WinGet Hacks: Automate Windows provisioning, upgrades, and maintenance

WinGet has quietly become one of the most practical productivity tools in a Windows 11 power user's toolbox — not just for installing apps, but for managing whole system states, enforcing upgrade policies, and automating maintenance. A recent MakeUseOf piece showed four simple WinGet workflows — using WinGet Configuration files, running a one-line upgrade for every app, pinning packages to prevent unwanted updates, and scheduling WinGet tasks for unattended maintenance — and these small techniques can reshape how you provision, maintain, and secure Windows devices at scale.

Overview​

WinGet (the Windows Package Manager) is the command-line utility that brings package-manager-style efficiency to Windows. Beyond single-package installs, WinGet includes a configuration system, pinning, export/import, and an upgrade engine designed for automation and reproducible system states. The features the MakeUseOf guide highlights are real, robust, and deliberately aimed at power users who want repeatable, low-friction workflows for new machines, upgrades, and long-term maintenance.
This article explains the four WinGet hacks in practical detail, verifies the commands and behaviors against official documentation, highlights important security and operational caveats, and offers a recommended, hardened set of workflows to adopt in the enterprise or on a personal technician’s toolkit.

---

Background: why WinGet matters now​

Windows historically pushed software installation through GUIs and the Microsoft Store, which works for casual users but is inefficient for admins and enthusiasts. WinGet fills that gap by offering:

• Single-line installation and updates for apps hosted in the WinGet and Microsoft Store sources.
• Declarative configuration (YAML/DSC-style) that can reproduce a desired machine state.
• Export/import so you can snapshot installed apps and reapply them on another system.
• Pinning and gating to control upgrade behavior for specific packages.

Microsoft’s documentation confirms that WinGet is maintained as part of the App Installer and includes commands like configure, export/import, upgrade, and pin to support reproducible and automated workflows. (learn.microsoft.com)

---

1) WinGet configure: managing an entire system state​

What it does​

The winget configure command lets you apply a WinGet Configuration file (YAML/DSC-style) to a machine so it reaches a defined desired state: specific packages installed, settings applied, and modules managed. This moves WinGet from a one-off installer into the realm of infrastructure as code for desktop environments. (learn.microsoft.com)

How to use it (quick example)​

• Author a configuration file (typical extension: .winget or .dsc.yaml) containing the list of packages and resources you want.
• Copy that file to the target computer.
• Open PowerShell as Administrator and run:
• winget configure -f .\mysetup.dsc.yaml
  The command processes the configuration, downloads packages from configured sources, and performs silent or unattended installs according to the manifest. (learn.microsoft.com)

Verification and safety​

• Microsoft explicitly warns to review the contents of any WinGet configuration file before applying it, because these manifests drive package downloads and installer execution. Treat configuration files like code: inspect, sign, or vet them before use. (learn.microsoft.com)
• The winget configure command includes flags to disable interactivity and accept configuration agreements; you should use these in controlled automation but avoid them when testing unknown manifests. (learn.microsoft.com)

Strengths​

• Reproducible desktop setup: identical apps and versions across machines.
• Fast provisioning for new hardware and lab images.
• Declarative approach reduces human error.

Risks​

• A malicious or misconfigured YAML can install arbitrary binaries or unwanted software; always version-control and audit configuration files.
• Some installers still require elevation; running winget configure non-elevated may prompt or fail for machine-scoped installs (see Administrator considerations below). (learn.microsoft.com)

---

2) winget upgrade --all: one command to update everything​

What it does​

winget upgrade --all enumerates installed applications, checks configured sources for newer package versions, and upgrades those applications in sequence. This is the simplest way to bring every WinGet-tracked app on a device up to date. (learn.microsoft.com)

Useful flags explained​

• --include-unknown (-u) — upgrade packages even when WinGet can't determine the current version. Useful for packages that don't expose version metadata.
• --force — forces the upgrade flow and can override certain checks; use cautiously.
• --accept-package-agreements and --accept-source-agreements — auto-accept license prompts (necessary for unattended scripts). (learn.microsoft.com)

Example:

• winget upgrade --all --include-unknown --force --accept-package-agreements --accept-source-agreements

Caveats and verification​

• Some packages do not expose version metadata; the --include-unknown flag is required to attempt upgrades for those items. (learn.microsoft.com)
• WinGet can only upgrade packages available from configured sources. For apps installed outside WinGet repositories, WinGet might be unable to upgrade them, or the upgrade behavior depends on the package manifest. (learn.microsoft.com)

Strengths​

• Massive time saver: update dozens of apps in one run.
• Great for periodic maintenance windows or pre-imaging refresh.

Risks​

• Silent mass upgrades can introduce breaking UI/behavioral changes (e.g., PowerToys updates altering shortcuts).
• Some upgrades may require reboot, user interaction, or may change configuration; test on a staging device first.

