/image%2F8357444%2F20250531%2Fob_e5372f_safitexpers.jpeg)
2025 Comparison — Microsoft Windows CLI Tools
Best practices, and Linux analogies (apt, dnf, pacman, zypper).
Actions: install / upgrade / downgrade / pin
How repositories and their security work
To test: in a safe environment: PowerShell scripts
🧭 Why package managers on Windows?
On Linux, using package managers like apt, dnf, zypper, or pacman has become a reflex to install, update, and manage your software. On Windows, the pleasure of launching executables (.exe, .msi) with a simple click relieved users.
Today, SafeITExperts reveals: Windows also has command-line tools: winget, Chocolatey, and Scoop. Let's discover them together.
On Linux, package managers are central:
| Distribution | Tool | Command examples |
|---|---|---|
| Debian / Ubuntu | apt | apt update, apt install, apt upgrade, apt remove |
| Fedora / RHEL | dnf | dnf install, dnf upgrade, dnf downgrade |
| Arch | pacman | pacman -S, pacman -Syu, pacman -Rns |
| openSUSE | zypper | zypper refresh, zypper install, zypper update |
Windows bridges the gap with winget (official), Chocolatey (DevOps veteran), and Scoop (minimalist, no admin). 🎯
💻 Access the shell: PowerShell, CMD & Terminal
Which shell to use?
- PowerShell (recommended): modern shell with a powerful scripting language.
- CMD: old command interpreter (works, but less comfortable).
- Windows Terminal: the application that can host PowerShell, CMD, WSL/Bash, etc.
- PowerShell 7 (Core): cross-platform version (parallel to PowerShell 5.x "Windows PowerShell").
How to open PowerShell
- Via the Start menu: type "PowerShell", then "Run as administrator" for an elevated session.
- Shortcut: Win + X → "Windows Terminal (Admin)" or "Windows PowerShell (Admin)".
- Run: Win + R → powershell → Enter (non-elevated).
Admin rights, password, and UAC
On Windows, you don't type sudo. System actions trigger UAC (User Account Control):
- If your session has admin rights, you'll see a dialog box to validate
- If your session is standard, you'll be asked for admin credentials
winget/choco may require an elevated session for "machine-wide" installations. Scoop works by default without admin (in the user profile), but can also install globally with admin.
To install Chocolatey or Scoop via script, PowerShell may require a more permissive execution policy:
# Check & relax for the current user Get-ExecutionPolicy Set-ExecutionPolicy -Scope CurrentUser RemoteSigned🐧 WSL — complete Linux environment under Windows
Overview
Windows Subsystem for Linux (WSL) was created by Microsoft and introduced in 2016 to bring Windows and Linux closer together in the same environment. WSL allows running a full GNU/Linux distribution (Ubuntu, Debian, Fedora, openSUSE, Kali…) directly under Windows, without needing a heavy virtual machine or dual-boot.
- Concept: real Linux kernel embedded in a lightweight Hyper-V VM
- Native access to Linux commands and packages (bash, apt, yum, pacman…)
- Transparent interoperability Windows ↔ Linux files (/mnt/c)
- Distributions: available via Microsoft Store or WSL CLI (Ubuntu, Debian, Fedora…)
- Security:
- Linux kernel provided and updated by Microsoft
- Lightweight Hyper-V isolation
- Admin rights only for initial installation
⚙️ WSL installation
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart wsl --set-default-version 2 wsl --install -d Ubuntu wsl --list --online wsl --list --verbose🛠️ Alternative installation via managers
# With winget winget install --id Microsoft.WSL -e --source winget wsl --install # With Chocolatey choco install wsl -y wsl --install # With Scoop (after installing Scoop) scoop install sudo sudo dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart sudo dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart wsl --install🗣️ Voice installation via Copilot
# Open Windows Terminal, activate Copilot (Win + C), and say: "Install and configure WSL 2 with Ubuntu" # Copilot will execute the necessary commands🔧 Distribution management
wsl --list --verbose wsl --set-version <distro> 2 wsl --terminate <distro>🔎 Integration & interoperability
ls /mnt/c/Users cmd.exe /c dir C:wsl uname -r📦 Linux package management
sudo apt update && sudo apt upgrade sudo apt install <package> sudo apt install <package>=<version>✅ WSL offers a real Linux shell integrated with Windows, Docker/Kubernetes compatible, ideal for web development, data science, and bash scripts.
🪟 winget — Windows Package Manager (Microsoft) official
Overview
winget is the official Windows package manager (Windows Package Manager), introduced by Microsoft. It allows installing, updating, configuring, and uninstalling software directly from the command line, much like apt on Linux or brew on macOS.
