Schedule Winget Auto Updates for operational usage

Deploying Winget Auto Updates (WAU) gives you a functional update baseline, for full functionality we need to configure more to get ready for production. If servers query the Winget repository at different times you might end up with inconsistent versions and unplanned outages.

Introduction to schedule WinGet Auto Updates

We have learned how to install Winget Auto Updates using a GPO in the last article “Centralized Software Patch Management: Deploying Winget Auto Updates (WAU) via Active Directory GPO”. In the video below from this article we also deployed the ADMX file needed in this article.

By combining WAU with Active Directory Administrative Templates (ADMX) and a centralized inclusion/exclusion lists stored on a file share, you transform this tool into a automated software deployment tool. This approach ensures that essential utilities are always present while preventing sensitive workloads from receiving unapproved or risky updates.

Checking Package Availability in Winget

Before adding software to your baseline, verify that each package exists in the public Winget repository and confirm its exact identifier. Incorrect IDs cause silent failures, stalled update cycles, or repeated error entries in WAU logs.

Examples:

  • AD Account Lockout Tool: Not available in the public Winget repository. Tools like this must be deployed via a traditional GPO software installation.
  • My favorite Event Log viewer from this article “Modern Windows Event Viewer – EventLogExpert” is EventLogExpert and it is not available. So we will use Snake Tails with the identifier: snakefoot.snaketail
  • For tailing use Klogg as recommended here as it is available. Use the identifier: Variar.klogg

Personally I like using https://winget.run/ to verify for new packages as explained in my previous articles “WinGet and IaC – Take Winget to the next level” and “https://hartiga.de/tools/easily-manage-applications-with-winget-v1-x/

Advanced Centralized Configuration via GPO

Romanitho’s WAU ADMX templates allow you to control the entire WAU client configuration through Group Policy with no locally managed config files and per-machine drifts.

Here are our first steps:

  • Open gpmc.msc
  • Create a new GPO: LAB-Computers-Software-WAU-Configuration
  • Link it to your server OU
  • Navigate to: Computer Configuration → Policies → Administrative Templates → Winget-AutoUpdate

Enforce Machine-Wide Installation Scope

By default, Winget may install software into %LocalAppData%, making it invisible to other users and background tasks. In the WAU template, force machine-wide installation to ensure all binaries land in standard system paths such as Program Files. This is essential for predictable server behavior.

The inclusion and exclusion list reality

A common point of confusion when looking at configuration storage folder structures is trying to use both lists simultaneously. In WAU’s architectural design, the application update logic modes are mutually exclusive.

If Use WhiteList instead of BlackList is left Not configured, WAU runs in global Blacklist mode. It scans the server, patches every existing Winget app it finds, and strictly references excluded_apps.txt to see what it must skip.

If you enable the Whitelist setting, the engine shifts entirely, only checking and updating packages explicitly declared in included_apps.txt while ignoring the rest of the machine.

Crucially, neither list mode will perform a fresh installation of a missing tool. WAU is strictly an updater; if Klogg or EventLogExpert is completely missing from a newly provisioned server, WAU will simply bypass them.

To standardize your environment, you must explicitly define if you want to maintain a white or a blacklist. WAU supports this through two centralized list files:

  • included_apps.txt (Acts as your allowlist if you enable the Whitelist policy configuration)
  • excluded_apps.txt (Acts as your blacklist)

Both should be stored on a read-only, highly available UNC path. I will be using the path you should know from previous blog articles around GPO: “\nas-file-2025\Software\WAU-Config”

Example included_apps.txt

snakefoot.snaketail
Variar.klogg

Example excluded_apps.txt

I try to exclude critical components like MS SQL Server, which i manage using WSUS or tools that have their own automatic update configuration, i.e. Google Chrome

Microsoft.SQLServer.* Google.Chrome

Dynamic Scheduling and Service Management to schedule WinGet Auto Updates

WAU installs a scheduled task that runs under NT AUTHORITY\SYSTEM, giving it the required permissions to update software silently in the background.

You can check the settings in the task scheduler. The default settings are below and you can see tzhe active triggers are “At log on of any user” and “at 6:00 am every day.”

