Intune and Chocolatey, Dream Team for Deployment

In this blog series we look at how you can use a combination of Intune, Chocolatey and a few tools (which can also be operated from the command line) to deploy software packages very quickly and productively.

With Chocolatey and Intune you are lightning fast in package deployment, especially if you manage several different Intune customer environments that require the same software packages.

opensight.ch – roman hüsler

This first part of the blog series is more about the theoretical part – showing why we think the combination of Intune and Chocolatey works well together and what Chocolatey is (in case you don’t already know it).

Contents

Part 1 – Intune and Chocolatey, Dream Team for Deployment

Part 2 – Fast Chocolatey Package Creation

  • Chocolatey Packaging
  • Intunewin Packages

Part 3 – Private Package Repository

  • Setting up a private package repository
  • Configurations
  • Agent Configuration for use with private package repository

Benefits of Chocolatey

Chocolatey has become a very popular package manager for Windows. If you don’t know Chocolatey yet, here are a few advantages from our point of view:

  • Uniform command line for installation / uninstallation
    Installation packages come in many formats and with many different parameters (setup.exe, InstallShield, MSI, bare files, …). With a Chocolatey package (nupkg) you have a unified command line for installing and uninstalling packages (“choco install <packagename>”).
  • Transportable
    You can install Chocolatey packages (nupkg) either from a directory (“choco install <packagename> -s c:\temp”) or from a package repository on the Internet with TLS encryption (“choco source add -n mysource -s https://myrepo.com/repository/public/”). There is also the public package repository with hundreds of packages.
  • Package repository
    You can also create a private package repository on the Internet using a NUPKG repository server (e.g. Sonatype Nexus). More on that later in this blog series.
  • Just-in-time deployment
    If you distribute a package with Intune, this always involves waiting times. If, on the other hand, you use a combination of Intune and Chocolatey, you have the option of testing your packages manually on the client just in time. The interaction with the Intune Client Management Service works very well – as you will see later in this blog series (package detection script).

Interplay of Chocolatey and Intune

Image – Interplay of Chocolatey and Intune

As an example, we take a device that is managed by Intune. A Chocolatey Agent is installed on the device. This is a passive agent – it doesn’t do anything as long as it is not explicitly called. If we now want to install a software package with Intune, the Intune Service executes the installation command from the Intunewin package: “choco install <packagename> -y”. The Chocolatey Agent now becomes active and downloads the installation package from the configured repository (via HTTPS, if configured). Then the installation package is executed.

This is also a key advantage when managing different customer environments. You can use the synergies and connect the same package repository here. This saves you a lot of time.

opensight.ch – roman hüsler

Intune Package Detection Script and Compliance

Chocolatey saves the installation files of a package under “c:\programdata\chocolatey\lib\<packagename>” after successful installation. Based on the existence of this folder, you can easily determine whether a package is installed on the computer.

For each Microsoft Intune package you also have to configure “detection rules”. These determine whether a package is already installed on the computer. You can guess: we simply check the existence of the folder “c:\programdata\chocolatey\lib\<packagename>”. This means that even if you interact with the Chocolatey Agent manually (e.g. install packages), the Intune Service will determine that the package is already installed and will not run the installation again.

You can also make the Intune detection script for a Chocolatey package more sophisticated. For example, if you want to determine whether at least package version “3.4.0” is installed, you can use a script based on the “choco list -lo” command (this command lists all locally installed packages).

What we found out along the way: a detection script may (and must) generate exactly one line of standard output and then exit with a return code. Return code 0 in the detection script means that the device is compliant, i.e. the package is correctly installed.

# =======================================
# functions
# =======================================
function packageVersion($packageName) {
    # "choco list -lo -r" prints one "name|version" line per locally installed
    # package without the banner/footer lines, so the package id can be matched exactly
    # (a plain StartsWith() match would also hit e.g. "<name>.install")
    $line = c:\programdata\chocolatey\bin\choco.exe list -lo -r |
        Where-Object { $_.Split('|')[0] -ieq $packageName } |
        Select-Object -First 1

    if ($null -ne $line) {
        $parts = $line.Split('|')
        $installedVersion = [version]$parts[1]

        # the single line of standard output the detection script produces
        Write-Host "Installed Version is $installedVersion"

        return $installedVersion
    } else {
        return $null
    }
}


# =======================================
# MAIN
# =======================================
$packageName = "<my_chocolatey_package_name>"
$installedVersion = packageVersion -packageName $packageName

# exit code 0 = package installed in at least version 3.4.0 (device compliant)
if ($null -ne $installedVersion -and $installedVersion -ge [version]"3.4.0") {
    # Write-Host "$packageName version check => ok"
    exit 0
} else {
    # Write-Host "$packageName version check => not ok"
    exit 1
}
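A second variant of the detection script, added here as an example and not taken from the original post: it combines the folder check and the version check by reading the version directly from the package’s .nuspec file under lib\<packagename>, so it works even when choco.exe cannot be run. It assumes the package folder name equals the package id and that the folder contains <id>.nuspec (as seen for cutepdf); the package name and minimum version are placeholders.

```powershell
# Intune detection script (example, not the author's script).
# Assumes c:\programdata\chocolatey\lib\<id>\<id>.nuspec exists after installation.
# Emits exactly one line of standard output and an exit code (0 = compliant).
param(
    [string]$PackageName    = "<my_chocolatey_package_name>",   # placeholder
    [string]$MinimumVersion = "3.4.0"                          # placeholder
)

function Get-NuspecVersion([string]$packageName) {
    # first check: does the package folder under lib\ exist at all?
    $libDir = Join-Path 'c:\programdata\chocolatey\lib' $packageName
    if (-not (Test-Path -LiteralPath $libDir -PathType Container)) { return $null }

    # second check: read the version from the package metadata (.nuspec)
    $nuspec = Join-Path $libDir "$packageName.nuspec"
    if (-not (Test-Path -LiteralPath $nuspec -PathType Leaf)) { return $null }

    [xml]$doc = Get-Content -LiteralPath $nuspec -Raw
    $raw = [string]$doc.package.metadata.version
    # drop a pre-release suffix such as "-beta", which [version] cannot parse
    $numeric = ($raw -split '-')[0]
    try { return [version]$numeric } catch { return $null }
}

function Test-Compliant($installed, [string]$minimum) {
    return ($null -ne $installed) -and ($installed -ge [version]$minimum)
}

$installed = Get-NuspecVersion $PackageName
if (Test-Compliant $installed $MinimumVersion) {
    Write-Host "$PackageName $installed >= $MinimumVersion : compliant"
    exit 0
} else {
    Write-Host "$PackageName not installed or below $MinimumVersion"
    exit 1
}
```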

Chocolatey Jump Start

Would you like to try Chocolatey for yourself?
Set up a Windows VM and run this lab (10min).

Chocolatey Installation

Open a PowerShell window as administrator and run the installation command according to the Chocolatey documentation. The command installs the passive agent under “c:\programdata\chocolatey” and adds an entry to the “PATH” variable.

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

Image – Chocolatey source list. Community repository

Repository Configuration

You can see that the public community repository has been configured by default:

# list source repositories
choco source list

# list available packages
choco list

Package Installation

Now let’s install a package from the public repository:

choco install cutepdf -y

After a short wait, the software is installed. You will also see under “c:\programdata\chocolatey\lib” that there is a folder called “cutePDF” with the installation files.

This folder contains the package “CutePDF.nupkg” in packed form. It can easily be unzipped with 7zip.

Chocolatey Package Structure

Image – Chocolatey package structure

The folder also contains the already unpacked package, so you can see what a Chocolatey package consists of:

cutepdf.nuspec
The Nuspec file contains the metadata of the package (version, package name, etc.).

tools\chocolateyInstall.ps1
A PowerShell script that is executed when the Chocolatey package is installed.

tools\chocolateyUninstall.ps1
A PowerShell script that is executed when the Chocolatey package is uninstalled.

The setup files (MSI, EXE, etc.) are often also found in the tools directory. In the case of CutePDF, however, you can see in the chocolateyInstall.ps1 script that the installation files are downloaded from the Internet during installation.
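To show what such a tools\chocolateyInstall.ps1 looks like, here is an added example for a fictitious package that, like CutePDF, downloads its installer at install time. It is not the CutePDF package’s script; the package id, download URL, silent switch and SHA-256 checksum are placeholders. Pinning the checksum matters precisely for this download-at-install pattern: if the file served from the URL ever differs from what the package author tested, the install fails instead of running an unknown binary.

```powershell
# tools\chocolateyInstall.ps1 (example, not the CutePDF package's script)
# Runs inside the Chocolatey Agent when "choco install example-app" is executed.
$ErrorActionPreference = 'Stop'

$packageArgs = @{
    packageName    = 'example-app'                                  # must match <id> in the .nuspec
    fileType       = 'exe'                                          # use 'msi' for MSI installers
    url            = 'https://example.invalid/example-app-setup.exe' # placeholder download URL
    checksum       = '<sha256-of-example-app-setup.exe>'           # placeholder, fill in
    checksumType   = 'sha256'
    silentArgs     = '/S'                                           # installer-specific silent switch
    validExitCodes = @(0)
}

# Chocolatey helper: downloads the installer, verifies the checksum against
# the pinned value above and only then runs the installer silently.
Install-ChocolateyPackage @packageArgs

# If the installer ships inside the package's tools\ folder instead, use
# Install-ChocolateyInstallPackage with -File pointing at that local file
# (no download, but the nupkg itself should then come from a trusted repository).
```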

Wrap Up – Intune and Chocolatey

So much for the theoretical part. In the next parts of this blog series we will go into the technical details, create Chocolatey and Intunewin packages and create a private package repository with authentication and TLS encryption.