
[New Feature]: Autoupdate as part of Windows 11 #6146

@drweb86


Description of the new feature/enhancement

Feature Request: Native Automatic Update System with Policy Controls and Version Pinning

Summary

Winget currently requires manual invocation to update packages (winget upgrade). This proposal requests a native automatic update system comparable to what the Microsoft Store already provides, but with enterprise-grade policy controls, version pinning, and flexible trigger mechanisms that make it safe for both consumer and corporate environments.


Motivation

The current update experience has significant gaps:

  • End users rarely run winget upgrade --all proactively, leaving software outdated and vulnerable
  • Corporate environments have no native way to control or schedule winget updates via Group Policy
  • Developers cannot pin major versions to prevent breaking changes in CI/CD pipelines
  • There is no equivalent to apt's unattended-upgrades or the Microsoft Store's background update service
  • Applications currently must implement their own update checkers (Squirrel, Velopack, Sparkle)

Proposed Solution

1. Windows Service for Background Updates

Introduce an opt-in winget-update Windows Service that runs with appropriate privileges and performs background updates on a configurable schedule:

# Enable automatic updates globally
winget settings --auto-update enable

# Set update schedule
winget settings --auto-update-schedule daily|weekly|onlogin

# Check status
winget autoupdate status

The service should:

  • Run as a low-privilege background task by default
  • Respect system idle state before updating
  • Log all update activity to Windows Event Log
  • Show toast notifications when updates are applied
  • Support both system-wide and per-user installation scopes

2. Version Pinning and Major Version Locks

This is critical for developer tools. Automatic updates must never silently upgrade across major versions where breaking changes are expected.

# Pin to current major version only (allow 2.x -> 2.9, block 2.x -> 3.0)
winget pin add NodeJS --major-only

# Pin to exact version
winget pin add Python --version 3.11.*

# Pin below a specific version
winget pin add JDK --below 21.0.0

# List all pins
winget pin list

Example scenarios this solves:

  • Node.js 18 → 20 is a major version jump that breaks native modules — developers need to control this explicitly
  • Python 3.11 → 3.12 can break virtual environments and dependencies
  • .NET SDK major versions affect build targets across entire teams
  • Java LTS versions are often contractually fixed in enterprise projects

Package manifests should also allow publishers to declare AutoUpdateSafe: minor-only as a hint to the update service.


3. Group Policy Integration (ADMX Templates)

Provide official ADMX Group Policy templates so IT administrators can centrally control winget update behavior across managed fleets via Intune, SCCM, or on-premises GPO:

Proposed policies:

Policy                          Options
------------------------------  ------------------------------------------------
AutoUpdateEnabled               Enabled / Disabled / User controlled
AutoUpdateScope                 Security patches only / Minor versions / All
AutoUpdateSchedule              Daily / Weekly / Custom cron-like expression
MajorVersionUpgradePolicy       Block / Prompt user / Allow
AllowUserInstallAutoUpdate      Yes / No
AutoUpdateBlacklist             List of package IDs to never auto-update
AutoUpdateWhitelist             Only auto-update these package IDs
RequireAdminApprovalForMajor    Yes / No
UpdateNotificationPolicy        Silent / Toast / Require acknowledgement
MaintenanceWindow               Time range when updates are permitted

This allows corporate IT to:

  • Permit security-only automatic updates while blocking feature updates
  • Enforce maintenance windows so updates don't interrupt business hours
  • Whitelist specific packages for auto-update while locking down developer tools
  • Delegate update approval to local admins without full IT involvement
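As an added example (not winget's code, and not part of the original issue), the following combines the pin rules of section 2 with the policy options of section 3 into one decision function, so the interplay between pins, scope, blacklist/whitelist, major-version policy and maintenance window can be checked on concrete versions. The tuple shape of pins, the field names and the returned strings are assumptions.

```python
# Added example, not winget's code: one decision function that combines the pin
# rules of section 2 with the policy options of section 3 (names are assumptions).
from dataclasses import dataclass, field
from fnmatch import fnmatch

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

@dataclass
class Policy:
    scope: str = "All"                  # Security patches only / Minor versions / All
    major_policy: str = "Prompt user"   # Block / Prompt user / Allow
    blacklist: set = field(default_factory=set)
    whitelist: set = None               # None means no whitelist is configured
    window: tuple = ("00:00", "23:59")  # 24h "HH:MM" strings compare correctly as text

def pin_allows(kind: str, value: str, current: str, candidate: str) -> bool:
    """Pin kinds mirror the proposed flags: --major-only, --version X.Y.*, --below V."""
    if kind == "major-only":            # allow 2.x -> 2.9, block 2.x -> 3.0
        return parse_version(candidate)[0] == parse_version(current)[0]
    if kind == "version":               # shell-style wildcard such as 3.11.*
        return fnmatch(candidate, value)
    if kind == "below":
        return parse_version(candidate) < parse_version(value)
    raise ValueError(f"unknown pin kind {kind!r}")

def decide(package, current, candidate, pins, policy, now, security_fix=False):
    """Return 'apply', 'prompt' or 'block: <reason>' for one candidate upgrade."""
    if not policy.window[0] <= now <= policy.window[1]:
        return "block: outside maintenance window"
    if package in policy.blacklist:
        return "block: package is blacklisted"
    if policy.whitelist is not None and package not in policy.whitelist:
        return "block: package is not whitelisted"
    for pkg, kind, value in pins:       # pins are (package, kind, value) tuples
        if pkg == package and not pin_allows(kind, value, current, candidate):
            return f"block: pin {kind} {value}".rstrip()
    is_major = parse_version(candidate)[0] != parse_version(current)[0]
    if policy.scope == "Security patches only" and not security_fix:
        return "block: scope allows security patches only"
    if is_major and policy.scope == "Minor versions":
        return "block: scope excludes major versions"
    if is_major and policy.major_policy == "Block":
        return "block: major upgrades blocked by policy"
    if is_major and policy.major_policy == "Prompt user":
        return "prompt"
    return "apply"

# Constructed sample pins, in the shape 'winget pin list' might report them.
SAMPLE_PINS = [("NodeJS", "major-only", ""), ("Python", "version", "3.11.*"), ("JDK", "below", "21.0.0")]
```

Pins are evaluated before the policy scope, so a corporate policy can never loosen a developer's pin; it can only block further.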

4. Per-User Installation Auto-Update

Users who installed packages without admin rights (user scope) should be able to auto-update their own packages without requiring elevation:

# Install in user scope
winget install MyApp --scope user

# Auto-update user-scope packages without UAC prompt
winget autoupdate --scope user

This is particularly important for corporate environments where users lack admin rights but need to keep personal productivity tools current without IT involvement for every update.


5. Manual Trigger with UI Integration

Beyond the background service, provide first-class manual trigger options:

# Check for updates without installing
winget upgrade --check-only

# Update with changelog preview
winget upgrade MyApp --show-changelog

# Defer update until next maintenance window
winget upgrade MyApp --defer

Additionally, integrate with Windows Update or Settings > Windows Update > Advanced Options so users can see and trigger winget updates from the familiar Settings UI — not just the terminal. This bridges the gap between power users and mainstream users who never open a command prompt.


6. Rollback Support

Auto-updates should be reversible, especially for packages that affect development environments:

# Roll back to previous version
winget rollback MyApp

# List available rollback points
winget history MyApp

The update service should retain the previous version's installer for a configurable retention period before cleanup. Also, if a version became vulnerable or was explicitly deleted from winget, it is supposed to disappear from the list.

7. Intune (etc.) and antivirus integration

Provide a way to control what a user can or cannot install, and a way to request a new package.

8. Vulnerability control for NuGet and npm integration

If a package there is marked as vulnerable, then during the update check, scan the directories of installed applications; if any supply-chain package of an app is vulnerable, report it to Intune and to the user, and prioritize the update.

9. Paid particular versions of software

Some software allows particular versions to be used indefinitely after the subscription ends. Those versions should clearly be excluded from autoupdate.


Why This Matters

Every major OS package ecosystem already solves this:

  • apt/unattended-upgrades — silent security updates, configurable scope, widely trusted
  • Homebrew — background update checks, major version warnings
  • Microsoft Store — fully automatic, no user interaction
  • npm/cargo — semver-aware, explicit major version consent

Winget is the only major package manager without a coherent answer to this. The result is that application developers are forced to ship their own update mechanisms (adding complexity, AV false positives, and inconsistent UX), corporate IT has no policy surface to work with, and end users run outdated software.

A native, policy-aware, version-pinning-capable auto-update system would make winget competitive with Linux package managers for enterprise adoption and remove the last major gap compared to the Microsoft Store experience.


Affected Scenarios

  • Home users who want set-and-forget updates like the Microsoft Store
  • Corporate IT managing hundreds of machines via Intune/SCCM
  • Developers who need major version control for Node, Python, Java, .NET SDK
  • Users on locked-down machines who can self-update user-scoped installs
  • Independent software vendors who want to retire their custom update mechanisms

References

Proposed technical implementation details (optional)

No response

Labels: Issue-Feature (This is a feature request for the Windows Package Manager client.)