Rubix

View Original

Intune and Package Managers - Part 1: Chocolatey

Deploying applications to Windows 10 devices from Intune has certainly come a long way.  We went from single file .MSI installers only, to using PowerShell scripts to bring down install bits from blob storage to run locally, all the way to full application support with .Intunewin packages.

Following in the footsteps of modern management, we can use package managers to deploy software so that IT doesn’t need to maintain a repository of applications anymore.  There are two, very friendly package managers for Windows that we’ll be talking about today: Chocolatey and Winget.  Both of these allow us to install, update and remove applications via a simple PowerShell script.

I’m going to deep dive on how to leverage these platforms with Intune to make applications management that much easier, with this write-up focusing on Chocolatey and a future post talking about Winget.  And while you may not want to use this method for all of your applications, it will absolutely take the sting out of the ones that have caused you grief for years (I’m looking at you, Adobe Acrobat!)

Getting started with Chocolatey

*All information on Chocolatey is found directly on https://chocolatey.org

Chocolatey is installed via a simple expression delivered via PowerShell:

iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

Once Chocolatey is installed on the system, applications can be installed easily by finding the package name:

choco install PackageName -y

PackageName can be substituted with whichever application you choose- those package names can be found here.

If you are trying to quickly install an app on your PC, then you can stop here.  But for deployment via Intune, a bit more work is required.  Here is the flow we’ll be following:

  1. Deploy Chocolatey as stand-alone (optional)

  2. Create PowerShell install and uninstall scripts

  3. Package scripts for deployment (with Microsoft Win32 Content-prep tool)

  4. Upload and configure application for Intune

  5. Assign and enjoy

Let’s break down what’s involved in each of these pieces.

1. Deploy Chocolatey as stand-alone (optional)

Wait- this part is optional? I know, that seems weird.  Obviously, we need Chocolatey installed before we can use it to install applications.  But there are two ways to go about this.  First, we can deploy Chocolatey to the machine during Autopilot provisioning so we know it’s installed before subsequent apps are deployed.  It’s probably smart to then set Chocolatey as a dependency for said apps.

Alternatively, because it only takes one line, we can include the line to install Chocolatey in the beginning of each install script.  The logic would check for the existence of Chocolatey first, and if not found, install before deploying the intended application package.  I personally prefer this method as it keeps with the theme of packages being lightweight and streamlined.

If you decide to push Chocolatey stand-alone, simply use the Microsoft Win32 Content-prep-tool to wrap a PowerShell script containing the following:

There are two changes here to the standard Chocolatey one line installer.  First, we’re explicitly calling ‘Invoke-Expression’ as opposed to the ‘iex’ shortcut.  Secondly, we’re piping the command to ‘Out-Null’.  As covered in a previous post , Fighting the Enrollment Status Page, we want the installation to finish before the Intune Management Extension looks for the detection rule.

Use the following parameters to configure the Chocolatey .INTUNEWIN file:

2. Create PowerShell install and uninstall scripts

Start by creating a directory to place your PowerShell scripts in.  For this example I’ll be deploying Notepad++.  I’ve created two scripts; InstallNotepad.ps1 and UninstallNotepad.ps1, and have placed them both in the install directory.  Be sure to get the package name from https://chocolatey.org/packages.

If you’ve decided to package and deploy Chocolatey stand alone, the install script will look like this:

As you can see, we’re again adjusting the standard “choco install” commands.  Besides adding the Start-Process -Wait component, we’re explicitly calling the full path to choco.exe.  Again, while it may not be required, I have found that the more explicit you are with install scripts, the better the results.

If Chocolatey stand alone is not being deployed first, we will add that logic into the beginning of the script:

There’s no harm in using this as a template for all Chocolatey apps, since if Chocolatey is detected, the install will simply be skipped.  In fact, as a template, I’ve marked the only component that needs to be changed depending on the package being deployed.

My uninstall script contains the following:

3. Package scripts for deployment

After the scripts are complete, create the .INTUNEWIN file.  If you haven’t already, download the Microsoft Win32 Content-Prep-Tool here. The command line to wrap will look as follows:

Before we upload to Intune, obtain all the required information you will need to configure the application; app description, icon, requirements and detection rule.

4. Upload and configure application for Intune

Here are the parameters I’ve set in Intune for my Notepad++ installation:

5. Assign and enjoy

Simple enough, right?  I’ve made Notepad++ available in my Intune Company Portal as an available application.  All I have to do is click ‘Install’ and the app will deploy silently as with any Intune deployment. 

Next up, we’ll be exploring Microsoft’s own package manager.