winget with remote access

Question

Hello,

We can use our remote maintenance program (NinjaOne) to run Powershell or CMD as a system or with another user. We would like to use Winget to update the programs on the clients in silent mode. However, winget requires a logged-in user who also has administrative rights.

The rule is that users only have user rights. Is there a way that I can now log in the domain administrator in the background via Powershell and execute the Winget command "upgrade -h -r" there? Alternatively, that the Powershell command runs in the background for the logged-in user, but with elevated rights?

I am also open to alternatives.

Answer 1

"Is there a way that I can now log in the domain administrator in the background via Powershell..."

I hope you're not referring to an actual Domain Admin account (i,e. a domain account in the Domain Admins Security Group). That should be locked down so it can only be used with Domain Controllers.

In regards to your question, I just worked through this myself. WinGet still isn't exactly designed to be ran as a System account. NinjaOne is likely trying to perform actions as System, so the WinGet verb isn't recognized, as it's only on the PATH of a logged-in User.

There are a couple different ways to get this to work. I'm personally using the below (thanks to /u/u/naps1saps on Reddit).

This would install vlc as System (i,e. with NinjaOne. or any RMM). For your purpose you could modify it to do winget upgrade --all --silent, but the $path variable and second half of the script is how it is able to run as System.

$app = 'vlc';
$path = Resolve-Path -Path 'c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe';
$args = "install $app --source msstore --scope machine --accept-package-agreements --accept-source-agreements";

If (Test-Path $path -PathType Leaf) {
    $p = Start-Process -FilePath $path -WindowStyle Hidden -PassThru -ArgumentList $args;
    $p.WaitForExit();
} else {
    Write-Output 'Winget path invalid';
}