- Origin: Microsoft (integrated into Windows 11, available on Windows 10 via "App Installer")
- Repositories (sources):
- winget: community repository maintained by Microsoft (manifests on GitHub)
- msstore: Microsoft Store (packaged and signed apps via the Store)
- Private sources possible (enterprise)
- Security: YAML manifests reviewed (automatic + human), SHA256 of installers, downloads from publisher sources
🔎 Search & display
winget --version winget search vscode winget search --id Microsoft.VisualStudioCode -e winget show Microsoft.VisualStudioCode📦 Install
winget install --id Microsoft.VisualStudioCode -e winget install --id Microsoft.VisualStudioCode -e --version 1.80.0 winget install --id Microsoft.VisualStudioCode --scope user winget install --id Microsoft.VisualStudioCode --silent winget install --id Microsoft.VisualStudioCode --override "/VERYSILENT /NORESTART" winget install --id 9NBLGGH4NNS1 --source msstore⬆️ Updates
winget upgrade winget upgrade <name> winget upgrade --all winget upgrade --include-unknown🧹 List / uninstall / export
winget list winget uninstall --id Microsoft.VisualStudioCode -e winget export -o apps.json --include-versions winget import -i apps.json📌 Pin (lock), sources & configuration
winget pin add --id Microsoft.VisualStudioCode --version 1.80.* winget pin list winget pin remove --id Microsoft.VisualStudioCode winget source list winget source update winget source reset winget settings winget features🍫 Chocolatey — the DevOps/Enterprise veteran
Overview
Chocolatey is one of the oldest Windows package managers (2011). It is inspired by apt-get, focused on automation/DevOps, and widely used in enterprise environments.
- Origin: 2011, community + enterprise offering (C4B)
- Public repository: community.chocolatey.org/packages (NuGet)
- Private repositories: heavily used in enterprise (Artifactory, Nexus, UNC share, etc.)
- Security:
- Packages submitted by the community
- Human and automatic review before publication
- Some scripts execute downloads from external sources (less strict than winget)
- Chocolatey for Business version offers private repositories + enhanced verification
⚙️ Chocolatey installation
Set-ExecutionPolicy Bypass -Scope Process -Force [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 iex ((New-Object Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) choco --version🔎 Search, list, outdated
choco search vscode choco list --localonly choco outdated📦 Install / upgrade / uninstall
choco install vscode -y choco install vscode --version=1.80.0 -y choco install nodejs-lts --pre -y choco upgrade vscode -y choco upgrade all -y choco uninstall vscode -y⬇️ Downgrade & Pin
choco install vscode --version=1.79.0 -y choco pin add -n=vscode -v=1.79.0 choco pin list choco pin remove -n=vscode✅ Advantage: supports downgrade (rollback possible if the version is available).
🧩 Sources, config, features, maintenance
choco source list choco source add -n=myfeed -s "https://my.nexus/nuget/choco" choco source disable -n=chocolatey choco config get cacheLocation choco config set cacheLocation "D:\ChocoCache" choco feature list choco feature enable -n=allowGlobalConfirmation choco clean -y choco upgrade all --noop🗂️ Scoop — minimalist, no admin by default
Overview
Scoop was created by Luke Sampson in 2013. It adopts a minimalist philosophy, close to the brew experience on macOS. Everything is installed in the user folder without requiring administrator rights.
- Concept: installs apps in the user profile (no UAC, no admin)
- Repositories: buckets (Git repositories):
- Main repository: main
- Additional buckets: extras, versions, nerd-fonts, Games, etc.
- User can add their own buckets (custom repositories)
- Security:
- Buckets on GitHub, open contributions
- SHA256 verification to ensure binaries haven't been modified
- More community-driven than winget, heavily depends on maintainers' rigor
⚙️ Scoop installation
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser iwr -useb get.scoop.sh | iex scoop --version🪣 Buckets
scoop bucket list scoop bucket known scoop bucket add extras scoop bucket add versions scoop bucket rm extras🔎 Search & info
scoop search vscode scoop info vscode scoop list📦 Install / versions / global
scoop install vscode scoop install vscode@1.80.0 scoop install -g 7zip⬆️ Update / status
scoop update scoop update vscode scoop update * scoop status🔁 Change/freeze version & maintenance
scoop reset vscode@1.79.0 scoop hold vscode scoop unhold vscode scoop cleanup vscode scoop cleanup * scoop checkup scoop cache show scoop cache rm * scoop which codescoop install aria2 scoop config aria2-enabled true🤖 Copilot — AI Assistant for PowerShell and CLI tools
Overview
Windows Copilot, integrated into Windows 11, revolutionizes the use of CLI tools by acting as an intelligent voice and text assistant. It translates your natural language queries into precise PowerShell commands to interact with winget, Chocolatey, and Scoop.
