Intune can automatically install software on target devices. I found a nice write-up on using this in conjunction with Chocolatey, but realized it could be made much easier. First we'll prepare the files locally, which only needs to be done once rather than once per application.
Prepare Chocolatey
The following steps depend on Chocolatey, so first follow the previously mentioned write-up on how to install it through Intune.
The one .intunewin to install them all
Save the script below as install.ps1 in an empty directory, and download IntuneWinAppUtil.exe into that directory as well.
param(
    [string]$package = "",
    [switch]$uninstall = $false
)
if ($uninstall) {
    choco uninstall $package -y
} else {
    # upgrade installs the package when it is not present yet
    choco upgrade $package -y
}
# Hand Chocolatey's exit code to Intune (0 success, 3010 reboot required, anything else failure)
exit $LASTEXITCODE
upgrade will install the package if it isn't yet installed. Two fish. You can use this script directly by running ./install.ps1 <package name> [-uninstall]. We'll use Intune to automate installation of packages.
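The same script in a more defensive form, as an added example (this is not the original post's install.ps1). It resolves choco.exe through $env:ChocolateyInstall instead of relying on PATH, because a process started right after the Chocolatey dependency was installed may still carry the old PATH; it keeps a transcript per package in a log directory (IntuneChoco under ProgramData is my assumption, use whatever you like); and it returns Chocolatey's exit code to Intune unchanged, so 3010 and 1641 map onto Intune's default "soft reboot" and "hard reboot" return codes.

```powershell
# install.ps1, hardened variant (added example, not the original post's script)
param(
    [Parameter(Mandatory = $true)][string]$Package,
    [switch]$Uninstall
)

# Intune runs this as SYSTEM. If Chocolatey was installed moments ago as a
# dependency, this process may still have the old PATH, so locate choco.exe
# explicitly. C:\ProgramData\chocolatey is Chocolatey's default root
# (assumption: no custom ChocolateyInstall location).
$chocoRoot = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { Join-Path $env:ProgramData 'chocolatey' }
$choco = Join-Path $chocoRoot 'bin\choco.exe'
if (-not (Test-Path $choco)) {
    Write-Error "choco.exe not found at $choco; is the Chocolatey dependency installed?"
    exit 1
}

# Per-package transcript for troubleshooting (log location is an assumption).
$logDir = Join-Path $env:ProgramData 'IntuneChoco'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Start-Transcript -Path (Join-Path $logDir "$Package.log") -Append | Out-Null

try {
    if ($Uninstall) {
        & $choco uninstall $Package -y --no-progress
    } else {
        # upgrade installs the package when it is missing, so one verb covers both cases
        & $choco upgrade $Package -y --no-progress
    }
    $code = $LASTEXITCODE
} finally {
    Stop-Transcript | Out-Null
}

# Pass Chocolatey's exit code straight through. Intune's default return-code
# table treats 0 as success, 3010 as soft reboot and 1641 as hard reboot;
# anything else is reported as a failure, which is what we want.
exit $code
```

Call it the same way Intune will: powershell.exe -executionpolicy bypass -file .\install.ps1 <package name> [-Uninstall]. The -file switch matters: when powershell.exe treats its arguments as a command instead, exit codes other than 0 and 1 are collapsed to 1 and Intune never learns that a reboot is pending.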
Now let's create a generic .intunewin file for all our Chocolatey apps. In that directory run the following in PowerShell:
.\IntuneWinAppUtil.exe -c .\ -s install.ps1 -o .\
This creates install.intunewin, which we can re-use in Intune for each application we wish to install using Chocolatey.
Creating an Intune app
When creating an Intune app, set it as a Windows app (Win32), upload the .intunewin file, and during the wizard set the install command to
powershell.exe -executionpolicy bypass -file .\install.ps1 <package name>
and the uninstall command to
powershell.exe -executionpolicy bypass -file .\install.ps1 <package name> -uninstall
Use -file rather than letting powershell.exe treat the rest of the line as a command: in command mode, exit codes other than 0 and 1 are collapsed to 1, so Intune would never see Chocolatey's 3010 (reboot required) and would report the install as failed.
Detection
We can also use Chocolatey to detect our package. For this we check with choco whether the app exists locally. Create the following script:
choco feature enable --name="'useEnhancedExitCodes'" -y
$PackageName = "PACKAGENAME"
choco list -e $PackageName
exit $LastExitCode
Be sure to replace PACKAGENAME with the name of the package, as used by Chocolatey. One caveat: on Chocolatey 1.x, choco list queries the package repository unless you add --local-only (choco list -lo -e $PackageName), so without that flag any package that merely exists online would count as installed; Chocolatey 2.0 made list local-only and dropped the flag.
Set the detection rules format to Use a custom detection script, and upload the just created script. Make sure Enforce script signature check and run script silently is set to No. Intune counts the app as detected only when the script exits with 0 and writes something to STDOUT, which choco list does when it finds the package.
The above script does some fancy things:
- It enables the useEnhancedExitCodes feature, which makes choco list exit with code 2 when the package is not found. Without it choco returns 0, because checking that the package is absent did not itself fail. This setting only needs to be set once, but we put it here so it is always enabled.
- It explicitly exits with the exit code Chocolatey returned, as PowerShell may not pass it through to Intune otherwise.
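A detection script that does not depend on the useEnhancedExitCodes feature and works on both Chocolatey 1.x and 2.x, as an added example (not the original post's script). It parses the "id|version" lines that --limit-output prints instead of trusting choco's exit code, adds --local-only only on 1.x where it is needed, and optionally treats an installed-but-too-old package as "not detected" so Intune upgrades it. $MinimumVersion and the version-padding helper are my additions; replace PACKAGENAME as before.

```powershell
# Custom detection script for Intune (added example; not the original post's).
# Intune treats the app as detected only when this script exits 0 AND writes
# something to STDOUT, so every "not found" path below exits non-zero silently.
$PackageName    = 'PACKAGENAME'   # replace with the Chocolatey package id
$MinimumVersion = $null           # optional, e.g. '3.0.0'; below it the app counts as missing (assumed option)

function ConvertTo-ComparableVersion([string]$v) {
    # Drop a pre-release tag ("1.2.3-beta") and pad a bare "3" to "3.0" so [version] can parse it.
    $core = $v.Split('-')[0]
    if ($core -notmatch '\.') { $core = "$core.0" }
    return [version]$core
}

# Resolve choco.exe without depending on PATH; C:\ProgramData\chocolatey is the default root.
$chocoRoot = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { Join-Path $env:ProgramData 'chocolatey' }
$choco = Join-Path $chocoRoot 'bin\choco.exe'
if (-not (Test-Path $choco)) { exit 1 }   # no Chocolatey, so nothing was installed through it

# On Chocolatey 1.x "choco list" searches the remote repository unless --local-only
# is given, so a package that merely exists online would look installed. 2.x made
# "list" local-only and dropped the flag, hence the version switch.
$major    = [int]((& $choco --version | Select-Object -First 1).Trim().Split('.')[0])
$listArgs = @('list', '--exact', $PackageName, '--limit-output')   # --limit-output: "id|version" per line, no banner
if ($major -lt 2) { $listArgs += '--local-only' }

$pattern   = '^' + [regex]::Escape($PackageName) + '\|'
$installed = @(@(& $choco @listArgs) | Where-Object { $_ -match $pattern })
if ($installed.Count -eq 0) { exit 1 }   # nothing found: Intune will run the install command

$version = ($installed[0] -split '\|')[1]
if ($MinimumVersion -and ((ConvertTo-ComparableVersion $version) -lt (ConvertTo-ComparableVersion $MinimumVersion))) {
    exit 1   # installed but too old: report "not detected" so Intune upgrades it
}

Write-Output "$PackageName $version is installed"   # STDOUT plus exit 0 = detected
exit 0
```

Because the script never relies on choco's exit code, it behaves the same whether or not useEnhancedExitCodes is enabled on the device, and the explicit exit calls are still what carries the result back to Intune.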
Dependencies
Finally, set Chocolatey as a dependency of the app, so Intune installs it first and install.ps1 can find choco when it runs.
Sources
- https://www.thelazyadministrator.com/2020/02/05/intune-chocolatey-a-match-made-in-heaven/
- Chris in the comments for his additions to the detection script