Intune and Chocolatey, Dream Team for Deployment
In this blog series we look at how you can use a combination of Intune, Chocolatey and some tools (which can also be operated via the command line) to act very quickly and productively with the deployment of software packages.
With Chocolatey and Intune you are lightning fast in package deployment, especially if you manage several different Intune customer environments that require the same software packages.
opensight.ch – roman hüsler
This first part of the blog series is more about the theoretical part – showing why we think the combination of Intune and Chocolatey works well together and what Chocolatey is (in case you don’t already know it).
Contents
Part 1 – Intune and Chocolatey, Dream Team for Deployment
- Benefits of Chocolatey
- Interplay of Chocolatey and Intune
- Package Detection and Compliance
- Chocolatey Jump Start
- Wrap up
Part 2 – Fast Chocolatey Package Creation
- Chocolatey Packaging
- Intunewin Packages
Part 3 – Private Package Repository
- Setting up a private package repository
- Configurations
- Agent Configuration for use with private package repository
Benefits of Chocolatey
Chocolatey has become a very popular package manager for Windows. If you don't know Chocolatey yet, here are a few advantages from our point of view:
- Uniform command line for installation / uninstallation
Installation packages come in many formats and with many different parameters (setup.exe, InstallShield, MSI, bare files, …). With a Chocolatey package (nupkg) you have a unified command line for installing and uninstalling packages ("choco install <packagename>", "choco uninstall <packagename>").
- Transportable
You can install Chocolatey packages (nupkg) either from a directory ("choco install <packagename> -s c:\temp") or from a package repository on the Internet over HTTPS ("choco source add -n mysource -s https://myrepo.com/repository/public/"). There is also the public community package repository with thousands of packages.
- Package repository
You can also run your own private package repository using a NuGet-compatible repository server (e.g. Sonatype Nexus), on the Internet or in your own network. More on that later in this blog series.
- Just-in-time deployment
If you distribute a package with Intune, this always involves waiting until the device checks in. If, on the other hand, you use a combination of Intune and Chocolatey, you can test your packages manually on the client just in time ("choco install" by hand), and the Intune detection rule will afterwards recognise the package as installed. The interaction with the Intune Management Extension works very well, as you will see later in this blog series (package detection script).
Interplay of Chocolatey and Intune
As an example, we take a device that is managed by Intune. A Chocolatey Agent is installed on the device. This is a passive agent: it doesn't do anything as long as it is not explicitly called. If we now want to install a software package with Intune, the Intune Management Extension executes the installation command from the Intunewin package, "choco install <packagename> -y". The Chocolatey Agent now becomes active and downloads the package from the configured repository (over HTTPS when the source is a remote repository). Then the installation script inside the package is executed. Note that Intune runs Win32 app install commands in the SYSTEM context by default, so everything the package's chocolateyInstall.ps1 does runs with SYSTEM rights; the package source you configure is therefore a trust boundary, which is why a private repository with pinned versions is worth the effort.
This is also a key advantage when managing different customer environments. You can use the synergies and connect the same package repository here. This saves you a lot of time.
opensight.ch – roman hüsler
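A wrapper script such as the following is what we would put into the Intunewin package as the install and uninstall command instead of a bare "choco install". It is an added example, not code from the original post: the package name, the pinned version and the source name "myrepo" are placeholders, and it assumes Chocolatey itself has already been deployed to the device (for example as its own Win32 app that the software apps declare as a dependency). It restricts the install to one source, pins the version, and maps Chocolatey's exit codes onto the return codes an Intune Win32 app understands (0 success, 3010 soft reboot, 1641 hard reboot, 1618 retry).

```powershell
# Install-ChocoApp.ps1
# Wrapper an Intune Win32 app can use as its install / uninstall command line.
# Added example (not from the original post). Assumptions: the package name, the
# pinned version and the source name 'myrepo' are placeholders; use your own values.
#
# Intune install command (assumption):
#   powershell.exe -ExecutionPolicy Bypass -File Install-ChocoApp.ps1 -PackageName 7zip -Version 23.1.0
# Intune uninstall command (assumption):
#   powershell.exe -ExecutionPolicy Bypass -File Install-ChocoApp.ps1 -PackageName 7zip -Uninstall
param(
    [Parameter(Mandatory = $true)][string]$PackageName,
    [string]$Version,               # pin the version so every tenant installs the same build
    [string]$Source = 'myrepo',     # name of the choco source configured on the device (assumption)
    [switch]$Uninstall
)

# choco.exe lives under $env:ChocolateyInstall (set by the Chocolatey installer);
# fall back to the default location in case the variable is missing in the SYSTEM context.
$root  = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { 'C:\ProgramData\chocolatey' }
$choco = Join-Path $root 'bin\choco.exe'

if (-not (Test-Path $choco)) {
    Write-Output "choco.exe not found at $choco - deploy Chocolatey first (Intune app dependency)."
    exit 1
}

if ($Uninstall) {
    $chocoArgs = @('uninstall', $PackageName, '--yes', '--no-progress')
} else {
    # --source limits the install to the named repository, so a typo in the package name
    # cannot silently pull something else from the community feed.
    # --exit-when-reboot-detected makes choco stop with 350 / 1604 instead of installing
    # on top of a pending reboot.
    $chocoArgs = @('install', $PackageName, '--yes', '--no-progress',
                   '--source', $Source, '--exit-when-reboot-detected')
    if ($Version) { $chocoArgs += @('--version', $Version) }
}

Write-Output "Running: $choco $($chocoArgs -join ' ')"
& $choco @chocoArgs
$rc = $LASTEXITCODE

# Map Chocolatey exit codes onto the codes Intune understands for Win32 apps:
#   0    success                        -> 0    (success)
#   3010 restart required               -> 3010 (soft reboot)
#   1641 restart initiated              -> 1641 (hard reboot)
#   350  pending reboot, nothing done   -> 1618 (Intune retries later; design choice of this wrapper)
#   1604 reboot detected, work partial  -> 1618 (retry after the reboot rather than report success)
#   anything else                       -> 1    (failed)
switch ($rc) {
    0       { exit 0 }
    3010    { exit 3010 }
    1641    { exit 1641 }
    350     { exit 1618 }
    1604    { exit 1618 }
    default {
        Write-Output "choco exited with $rc; see $root\logs\chocolatey.log"
        exit 1
    }
}
```

The script writes its own progress to STDOUT so it ends up in the Intune Management Extension log; the detailed Chocolatey log stays in chocolatey.log under the Chocolatey installation directory.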
Intune Package Detection Script and Compliance
After a successful installation Chocolatey keeps the package under "c:\programdata\chocolatey\lib\<packagename>": the nupkg itself plus its unpacked contents (nuspec, tools scripts). The existence of this folder is an easy way to determine whether a package has been installed on the computer.
For each Microsoft Intune package (Win32 app) you also have to configure "detection rules". These determine whether the app is already installed on the computer. You can guess: we simply use a file/folder rule that checks the existence of "c:\programdata\chocolatey\lib\<packagename>". This means that even if you interact with the Chocolatey Agent manually (e.g. install packages by hand), the Intune Management Extension will determine that the package is already installed and will not run the installation again. Keep in mind what this rule proves: only that Chocolatey installed the package at some point, not which version is present and not that the software is still there if someone removed it by other means.
You can also make the Chocolatey package detection script for Intune more sophisticated. For example, if you want to determine whether at least package version "3.4.0" is installed, you can use a script based on "choco list", which lists the locally installed packages (on Chocolatey CLI versions before 2.0 you need "choco list -lo" / --local-only, because plain "choco list" queried the remote sources there).
What we found out by the way: a custom detection script must write something to standard output and exit with return code 0 for Intune to treat the app as detected (device compliant, package correctly installed). A non-zero exit code, or exit code 0 with empty output, means "not detected". One line of output is enough.
# =======================================
# functions
# =======================================
function packageVersion($packageName) {
# choco.exe location: $env:ChocolateyInstall, falling back to the default path
$root = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { 'C:\ProgramData\chocolatey' }
$choco = Join-Path $root 'bin\choco.exe'
if (-not (Test-Path $choco)) { return $null }
# --limit-output prints one "name|version" line per package, which is easier to parse
# than the human-readable table (and has no "N packages installed." summary line).
# --exact avoids prefix matches ("git" would otherwise also match "git.install").
# On Chocolatey CLI 1.x add --local-only; since 2.0 "choco list" is local-only anyway.
$lines = & $choco list --limit-output --exact $packageName 2>$null
foreach ($line in @($lines)) {
$parts = "$line".Split('|')
if ($parts.Count -ge 2 -and $parts[0] -ieq $packageName) {
# drop a pre-release suffix such as "-beta1" so the [version] cast succeeds
return [version]($parts[1] -replace '-.*$', '')
}
}
return $null
}
# =======================================
# MAIN
# =======================================
$packageName = "<my_chocolatey_package_name>"
$minVersion = [version]"3.4.0"
$installedVersion = packageVersion -packageName $packageName
if($installedVersion -ne $null -and $installedVersion -ge $minVersion) {
# Intune treats "output on STDOUT + exit code 0" as detected
Write-Output "$packageName version check => ok ($installedVersion >= $minVersion)"
exit 0
}else{
# nothing on STDOUT and exit code 1 => not detected, Intune runs the install
exit 1
}
Chocolatey Jump Start
Would you like to try Chocolatey for yourself?
Set up a Windows VM and run this lab (10min).
Chocolatey Installation
Open PowerShell as administrator and run the installation command according to the Chocolatey documentation. The command downloads and executes the install script, installs the passive agent under "c:\programdata\chocolatey", sets the "ChocolateyInstall" environment variable and adds the bin directory to the "PATH" variable. For a lab this is fine; in production you would rather install the Chocolatey package from your own private repository (Part 3) than execute a script straight from the Internet.
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
Repository Configuration
You can see that the public community repository has been configured by default:
# list source repositories
choco source list
# search the packages available on the configured sources
# ("choco list" did this on Chocolatey CLI 1.x; since 2.0 "choco list" only shows locally installed packages)
choco search
Package Installation
Now let’s install a package from the public repository
choco install cutepdf -y
After a short wait the software is installed. You will also see under "c:\programdata\chocolatey\lib" that there is a folder called "cutepdf" with the package contents.
It contains the package "cutepdf.nupkg" in packed form. A nupkg is just a zip archive, so it can easily be unzipped with 7-Zip (or copied to a .zip file and opened with Expand-Archive)...
Chocolatey Package Structure
Next to it, Chocolatey has already unpacked the package, so you can see what a Chocolatey package consists of:
cutepdf.nuspec
The Nuspec file contains the metadata of the package (version, package name, etc.).
tools\chocolateyInstall.ps1
A powershell script that is executed when installing the Chocolatey package.
tools\chocolateyUninstall.ps1
A powershell script that is executed when the Chocolatey package is uninstalled.
The setup files (MSI, EXE, etc.) are often also found in the tools directory. In the case of CutePDF, however, you can see in the chocolateyInstall.ps1 script that the installer is downloaded from the Internet during installation. Since that script runs with SYSTEM rights when Intune triggers it, such a download should always be pinned to a checksum of the binary you vetted: Chocolatey's Install-ChocolateyPackage helper verifies the downloaded file against the checksum / checksumType values given in the package and aborts on a mismatch, so a changed download on the vendor's server does not get executed silently.
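To make the two variants concrete, here is what a tools\chocolateyInstall.ps1 looks like for a hypothetical package "mytool": if the installer is shipped inside the nupkg it is run from the tools directory without any network access, otherwise it is downloaded with a pinned SHA256 checksum. This is an added example and not the CutePDF package's script or code from the original post; the package name, download URL, version and the all-zero checksum are placeholders you replace with values computed from the exact binary you vetted (for example with Get-FileHash).

```powershell
# tools\chocolateyInstall.ps1 for a hypothetical package 'mytool'
# Added example (not the CutePDF package's script, not from the original post).
# Placeholders: package name, URL, version and checksum. Compute the real checksum from
# the binary you tested, e.g. (Get-FileHash .\mytool-1.2.3.msi -Algorithm SHA256).Hash
$ErrorActionPreference = 'Stop'

$toolsDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$pkg      = $env:ChocolateyPackageName      # set by Chocolatey while the package runs
$embedded = Join-Path $toolsDir 'mytool-1.2.3.msi'

if (Test-Path $embedded) {
    # Variant 1: installer shipped inside the nupkg. No download at install time, so the
    # only thing that can run is what was reviewed when the package was built.
    Install-ChocolateyInstallPackage -PackageName $pkg `
        -FileType 'msi' `
        -File $embedded `
        -SilentArgs '/qn /norestart' `
        -ValidExitCodes @(0, 3010, 1641)     # 3010/1641 = reboot required/initiated
} else {
    # Variant 2: download at install time, as the CutePDF package does, but with the hash
    # pinned. Install-ChocolateyPackage compares the downloaded file against 'checksum'
    # and aborts before executing anything when it differs.
    $packageArgs = @{
        packageName    = $pkg
        fileType       = 'msi'
        url            = 'https://downloads.example.com/mytool/1.2.3/mytool-1.2.3.msi'      # placeholder
        checksum       = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder SHA256
        checksumType   = 'sha256'
        silentArgs     = '/qn /norestart'    # standard msiexec silent switches
        validExitCodes = @(0, 3010, 1641)
    }
    Install-ChocolateyPackage @packageArgs
}
```

Variant 1 is the one to prefer for packages served from your own repository: the binary travels inside the nupkg over the authenticated HTTPS connection to your repository, and the install works on devices without outbound Internet access.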
Wrap Up – Intune and Chocolatey
So much for the theoretical part. In the next parts of this blog series we will go into the technical details, create Chocolatey and Intunewin packages and create a private package repository with authentication and TLS encryption.