excluding/pinning apps has been requested here). Using a custom repo may help with this, but I like more control over my application updates, especially once we hit the likes of Java runtimes.
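As an added example (not the author's script or part of any of the tools above), the detect-then-upgrade approach can be driven by an allow-list instead of the upgrade-all switch, so only named packages are ever touched. The package IDs, the `$Mode` switch and the assumption that winget is on the PATH for the account the remediation runs as are illustrative.

```powershell
# Added example: allow-list driven Winget updating for Intune proactive remediation.
# Intune takes two script files; save this twice, with $Mode = 'Detect' in the
# detection copy and $Mode = 'Remediate' in the remediation copy (hypothetical switch).
$Mode = 'Detect'

# Assumption: sample allow-list. Only these exact package IDs are ever upgraded,
# so Office and anything else on its own update ring is left alone.
$AllowList = @('7zip.7zip', 'Google.Chrome')

# winget exit code for "no applicable upgrade found" (0x8A15002B as a signed int).
$NoUpdateApplicable = -1978335189

function Get-WingetPath {
    # Resolve winget for the account the script runs as; $null if it is not available.
    $cmd = Get-Command winget.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    return $null
}

function Test-UpgradeAvailable {
    param([string]$Winget, [string]$Id)
    # --exact and --source stop a similarly named package in another source from matching.
    # --upgrade-available only lists installed packages, so apps that are absent are skipped.
    $wingetArgs = @('list', '--id', $Id, '--exact', '--source', 'winget',
        '--upgrade-available', '--accept-source-agreements')
    $out = & $Winget @wingetArgs 2>&1 | Out-String
    # Require both a clean exit and the ID in the output; the ID is not localised.
    return ($LASTEXITCODE -eq 0 -and $out -match [regex]::Escape($Id))
}

function Invoke-Upgrade {
    param([string]$Winget, [string]$Id)
    $wingetArgs = @('upgrade', '--id', $Id, '--exact', '--source', 'winget', '--silent',
        '--accept-package-agreements', '--accept-source-agreements')
    & $Winget @wingetArgs 2>&1 | Out-Null
    return $LASTEXITCODE
}

$winget = Get-WingetPath
if (-not $winget) {
    # Surface the problem in the Intune report instead of silently reporting compliant.
    Write-Output 'winget not found for this account'
    exit 1
}

# Work out which allow-listed packages are installed and behind.
$pending = @($AllowList | Where-Object { Test-UpgradeAvailable -Winget $winget -Id $_ })

if ($Mode -eq 'Detect') {
    if ($pending.Count -gt 0) {
        Write-Output ('Upgrade available: ' + ($pending -join ', '))
        exit 1   # non-zero exit tells Intune to run the remediation script
    }
    Write-Output 'All allow-listed packages are current or not installed'
    exit 0
}

# Remediate: upgrade only what detection would have flagged, and record failures.
$failed = @()
foreach ($id in $pending) {
    $code = Invoke-Upgrade -Winget $winget -Id $id
    if ($code -ne 0 -and $code -ne $NoUpdateApplicable) {
        $failed += "$id (exit $code)"
    }
}

if ($failed.Count -gt 0) {
    Write-Output ('Upgrade failed: ' + ($failed -join ', '))
    exit 1
}
Write-Output ('Upgraded: ' + ($pending -join ', '))
exit 0
```

Adding an application to the schedule then means adding one ID to the list rather than a new detection and remediation pair.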

Update:

Using community tools such as this application and ADMX, you can fully automate the updating of Winget applications

Rating: 6/10

Rating: 9/10 with community tools

Chocolatey

Similar to Winget, updating is via a command line to either specify an application, or kick off an update on all applications. Fortunately Chocolatey does have an exclude command so at least I can remove some applications, but this does mean hard-coding a list of applications to exclude and there is always the chance that one particular application slips through and causes issues.

Rating: 7/10

Patch My PC

Patch My PC works differently. For each new version of an application, it publishes a new package into Intune automatically. This gives you the ability to test the new applications prior to deployment and then deploy when happy (either manually assigning, or using supersedence).

It also adds a secondary application for an Update to the application.

Updating available applications works well via a custom detection script, but obviously it requires deploying the update application to everyone and then letting the script work it out.

These all work well (although I should mention that when testing with GIMP, the app update wasn’t quite as silent as I would have expected, even though the install strings appeared correct).

My only complaint is that Intune can become a bit cluttered with apps which regularly update so there is some house-keeping required. Also, adding all machines/users into the update applications can clutter the success/fail of applications with a lot of additional “Not Applicable” entries.

Rating: 9/10

Scappman

Scappman has a different approach again. When deploying using the Advanced deployment features, you can specify update rings, same as I recommend for Windows and Office.

When a new version of an application is available, it will push out the update depending on the ring the user/device is in so a new version can go through UAT before reaching the full estate.

Each version replaces the previous one so it looks neater in Intune, but should you have an issue with a particular version, I haven’t found a way of rolling back to the previous one.

Updating Available applications works in the same way as Patch My PC with an additional application and custom detection script, the only difference is the assignments configuration is done for you.

My testing found this worked well and it correctly updated an application installed manually as well as one pushed out centrally.

Rating: 9/10

Intune Pckgr

In the interest of fairness, this is working on the purchase of the advanced package as most of our other options are paid-for.

Updates are handled automatically via a checkbox during deployment which leverages the Graph API to push out latest versions with versioning. There is also the option to deploy an update only application which uses custom requirements scripts to deploy accordingly.

As with Patch My PC, the only complaint is application clutter for a regularly updating application.

Rating: 9/10

PDQ Connect

By leveraging the Automations functionality, you can set your applications to remain always updated automatically. You can also configure Device Groups should you wish to use rings to test initially and configure the schedules accordingly.

If this supported user-based deployment, it would score the full 10

Rating: 9/10

Enterprise App Management

App updates have their own menu within Intune where you can quickly review which applications in the estate require updates and select them within the UI.

Updating is a manual process, but is quick and easy to complete. Bulk actions would be a welcome addition though for larger estates, especially as the app catalogue increases

Rating: 9/10

Robopack

Similar to Enterprise App Management, there is a menu option for updating applications in the estate with a simple button to deploy the update. There is also bulk update functionality available.

Rating: 9/10


Cost

This all sounds ideal, I’m a firm believer that if something can be automated, it absolutely should be, why spend 5 minutes doing a quick task when you can spend 3 days writing a script to do it for you (but future you will thank you for it). The question is, at what cost does this automation come…let’s find out:

Winget

It’s made by Microsoft, but it’s open source and on GitHub. The only potential cost would be hosting your own repository, probably on an Azure Storage blob. You can host on GitHub for the repo, but I haven’t seen any way to use a private repository so it’s a bit more risky if you start publishing private or paid applications.

Rating: 9.5/10 (I’d host my own)

Chocolatey

Chocolatey has a free version using the community repository or you can host your own on the free plan as well. There is also a business version which adds extra functionality (comparison here) for $15.60 per machine, per year.

Rating: 9.5/10 (self-hosted, community version)

Patch My PC

Patch My PC have three different licensing options, Enterprise (MEMCM/SCCM only), Intune or Enterprise Plus (both). To keep things fair, I’ll work on the Intune only license at $2.50 per device per year. I should point out that it does have a minimum of $2000 per year so if you don’t have a large fleet, the device cost should be calculated accordingly.

Rating: 5/10

Scappman

Scappman has a fixed price for up to 1000 users of $11 per user, per year so it is more cost effective up to around 175 users compared to Patch My PC.

Rating: 5/10

Intune Pckgr

Intune Pckgr runs at device-based licensing with different tiers depending on the number of devices. You do not pay per-device, it is a fixed rate for the device levels (100, 1000, 2500, 5000). The costs range from $19 per month to $79 per month (with discounts for annual subscriptions). The basic 100 device subscription is also single-tenant so any small MSPs will need 1000 devices.

All price levels compare favourably to PMPC and Scappman

Rating: 7/10

PDQ Connect

PDQ Connect has a minimum of $1200 per year for 100 devices with an additional cost of $12 per device, per year.

For a small environment, this is slightly cheaper than PMPC and Scappman, but more expensive than Intune Pckgr.

When looking at over 1000 devices/users, it is the most expensive option here.

Rating: 4/10

Enterprise App Management

Ignoring the Intune Suite here to keep it a fair comparison, this costs $2 per user, per month, which is considerably more than the likes of Scappman and PMPC. If we compare to PMPC, even if a user has two devices, it is still 10 times the cost. For large environments this could be problematic, especially on top of the M365 licensing costs.

Rating: 2/10

Robopack

Robopack have a similar pricing structure to IntunePckgr where you pay a fixed fee per year depending on the number of devices across all managed tenants. At the time of writing the pricing is:
250 clients – $1750 per year ($7 per client per year)
500 clients – $2500 per year ($5 per client per year)
1500 clients – $4950 per year ($3.3 per client per year)
3000 clients – $9000 per year ($3 per client per year)
5000 clients – $12500 per year ($2.5 per client per year)
10000 clients – $22250 per year ($2.25 per client per year)
Over 200000 clients – $2 per client per year

This is competitive pricing to the other options in the market. If you quote my name on the contact form, you will also receive 20% off the pricing here!

Rating: 5/10


Application Catalogue

The all important one, just how many applications can I use this for? Clearly using a paid solution is only going to be worthwhile for a decent number of applications.

Winget

Winget currently has roughly 5500 packages in the community repository (here) which can be searched using the very useful winget.run website. You can also add your own to the main repository, a private one, or a UNC path to deploy using a custom manifest file.

Rating: 9/10

Chocolatey

Chocolatey, at the time of writing, has just over 9000 packages in the community repository which can be searched here. You can, of course, add your own either to the community repository, or a private one.

Rating: 10/10

Patch My PC

Patch My PC currently have 862 supported applications which are listed here. There is currently no way to add custom applications to this.

Rating: 7/10

Scappman

Scappman has “over 480” (edit: Now over 500 and growing!) applications available (list here), but it does have the option to add your own.

Rating: 6/10

It should be noted, these ratings are purely based on the number of applications and you should always check the lists to make sure your key applications are on there. Whilst Chocolatey has a massive number of applications, a good percentage won’t be enterprise apps, unlike Patch my PC and Scappman where they are built for the enterprise so will have a higher percentage of those applications.

Intune Pckgr

At present, this has around 400 applications (full list here) which are all using the Winget community catalogue, but with further testing carried out by the Intune Pckgr team for extra peace of mind. There are also some packages curated by them directly available. All install scripts have been digitally code signed for additional security.

Rating: 5/10

PDQ Connect

At the time of writing, there are 154 packages available for deployment with the option to add your own custom applications. This is a very new product so I expect this to grow, but rating is as of November 2023

Rating: 2/10

Enterprise App Management

At the time of writing, there are roughly 100 packages available for deployment, including a few which are quite niche. The roadmap looks exciting, but rating is based on the current catalogue (February 2024).

Rating: 2/10

Robopack

The instant apps claims over 19000 apps, most of which I imagine are Winget apps and store apps. All applications in the catalogue go through stringent testing and are repaired as required. The ability to add your own applications is a plus.

Rating: 10/10


User Experience

From my testing, the user experience is the same across all platforms, as long as the work is put in to handle deployments and updates, the experience within Company Portal, or when updating applications should not differ in any way. The only thing I did notice is that some applications would uninstall and re-install rather than a straight upgrade, but this is something which can easily be picked up with some user-comms.

Rating: It’s a tie (although PDQ Connect is quicker to deploy apps)


Requirements

Winget

Winget is built in to Windows 11 and can be deployed as a Windows Store app on Windows 10 or from the GitHub Repo. If you are using the community repository, that is all that is required. If, however, you are opting for a custom repository you will need a method of storing the applications (GitHub or Azure blob) and it’s also not easy (Instructions here). I’m hoping it will be easier to add a custom repository in future releases. To keep things fair, I’m rating on a custom repository.

Rating: 6/10

Chocolatey

Chocolatey requires installing on Windows, but it’s carried out via a simple Powershell script so can be easily deployed during an Intune build (and prior to app installs). Again, there is the choice of the community repository, but for this I’m going to look at the custom repository so I can control my application deployments. Chocolatey supports a much wider range of sources, including a simple UNC path, a server, or a package gallery hosted on an Azure Blob.

Rating: 8/10

Patch My PC

Patch My PC has no requirements on the end-user devices, but does require a machine of some sort to run the Publishing Server (instructions here). The requirements are minimal, but it will require storage for the application installers.

Rating: 8/10

Scappman

Scappman is fully cloud based and hosted so no requirements on the end-user devices, or any back-end infrastructure. If adding custom applications, an internet accessible location to host the install files will be required.

Rating: 10/10

Intune Pckgr

Intune Pckgr is also cloud based so no requirements apart from an application registration into Graph.

Rating: 10/10

PDQ Connect

Also cloud based, but does require the agent to sit on devices.

Rating: 9/10

Intune Enterprise App Management

As this is built in to Intune, no requirements beyond licensing

Rating: 10/10

Robopack

Robopack is also cloud based so no requirements apart from an application registration into Graph.

Rating: 10/10


Multi-Tenant Support

If you’re in an MSP environment, deploying the same application to multiple clients is incredibly time consuming and unproductive.

Winget

Winget can obviously be pointed to a central repository which can be used across multiple customers to reduce the amount of times an application is updated. The initial Intune configuration for both application deployments and updates will, however, still need to be completed manually on each tenant. This could be automated using Powershell, JSON and the Microsoft Graph API, but it’s not exactly straight forward (happy to cover this in a future blog post if there is sufficient demand).

If using a community tool such as IntuneBackup.com you can automate the deployment across tenants.

Rating: 5/10

Rating if using Intunebackup.com: 7/10

Chocolatey

Similar to Winget, Chocolatey applications will need configuring on each individual tenancy, but can also be automated using Powershell, Graph and JSON.

Rating: 5/10

Patch My PC

Patch My PC is currently one install per tenant so you will need multiple hosts to run the clients. The config work is all done in the publishing application though so there is less effort on the Intune side.

Multi-tenant support is now in private preview so this should be resolved in a future release.

Rating: 6/10 (until multi-tenant release)

Scappman

Scappman supports multi-tenancy out of the box; in the portal, you simply switch between them. Each tenant does need configuring individually though, so currently there is no option to pick an application and deploy to all of the tenants in one go (which would be awesome).

Edit to add: Multi-tenant deployments are covered via App Sets so an application can be deployed to multiple tenants in one single deployment. This is potentially a game changer for any multi-tenant MSPs! Rating increased accordingly.

Rating: 10/10

Intune Pckgr

As long as you are running above the basic package, multi-tenant support is included, but you do need to deploy the applications to each tenant individually.

Rating: 9/10

PDQ Connect

As there is currently no Entra ID or Intune integration, tenants do not exist at this point, all devices are treated the same. This does mean you will need to put in some more effort on grouping if supporting multiple companies

Rating: 8/10

Intune Enterprise App Management

As this is integrated directly into Intune, the UI is per-tenant so those working for an MSP will need to use Graph API to manage multiple customers

Rating: 6/10

Robopack

Robopack supports multiple tenants. Initial app deployment is per-tenant, but updates can be done cross-tenant.

Rating: 9/10


Conclusion

Windows Package Manager (Winget) shows a lot of potential, but as it currently stands it is not ready for enterprise use; the lack of support for running elevated is, to me at least, a deal-breaker. The idea is excellent and building it into Windows 11 will push adoption, but I’m hoping the future Intune integration will resolve the initial issues (if anyone from MS wants to add me into the preview, I’m always open to test).
By utilizing community offerings, however, it can be a very useful application deployment tool, and the free pricing is always a bonus.

Chocolatey is more established and easier to host a custom repository (plus it runs in the system context). The deployment of applications and especially updating is not as easy as some of the other options, but if cost is an issue, it’s always a safe bet (I tend to include it as standard on an AVD build and then use Azure Runbooks to deploy and update applications by querying a text file hosted on an Azure blob). You can easily add your own applications as well to reach a fully Chocolatey controlled estate. Obviously it isn’t quite as polished as some of the paid alternatives when looking purely at Intune deployments.

Patch My PC is a solid and cost effective offering with a good selection of applications and if you prefer to keep things in-house rather than using a hosted platform, it is an excellent option. Once the multi-tenant version is released, a simple Azure VM could be created to control all tenants from one server. Whilst I like the idea of having multiple versions of applications available, it does seem like additional work to configure the deployments for each one.

Scappman is an excellent option if you want to go fully hosted, especially with a multi-tenant environment where App Sets will change your life! The advanced features are excellent, I’m a fan of the deployment rings in particular and the ability to add custom apps is one feature which Patch My PC is currently lacking. It does come at a cost though and whilst $11 per user, per year doesn’t sound like a lot, it’s four times the cost of Patch My PC and when you look at larger estates, can become expensive.

Intune Pckgr is a great low-cost option if you want something quick, cheap and secure but without the manual effort involved in running Winget yourself. The lack of auto-assignment is slightly annoying as it does add an extra step in the process and at present the app library isn’t as strong as the other options.

PDQ Connect is a different option altogether as it completely bypasses Intune application management (apart from deploying the agent). The app deployment speed is impressive, but the app catalogue is currently too small to justify the cost. Looking at the roadmap though, this could be one to watch.

Enterprise App Management is the only native solution available and does have the backing of Microsoft. At the moment, the app catalogue doesn’t warrant the high pricing, but it will be interesting to see how it develops. Obviously if you are an Intune Suite customer for some of the other tooling, it is worth checking out.

Robopack is a quick and easy way to access a huge app catalogue as well as adding your own applications. The system works well, but without pricing, it is difficult to recommend at this point.

There really is no standout winner on this one, if looking at the paid options, please make sure you check the application list first. I’ll be interested to see how the Intune integration works with Winget and also the implementation of multi-tenancy on Patch My PC.

17 thoughts on “Comparing Package Managers”

  1. Great review, thanks Andrew 🙂

    I believe there is new pricing planned for PMPC with the launch of the MSP version, so it may get cheaper if you can share a license pool across multiple Customers.
    That leads onto the question for Scappman, if you need to buy a pool of licences per Customer, or per MSP? Plus I assume the cost per user comes down after 1,000?

    • Hi Paul, I’m looking forward to trying the MSP version of PMPC and see how well it works. Running it from one central server would definitely reduce the required infrastructure.

      Scappman have special pricing available for MSPs, but I don’t know what it is. There is always the option to become a Partner as well which I imagine will come with discounted pricing too: https://www.scappman.com/partners. It’s probably worth dropping them a message, they were extremely helpful in configuring my demo account.

      Thanks

  2. I *think* winget now supports system context if I’m reading correctly (I’m new to this, basically learning about it all today). I also found this

    https://github.com/Romanitho/Winget-autoupdate

    which seems to be a clever way to deploy this in some way with whitelist/blacklist for packages to update. Locally, there’s a GUI that can detect installed software and add it to the list and you can then save that list into your whitelist before deploying it. I’ve not totally worked out what I’d need to do to use this from Intune as my updater, but it looks promising.

    I’d been looking into some other patch managers/integrated management tools e.g. Atera and NinjaOne but they both seem to actually use chocolatey/winget behind the scenes anyway so for completeness I’m trying to work out whether we can use pure winget as a stopgap until we can justify the spend on something bigger…

    • In a fashion it does. If you use the Store App integration in Intune, that can run in the System context, but that is limited to store apps and a few selected third party apps, but it doesn’t have the selection that the community repo, Scappman or PMPC have.
      As winget is open source, there are a few third party additions such as that which do work well and add functionality above what you get out of the box.
      Watch this space for an announcement around Winget here as well 🙂
      There is also Microsoft Advanced Package Management due out at some point as part of the Intune suite which is also worth considering. Once I’ve tried it, I’ll add it to the post

  3. Hi Andrew, great comparison.
    Any chance you could add PDQ Connect to your list of comparisons?
    It’s a new Product but from a much loved company.

  4. Same rating (5/10) for Scappman and PMPC pricing does not seem fair.

    11 USD per device is way more expensive than 2,5 USD per device (Intune Essentials edition).

    Both have a lower limit of 2k USD per year. Scappman demands 200 devices as minimum, PMPC demands the 2k USD but grants you 615 devices for that price.

  5. PatchMyPC does have cleanup rules, so you can tell it to keep the last x number of versions of that app in Intune. I haven’t had to do any housekeeping at all.
