I used to have and recommend a tool for updating all your third party software on Windows machines. Unfortunately that tool went end of life several years ago. But Microsoft, of all people, has a tool that works suitably. Usage is similar to apt or yum on Linux. It’s called App Installer, and at the command line, it takes the form of the command winget.

App Installer is a free tool that updates what Windows Update won’t. That means open source apps, but also some third party apps, and even some difficult-to-update Microsoft apps, like the Visual C++ runtime. It is capable of updating more than 3,000 apps.

Installing App Installer

To install App Installer, launch the Microsoft Store and search for App Installer. Assuming you don’t already have it (something else you installed may have required it), install it.

If you can’t find the install button, you probably already have it. All my Windows 10 machines did. So if you can’t figure out how to install it, skip to the next step.

Using winget

Open an administrative command prompt and issue the command winget upgrade to get a list of tools App Installer can upgrade for you. The first time you run it, you have to agree to the license agreement. And then it does a quick analysis.

I was very surprised at what was on my list:

You mean this thing can upgrade Libre Office for me? This machine has 13 packages to update, which doesn’t surprise me.

Run winget upgrade –all to update everything. Or to upgrade individual packages if you’re squeamish, run winget upgrade [name]. Such as winget upgrade 7-Zip. Caution: winget will reboot your system automatically, without prompting, if the app needs to reboot to finish updating.

This won’t catch everything and won’t update everything optimally. Note I have Python 2.7 on this system, which is end of life. I should have Python 3-something. Don’t let perfection get in the way of improvement. Use this to get as far as you can with low effort–it’s what I call caveman patching. Closing the gap to A-plus comes later.

winget upgrade –all in practice

When I ran App Installer through mine, some apps just installed silently. Those with GUI installers showed a GUI, but didn’t ask any questions. They just ripped through the installation, so the GUI was just an indicator.

Run this every month, either before or after pushing Microsoft updates. Your security will improve immensely. Keeping Wireshark up to date is a problem for everyone. This will take care of that for you, along with dozens of other things that fly under the radar.

As I said above, it didn’t update Python optimally and it also didn’t update Nmap at all, and it’s unclear what it did with 4 of them. Still, 8 out of 13 isn’t bad. And it took 15 minutes. The majority of that was Libre Office, that little and dainty 323-megabyte behemoth.

That’s a really good result in return for running two commands and waiting 15 minutes. Maybe it’s an A- or B+ effort, but B+ is a huge improvement over the state of third party applications on Windows I’m used to seeing.

To close the gap to A-plus, scan the machine with a vulnerability scanner you trust. Either Qualys or Tenable should be OK, though Tenable does a slightly better job of finding open source software on Windows, in my experience. You may find a flubbed installation or two to clean up, but most of what you find will probably be due to end of life software, like my case of Python 2.7. In my case I know I just need to install Python 3. But for things you don’t know offhand, find the best still-supported alternative. Then check compatibility, and deploy it once you are reasonably confident you won’t break stuff with it.

Running winget upgrade –all automatically

I haven’t been able to successfully schedule winget upgrade –all to run automatically, and since it can reboot the system without warning, running it automatically has caveats. There seems to be a user story for that in progress at the time I’m writing. But for quick one-offs, this is an option.

And if you have another way to automate running this at scale, across multiple machines, go for it. Just make sure you’re prepared for the system to reboot when it finishes.

Upgrading single apps with winget

From a practical standpoint, you’ll be using it to update single applications more often than updating everything, at least in enterprise environments. To do that, first type winget search followed by the name of what you’re interested in. When I checked, it could update more than 3,000 software packages. So you may be surprised what all you can update. winget search nvidia turns up lots of Nvidia utilities it can update for you, for example.

To update a single piece of software, just enter a command like winget upgrade wireshark or winget upgrade libreoffice and substitute the tool you want to update at the end. Yes, it updates Wireshark.

It saves you having to click through the GUI to run the upgrades, and it automates the digital signature checks for authenticity.

I’m really glad Microsoft built this tool and I found out about it.