Anavem
EnglishFrancais
Anavem
Languagefr
How to Install and Configure Chocolatey Package Manager with Microsoft Intune

How to Install and Configure Chocolatey Package Manager with Microsoft Intune

Deploy Chocolatey package manager to Windows devices using Microsoft Intune as a Win32 app with PowerShell scripts, detection rules, and automated package management.

Evan MaelEvan Mael
March 27, 2026 15 min
mediumintune 10 steps 15 min

Why Deploy Chocolatey Package Manager Through Microsoft Intune?

Chocolatey transforms Windows software management by providing a command-line package manager similar to apt-get on Linux or Homebrew on macOS. When deployed through Microsoft Intune, you gain centralized control over software installation across your entire Windows device fleet, eliminating the need for manual software deployment and reducing administrative overhead.

This integration becomes particularly powerful in enterprise environments where you need to maintain consistent software versions, automate updates, and ensure compliance across hundreds or thousands of devices. Rather than manually visiting each machine or relying on users to install software correctly, you can deploy applications with a single command that Intune executes across your managed devices.

What Are the Key Benefits of This Deployment Method?

Deploying Chocolatey via Intune as a Win32 application provides several advantages over traditional software deployment methods. First, it leverages Intune's robust device management capabilities, including targeting specific device groups, scheduling installations, and monitoring deployment success rates in real-time.

The approach also maintains security by running installations in the system context with proper execution policies, ensuring that software installations don't require user intervention or elevated privileges. This is crucial for maintaining security compliance while enabling automated software management.

How Does This Compare to Native Chocolatey Business Integration?

While Chocolatey for Business offers native Intune integration through the Licensed Extension v3.0.0+, this tutorial focuses on the community approach that works with free Chocolatey installations. The Win32 app deployment method provides similar functionality without requiring a Business license, making it accessible to organizations of all sizes.

This method involves packaging Chocolatey itself as an Intune Win32 application, then using it as a foundation for deploying other software packages. Once Chocolatey is installed on devices, you can create additional Win32 apps that use Chocolatey commands to install and manage software, creating a scalable software deployment pipeline.

Implementation Guide

Full Procedure

01

Download and Prepare Required Tools

First, you need to download the Microsoft Win32 Content Prep Tool and create your working directory structure.

Create a new folder on your local machine for this project:

New-Item -ItemType Directory -Path "C:\IntuneApps\Chocolatey" -Force
Set-Location "C:\IntuneApps\Chocolatey"

Download the IntuneWinAppUtil.exe from the Microsoft Download Center and place it in your working directory. You can also download it directly using PowerShell:

Invoke-WebRequest -Uri "https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool/raw/master/IntuneWinAppUtil.exe" -OutFile "IntuneWinAppUtil.exe"
Pro tip: Always verify the hash of downloaded executables from Microsoft to ensure integrity. Use Get-FileHash IntuneWinAppUtil.exe -Algorithm SHA256 and compare with Microsoft's published hash.

Verification: Run dir to confirm IntuneWinAppUtil.exe is present in your working directory.

02

Create the Chocolatey Installation Script

Create the PowerShell script that will install Chocolatey on target devices. This script handles the complete installation process including security protocols and execution policies.

Create a new file called install.ps1 in your Chocolatey folder:

# Chocolatey Installation Script for Intune Deployment
# Set execution policy for this process
Set-ExecutionPolicy Bypass -Scope Process -Force

# Enable TLS 1.2 for secure downloads
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

# Download and execute Chocolatey installation script
try {
    Write-Output "Starting Chocolatey installation..."
    iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
    Write-Output "Chocolatey installation completed successfully"
    
    # Verify installation
    $chocoPath = "$env:ProgramData\chocolatey\choco.exe"
    if (Test-Path $chocoPath) {
        Write-Output "Chocolatey installed at: $chocoPath"
        & $chocoPath --version
    } else {
        throw "Chocolatey installation failed - executable not found"
    }
} catch {
    Write-Error "Chocolatey installation failed: $($_.Exception.Message)"
    exit 1
}

Create an uninstall script called uninstall.ps1:

# Chocolatey Uninstallation Script
try {
    if (Test-Path "$env:ProgramData\chocolatey") {
        Write-Output "Removing Chocolatey..."
        Remove-Item "$env:ProgramData\chocolatey" -Recurse -Force
        Write-Output "Chocolatey removed successfully"
    } else {
        Write-Output "Chocolatey not found - nothing to uninstall"
    }
} catch {
    Write-Error "Uninstallation failed: $($_.Exception.Message)"
    exit 1
}
Warning: The installation script downloads content from the internet. Ensure your target devices have internet access and that chocolatey.org is not blocked by your firewall or proxy settings.

Verification: Run Get-Content install.ps1 to confirm the script content is correct.