- Activation: Copilot button in the taskbar or Win+C
- Key features: Voice translation, script generation, error diagnosis
- Security: Confirmation before execution (unless silent mode), command history
🎙️ Voice commands with Copilot
# Install Docker with Winget silently "Copilot, install Docker with winget without confirmation" → winget install Docker.DockerDesktop --silent # Migrate my applications from Chocolatey to Winget "Copilot, migrate my Chocolatey apps to winget" → Automatic migration script # Diagnose an installation error "Copilot, why did the Node.js installation fail?" → Log analysis and fix suggestions⚡ Advanced automation
Copilot generates scripts combining multiple tools:
# Multi-tool batch installation "Copilot, install Git, Python, and VS Code with the optimal tool" → winget install Git.Git Python.Python Microsoft.VisualStudioCode # Cross-tools cleanup "Copilot, clean up unused packages on all managers" → scoop cleanup * & choco remove --all-versions & winget uninstall --orphaned # Custom script "Copilot, create a script that installs Java, clones my repo, and launches the build" → Generation of a complete PowerShell script🔧 Integration with Windows tools
| Tool | What Copilot can do |
|---|---|
| Winget | Silent installations, version management, export/import configurations |
| Chocolatey | Migration between versions, package creation, private repository management |
| Scoop | Bucket management, installations without admin, multi-versions |
| WSL | Translation of Linux commands (apt → winget, etc.) |
| Terminal | Automatic configuration of dedicated profiles and tabs |
💡 Innovative use cases
# Compare installation performance "Copilot, which tool is fastest to install 20 apps?" → Benchmark winget vs choco vs scoop # Secure an installation "Copilot, check if this Scoop script is safe before execution" → Risk analysis # Manage complex dependencies "Copilot, install Node.js with npm and configure PATH" → Installation + environmental configuration📊 Quick comparison
| Criterion | winget | Chocolatey | Scoop |
|---|---|---|---|
| Origin | Microsoft (official) | Community + enterprise offering | Community |
| Repositories | winget + msstore + private | community + private (NuGet) | Git buckets (main, extras, …) + private |
| Security | Manifest + SHA256, signed Store | Review + checksums (scripts) | SHA256, depends on buckets |
| Admin rights | Often required (machine-wide) | Recommended (global) | Not by default (user), -g for global |
| Downgrade | Via --version if available | Yes (--version) | Yes (@version / reset) |
| Ideal for | Windows users & Store integration | Enterprise, CI/CD, DevOps | Devs & power-users, user sandbox |
🔒 Repositories & security: how do these tools compare to Linux?
| Aspect | Linux (apt/dnf/pacman/zypper) | winget | Chocolatey | Scoop |
|---|---|---|---|---|
| Package origin | Official distro repositories (signed builds) | Publisher installers referenced via manifests; also Microsoft Store | Community packages (scripts) + enterprise (private repositories) | Community buckets (Git) + private buckets |
| Verification | GPG/RPM signatures; trust chains | SHA256 hash in manifests; CI validation; signed Store apps | Review + recommended checksums; scripts may call external URLs | SHA256 in manifests; depends on bucket maintainer |
| Sandbox/Integration | Strong integration with package system | Uses native Windows installers (MSI/EXE/MSIX) | Install scripts (PowerShell/MSI/EXE) | Archives/zip and shim; isolated in user profile |
| Downgrade | Often natively supported | Possible if versions available (no dedicated command) | Yes, simple via --version | Yes, via @version/reset |
| Admin rights | sudo with password | Often required for machine-wide (UAC) | Elevated recommended for global | Not by default; -g = admin |
Key takeaways
- Linux: integrated, signed, reproducible packages in distro-managed repositories.
- Windows: these managers orchestrate publisher installers; the trust chain relies on manifests, checksums, and provenance of binaries (official site, Store).
- In enterprise: prefer private repositories (winget private source, Chocolatey feed, private Scoop buckets) and a validation process.
