Intune allows to automatically have software installed on target devices. I found a nice write-up on using this in conjunction with Chocolatey, but realized it could be made much easier. First we’ll prepare the files locally which needs to be done only once, instead of for each application.

## Prepare Chocolatey

The following steps depend on Chocolatey, so first follow the previously mentioned write-up on how to install that through Intune.

## The one .intunewin to install them all

Save the script below as install.ps1 in an empty directory, and download IntuneWinAppUtil.exe into that directory as well.

param(
[string]$package = "", [switch]$uninstall = $false ) if ($uninstall) {
choco uninstall $package -y } else { choco upgrade$package -y
}


upgrade will install the package if it isn’t yet installed. Two fish.

You can use this script directly by running ./install.ps1 <package name> [-uninstall]. We’ll use Intune to automate installation of packages.

Now let’s create a generic .intunewin file for all our Chocolatey apps. In the directory run the following in Powershell:

.\IntuneWinAppUtil.exe -c .\ -s install.ps1 -o .\


This creates an .intunewin file which we can re-use in Intune for each application we wish to install using Chocolatey.

## Creating an Intune app

When creating an Intune app, set it as a Windows app (Win32) and during the wizard set the install command to

powershell.exe -executionpolicy bypass .\install.ps1 <package name>


And the uninstall command to

powershell.exe -executionpolicy bypass .\install.ps1 <package name> -uninstall


### Detection

We can also use Chocolatey to detect our package. For this we check using choco if the app exists locally. For that, create the following script:

choco feature enable --name="'useEnhancedExitCodes'" -y
$PackageName = "PACKAGENAME" choco list -e$PackageName --local-only
exit \$LastExitCode


Be sure to replace PACKAGENAME with the name of the package, as used by Chocolatey.

Set the detection rules format to Use a custom detection script, and upload the just created script. Make sure Enforce script signature check and run script silently is set to No.

The above script does some fancy things:

• It enables the useEnhancedExitCodes feature, which ensures the exit code is 2 when the package doesn’t exist. Else it will return 0 because it had no issues checking that the package didn’t exist. This setting just needs to be set once, but we place it here to always be sure it is enabled.
• --local-only ensures it uses the local index of apps, else it will always return true because the package exists in the Chocolatey repository.
• Explicitly exit using the chocolatey given exit code, as powershell may not properly pass this to InTune.

### Dependencies

Finally, make sure to set Chocolatey as a dependency.