---

3) winget pin: stop unwanted upgrades for individual apps​

Why pinning matters​

Not every app should auto-update. A UI overhaul or new behavior can reduce productivity or break automation. winget pin lets you exclude packages from winget upgrade --all, or lock them to a version/range so upgrades are controlled. (learn.microsoft.com)

Pin types​

• Pinning — excludes a package from upgrade --all but you can still upgrade it individually.
• Blocking — prevents upgrades entirely unless explicitly unpinned (can be overridden with --force).
• Gating — pins to a version or a version range (e.g., 1.2.*), allowing only compatible updates. (learn.microsoft.com)

Common commands​

• Pin PowerToys to skip blanket upgrades:
• winget pin add --id Microsoft.PowerToys
• Export pins so other machines can share the same locked state:
• winget pin export --output .\mypins.json
• Reapply pins on another device by importing the JSON or recreating pins with winget pin add. (The pinning export/import path supports consistent environments.) (learn.microsoft.com)

Strengths​

• Granular control: keep mission-critical apps stable.
• Shareable pin lists enable team-wide policy consistency.

Risks​

• A pinned package may still be updated by other mechanisms (OEM updaters, Microsoft Store auto-updates). Pinning is specific to WinGet behavior and not a global block unless other update paths are controlled.
• Overuse can lead to outdated and vulnerable software if admins forget to unpin and patch.

---

4) WinGet + Task Scheduler: automate maintenance​

What automation looks like​

Pairing WinGet with Task Scheduler lets you run winget upgrade --all on a schedule, or apply configuration manifests at set intervals. This turns manual maintenance into a hands-off process.
A scheduled task can invoke WinGet directly or run a PowerShell script that wraps WinGet with desired flags:

• Action (Program): powershell.exe
• Arguments: -NoProfile -WindowStyle Hidden -Command "winget upgrade --all --silent --accept-package-agreements --accept-source-agreements"

Or you can call WinGet directly (Task Scheduler supports starting executables with arguments). When tasks need elevated privileges, configure them to run with the highest privileges or under an account with appropriate rights. (woshub.com, learn.microsoft.com)

How to set it up (concise)​

• Open Task Scheduler → Create Task.
• On the General tab: name the task and check Run with highest privileges (if required).
• Add a Trigger (daily, weekly, at login, etc.).
• Add an Action: Start a program → Program/script: powershell.exe → Add arguments: -NoProfile -WindowStyle Hidden -Command "winget upgrade --all --accept-package-agreements --accept-source-agreements"
• Save and test manually first.

Administrator considerations​

• Running scheduled tasks with elevated privileges is supported — set RunLevel to Highest. If the task runs under a high-privilege account, it will execute installers without interactive elevation prompts. The Task Scheduler documentation explains how RunLevel affects UAC and privileges. (learn.microsoft.com)

Strengths​

• Fully automated, off-hours patching for installed apps.
• Repeatable maintenance suitable for personal use or small labs.

Risks and operational caution​

• Tasks that run with elevated rights are a security risk if the script or its folder can be modified by non-admin users. Always secure script locations with NTFS permissions, use service accounts where appropriate, and put scripts under version control.
• Silent installations that accept agreements remove user consent checkpoints — use only for trusted packages and in controlled environments.
• Always enable logging and check Task History; automation can silently fail if a package requires a reboot or manual interaction. (woshub.com, blog.netwrix.com)

---

Administrator considerations, scope, and limitations​

• WinGet behavior depends on whether you run it as an administrator. Running non-elevated may prompt for UAC when installers require elevation; running elevated will bypass those prompts. That makes it essential to run scheduled or bulk installs under an account with appropriate privileges. (learn.microsoft.com)
• Some installer types (MSIX, machine-scoped installs) and certain package behaviors can complicate automated, machine-wide installations — explicitly passing --scope machine or running as an elevated account is sometimes required. There are known issues and GitHub discussions around scope handling for particular installer types; test your exact package set. (github.com)
• WinGet only manages packages that are available in configured sources. If your environment uses private repos, ensure they are added to the WinGet sources and that source agreements are accepted in automation. (learn.microsoft.com)
• WinGet is distributed via the App Installer. On some systems WinGet may not be immediately available until App Installer registers; Microsoft documents how to re-register App Installer if needed. (learn.microsoft.com)

---

PowerToys Run and WinGet: native integration — myth vs. reality​

Several community projects and PowerToys features bridge PowerToys Run and WinGet. A community plugin exists (and can be installed) that lets you search and install WinGet packages directly from PowerToys Run, and PowerToys has added Desired State Configuration support that interacts with WinGet configuration files. However, a fully native, one-click PowerToys → WinGet experience depends on either PowerToys’ feature set or third-party plugins and may vary by version. Confirm your PowerToys version and plugin before relying on it for production workflows. (github.com, tenforums.com)
Caveat: community plugins are convenient but are not the same security boundary as Microsoft-managed code. Treat them as any third-party tool — audit and run in test environments before broad deployment. (github.com)

---

Practical, hardened workflows for technicians and admins​

Below are recommended, production-ready workflows that build on the four hacks while minimizing risk.