📚 Cookbook — common tasks (with Linux analogies)
| Task | Linux | winget | choco | scoop |
|---|---|---|---|---|
| Update index | apt update / zypper refresh | winget source update | — | scoop update |
| See updates | apt list --upgradable | winget upgrade | choco outdated | scoop status |
| Update all | apt upgrade / pacman -Syu | winget upgrade --all | choco upgrade all -y | scoop update * |
| List installed | dpkg -l, dnf list installed | winget list | choco list --localonly | scoop list |
| Install | apt install pkg | winget install --id <ID> -e | choco install pkg -y | scoop install app |
| Specific version | apt install pkg=ver | --version if available | --version | @version |
| Downgrade | dnf downgrade | depending on versions | yes | yes |
| Uninstall | apt remove | winget uninstall | choco uninstall | scoop uninstall |
| Lock | apt-mark hold | winget pin add | choco pin add | scoop hold |
| Linux environment | Native | wsl --install then manage via apt/dnf | ||
🛡️ Security & best practices
- Reliable sources: Microsoft Store for winget when possible, official publisher URL.
- Checksums: essential for Chocolatey; manifests with SHA256 for winget and Scoop.
- Least privilege: user scope (--scope user / Scoop by default).
- Private repositories in enterprise + validation pipeline (internal mirror).
- Export / backup of your stack (winget export; Scoop list; Choco via scripts).
- WSL: keep the kernel updated via Windows Update.
🎯 Practical scenarios
1) Personal PC, simple and safe
- winget by default (integrated, reliable msstore source)
- Use --id and -e (exact) to avoid name collisions
- Export your selection:
winget export -o apps.json --include-versions
2) Dev workstation (flexible, no admin)
- Scoop for CLI tools, multiple versions, and easy cleanup
- WSL for complete Linux environment
- Enable aria2 to speed up downloads:
scoop install aria2 scoop config aria2-enabled true
3) Enterprise / CI/CD
- Chocolatey + private repository (NuGet, Nexus, Artifactory)
- Require checksums, disable public repository, internal creation/review pipelines
- Simulation before deployment:
choco upgrade all --noop
❓ Frequently Asked Questions (FAQ)
Do I need a password to use these commands?
Not on the command line. If an action requires admin rights, Windows displays a UAC prompt: you validate (admin session) or enter admin credentials if you are in a standard account.
Can I do everything from CMD?
Yes for winget and choco. Scoop mainly targets PowerShell. Windows Terminal is the most comfortable.
Is it as "secure" as Linux?
The model is different. Linux compiles and signs packages within official repositories. On Windows, these tools orchestrate publisher installers; security relies on manifests, hashes, publisher signatures (Store), and your policies (private repositories in enterprise).
Can I use multiple managers on the same machine?
Yes, it's possible and sometimes recommended. For example: winget for main applications, Scoop for dev tools without admin rights. Just avoid installing the same software via multiple managers.
How to verify package integrity before installation?
- Winget: uses SHA256 hashes in official manifests
- Chocolatey: ensure the package has valid checksums (avoid --allow-empty-checksums)
- Scoop: manifests include SHA256 hashes for each downloaded file
What is the best solution for automating deployments?
Chocolatey is best suited for enterprise environments with its private repositories, approval functions, and integration with SCCM/Intune. Winget is also becoming a strong option with its export/import features.
Does WSL replace Windows package managers?
No, WSL is complementary. It allows running complete Linux environments (with apt, dnf, etc.) while winget/choco/scoop manage Windows applications. You can use both together.
🎯 Conclusion
- winget: default choice, integrated and reliable (especially with msstore source)
- Chocolatey: very rich for automation and enterprise (downgrade, pin, private repositories)
- Scoop: lightweight and flexible, perfect without admin rights, multi-versions, easy cleanup
- Copilot: revolutionary AI assistant to automate your CLI workflows
- WSL: essential solution to run a complete Linux environment under Windows
For a "classic" Windows user, start with winget.
For machine management and DevOps, Chocolatey shines.
For devs/power-users, Scoop and WSL are essential.
For everyone, Copilot transforms your CLI experience.
/image%2F7127247%2F20250909%2Fob_d07085_actualitetech.png)
/image%2F7127247%2F20250923%2Fob_9fb6df_par-de-marche.png)
/image%2F7127247%2F20250926%2Fob_3e5df6_prevention-securite-os.jpg)
/image%2F7127247%2F20250922%2Fob_eb212e_b132f11f-950c-494b-a85a-b4d3f81ff580.jpg)
/image%2F7127247%2F20251113%2Fob_117401_architecture-systemd.jpg)
/image%2F7127247%2F20251113%2Fob_6d25b2_architecture-systemd-1.png)
/image%2F7127247%2F20251109%2Fob_621f28_analyse-security.jpg)
/image%2F7127247%2F20251109%2Fob_e1f91c_analyse-security.jpg)