To enforce a deterministic update window at 3am with no updates at login, we have to configure this:

  • Open your WAU configuration GPO
  • Set Update Interval to Daily
  • Set Execution Time to 03:00
  • Set Updates at Login to disabled
https://youtu.be/FH7wGICU-fY

Important: Winget only updates the registry and scheduled settings daily at 6am. You need to run the task highlighted below manually or execute this script once:

Schedule WinGet Auto Updates - Enforce GPO changes now
Schedule WinGet Auto Updates – Enforce GPO changes now

Why does it matter to schedule WinGet Auto Updates

We want to automate, but control the risk. So we want to prevent updates to critical workloads (exclusion) and maintain a consistent set of tool across our servers during working hours. This combines automation with minimized operational risk with a significantly increased machine configuration standardization.

Common Mistakes and How to Avoid Them

Even well-designed WAU deployments can fail due to small oversights. These are the issues I see most often:

  • Incorrect package identifiers: A single typo in included/excluded lists causes silent failures. Always verify with “winget search” and use copy and paste.
  • Wrong ADMX language folder: If WAU.adml is placed in the wrong locale folder, the GPO settings will not appear. Stick to en-US.
  • UNC paths not reachable at startup: If the file share is unavailable during boot, WAU falls back to defaults.
  • Winget not accessible to SYSTEM: Some security tools block the WindowsApps folder for SYSTEM. WAU cannot run without it and you need to configure exclusions with your IT Security contacts.
  • User-scope installations: Software installed under %LocalAppData% will cause issues. Enforce machine-wide scope.
  • Metered connection false positives: Hybrid cloud routing can trigger metered-connection blocks. Enable the override if needed.

Hint: If used on RDP Sessions by a larger group of people in your organization I would consider disabling the notification UI.

Conclusion

By moving third-party update logic into Group Policy, you turn WAU into a predictable, centrally governed update engine. With fixed package identifiers, controlled inclusion/exclusion lists, and a strict 03:00 execution schedule, your servers follow the same lifecycle every day. No drift, no surprises.

In the next article, we’ll dive into advanced WAU tuning, including notification suppression, custom repository integration, and hardened baseline enforcement.

If you have any questions please don’t hesitate to reach out to me on LinkedIn, Bluesky or check my newly created Adaptive Cloud community on Reddit.

LinkedIn: https://www.linkedin.com/in/andreas-hartig/

Bluesky: https://bsky.app/profile/hartiga.de

Adaptive Cloud community on Reddit: https://www.reddit.com/r/AdaptiveCloud/

My YouTube Channel: https://www.youtube.com/@hartiga

Avatar for Andreas Hartig
Andreas Hartig - MVP - Cloud and Datacenter Management, Microsoft Azure

Related Posts

WAU Happy Dragons about improved security

Centralized Software Patch Management: Deploying Winget Auto Updates (WAU) via Active Directory GPO

Deploying Winget Auto Updates for Software Patch Management for managing third-party software updates across an IT infrastructure typically requires expensive enterprise solutions. This article provides a technical guide on how…

Read more
Stay Hydrated Drink enoughv2

GPO Central Store – Help! My PolicyDefinitions Folder is missing

Your PolicyDefinitions Folder is missing? The GPO Central Store is key for Managing Group Policy Objects (GPOs) across multiple domain controllers can introduce configuration drift if administrative templates are not…

Read more
A single control plane for LAPS using AzureArc

Legacy LAPS vs. Windows LAPS vs. LAPS for Azure Arc

LAPS for Azure Arc is the new shining star, after for years, IT teams relied on the classic, legacy Microsoft LAPS tool. Microsoft then integrated Windows LAPS directly into the…

Read more
Gemini Generated Image 6s2cz6s2cz6s2cz6

Active Directory Planning Tool: Mapping Structures and Delegations with SMAD-X

Using an Active Directory Planning Tool is key for understanding complex Active Directory environments and often requires more than what traditional management consoles can provide. While tools such as Active…

Read more
Dragons looking at AccountLockout Tool

AD Account Lockout (Free Tool)

The AD Account Lockout tool is free and very valuable in troubleshooting account lockouts in Active Directory. This is a task as old as the directory service itself. Even in…

Read more
Windows Server Summit 2026 Day 3 Dragons

Windows Server Summit 2026 Day 3

Introduction to Windows Server Summit 2026 Day 3 The final day of the Windows Server Summit 2026 shifted the spotlight from overarching hybrid control planes toward core infrastructure, protocol modernization,…

Read more