A. Reprovisioning a workstation (safe, reproducible)​

• Maintain a Git repo for your WinGet configuration (.winget / .dsc.yaml files).
• Review and sign configuration files. Use automated tests or a staging device to validate expected installs.
• On the new machine:
• Ensure App Installer/WinGet is available (re-register if required).
• Run PowerShell as Administrator.
• winget configure -f .\mysetup.dsc.yaml --accept-configuration-agreements --disable-interactivity
• Log output and inspect the WinGet logs location after completion. (learn.microsoft.com)

B. Periodic maintenance (safe automation)​

• Create a PowerShell wrapper script that:
• Logs start and end times.
• Runs winget upgrade --all --accept-package-agreements --accept-source-agreements --include-unknown.
• Captures result codes and writes them to a central log.
• Schedule the script in Task Scheduler as a service account with the minimum rights necessary, using Run with highest privileges when machine-scoped installs are required.
• Monitor logs and configure alerts for failure patterns or packages that consistently require manual intervention. (woshub.com, learn.microsoft.com)

C. Controlled exceptions and pinning​

• Maintain a mypins.json (or a pinning strategy stored in Git).
• Use winget pin add --id <PackageId> to lock packages that must not upgrade automatically.
• Export pins regularly and treat pin files as part of your provisioning repo. (learn.microsoft.com)

---

Security and governance checklist before you automate​

• Ensure the script and config files are secured with NTFS permissions against modification by non-admin accounts.
• Use code signing or repository-based controls (branch protections, PR reviews) for configuration manifests.
• Run automated updates on a staging ring first (canary devices) before broad rollout.
• Keep a rollback plan: record installed versions (winget export --include-versions) before upgrades so you can re-image or restore predictable states. (learn.microsoft.com)

---

Common pitfalls and troubleshooting​

• Unexpected elevation prompts: verify Task Scheduler run level and script user context. (learn.microsoft.com)
• Packages that don’t appear in winget upgrade lists: they may not expose version metadata; try --include-unknown. (learn.microsoft.com)
• App Installer missing or not registered: re-register the App Installer package or reinstall via the Microsoft Store. (learn.microsoft.com)
• Differences between user-scoped and machine-scoped installs: test with --scope and confirm behavior, especially for MSIX packages. (github.com)

---

Final assessment — strengths, limitations, and recommended next steps​

WinGet is a powerful enabler for modern Windows workflows. The four hacks in the MakeUseOf guide — configuration-driven provisioning, upgrade --all, pinning, and scheduling — are practical and validated by Microsoft documentation. They let technicians and admins:

• Provision machines quickly and reproducibly using YAML configuration files. (learn.microsoft.com)
• Keep systems updated with a single command or scheduled job. (learn.microsoft.com)
• Protect chosen apps from disruptive updates with pinning. (learn.microsoft.com)
• Automate maintenance safely if best practices around privileges and file security are followed. (woshub.com)

Limitations remain: elevated vs. user install behavior, source coverage, and occasional package manifest inconsistencies. These are real operational trade-offs that require testing and governance. For PowerToys Run integration, community plugins and PowerToys’ DSC support exist, but verify your environment and prefer vendor-supported features when possible. (github.com, tenforums.com)
If you adopt WinGet-based automation, the single biggest defensive move is to treat configuration files and scheduled scripts like code: version them, code-review them, secure them, and test them in a staging ring before broad application.

---

Quick reference: essential commands​

• Export installed apps: winget export -o .\apps.json --include-versions. (learn.microsoft.com)
• Import/replicate apps: winget import .\apps.json --accept-package-agreements --accept-source-agreements. (learn.microsoft.com)
• Apply configuration: winget configure -f .\mysetup.dsc.yaml. (learn.microsoft.com)
• Upgrade everything: winget upgrade --all --include-unknown --accept-package-agreements --accept-source-agreements. (learn.microsoft.com)
• Pin a package: winget pin add --id Microsoft.PowerToys. (learn.microsoft.com)

---

WinGet has matured from a niche CLI curiosity to an essential automation tool for Windows power users and administrators. The simple WinGet workflows highlighted in the MakeUseOf guide are effective starting points, but production use requires the same discipline applied to any automation: auditing, testing, access control, and logging. When those guardrails are in place, WinGet can transform hours of repetitive setup and maintenance into minutes, with the repeatability and control that modern IT operations demand. (learn.microsoft.com, woshub.com)

---

Source: MakeUseOf These Winget hacks transformed how I use Windows 11