03

Package the Application with IntuneWinAppUtil

Now you'll convert your PowerShell scripts into an Intune-compatible .intunewin package using the Microsoft Win32 Content Prep Tool.

Run the IntuneWinAppUtil command to create the package:

IntuneWinAppUtil.exe -c "C:\IntuneApps\Chocolatey" -s "install.ps1" -o "C:\IntuneApps\Output" -q

The parameters explained:

  • -c: Source folder containing your installation files
  • -s: Setup file (your install.ps1 script)
  • -o: Output directory for the .intunewin file
  • -q: Quiet mode (suppresses prompts)

The tool will create a file called install.intunewin in your output directory. This contains your PowerShell script and metadata needed by Intune.

Pro tip: If you need to include additional files (like configuration files or dependencies), place them in the source folder before running IntuneWinAppUtil. All files in the source folder will be included in the package.

Verification: Check that the .intunewin file was created successfully:

Get-ChildItem "C:\IntuneApps\Output" -Filter "*.intunewin"
04

Upload the Application to Microsoft Intune

Access the Microsoft Intune admin center and create a new Win32 app entry for your Chocolatey package.

Navigate to Apps > All apps > Add and select Windows app (Win32) from the dropdown.

In the App package file section, click Select app package file and upload your install.intunewin file. Intune will automatically extract metadata from the package.

Configure the app information:

  • Name: Chocolatey Package Manager
  • Description: Chocolatey is a package manager for Windows that simplifies software installation and management
  • Publisher: Chocolatey Software
  • Category: Developer tools
  • Information URL: https://chocolatey.org
  • Privacy URL: https://chocolatey.org/privacy

For the app icon, you can download the official Chocolatey logo from their website or use this PowerShell command to download it:

Invoke-WebRequest -Uri "https://chocolatey.org/content/images/logo_square.svg" -OutFile "chocolatey-icon.svg"
Warning: Ensure you have the rights to use any logos or icons. The Chocolatey logo is available for use when deploying their software according to their brand guidelines.

Verification: Confirm the app appears in your Intune Apps list with status "Not assigned".

05

Configure Installation and Uninstallation Commands

Set up the commands that Intune will use to install and uninstall Chocolatey on target devices.

In the Program section of your app configuration:

Install command:

powershell.exe -executionpolicy bypass -windowstyle hidden -file install.ps1

Uninstall command:

powershell.exe -executionpolicy bypass -windowstyle hidden -file uninstall.ps1

Configure the installation behavior:

  • Device restart behavior: No specific action
  • Install behavior: System
  • Return codes: Keep the default success (0) and reboot (3010) codes

Set the requirements:

  • Operating system architecture: x64
  • Minimum operating system: Windows 10 1607
  • Disk space required: 100 MB
  • Physical memory required: 1 GB
Pro tip: The -windowstyle hidden parameter prevents PowerShell windows from appearing to end users during installation, providing a cleaner deployment experience.

Verification: Review all command syntax carefully - typos here will cause deployment failures across your entire device fleet.

06

Create Detection Rules for Installation Verification

Configure detection rules that tell Intune how to verify whether Chocolatey is successfully installed on a device.

In the Detection rules section, click Add and select File as the rule type.

Configure the file detection rule:

  • Path: C:\ProgramData\chocolatey
  • File or folder: choco.exe
  • Detection method: File or folder exists
  • Associated with a 32-bit app on 64-bit clients: No

For more robust detection, you can add a second rule using PowerShell script detection. Create a detection script:

# Chocolatey Detection Script
$chocoPath = "$env:ProgramData\chocolatey\choco.exe"

if (Test-Path $chocoPath) {
    try {
        $version = & $chocoPath --version --limit-output
        if ($version -match "^\d+\.\d+\.\d+") {
            Write-Output "Chocolatey version $version detected"
            exit 0
        }
    } catch {
        Write-Output "Chocolatey executable found but not functional"
        exit 1
    }
} else {
    Write-Output "Chocolatey not detected"
    exit 1
}

If using the PowerShell detection method:

  • Script type: PowerShell
  • Run script as 32-bit process: No
  • Run this script using the logged on credentials: No
Warning: Detection rules are critical for proper app management. If detection fails, Intune will continuously try to reinstall the application, potentially causing conflicts.

Verification: Test your detection logic manually on a test machine by running the PowerShell detection script.

07

Configure Dependencies and Supersedence

Set up any dependencies that Chocolatey requires and configure supersedence relationships if you're updating from a previous version.

For Chocolatey, the main dependency is ensuring PowerShell 5.1 or higher is installed. Since this is included in Windows 10/11 by default, you typically don't need additional dependencies.

If you have an existing Chocolatey deployment, configure supersedence:

  • Click Add in the Supersedence section
  • Select your previous Chocolatey app
  • Choose Uninstall to remove the old version before installing the new one

For organizations that want to ensure specific PowerShell modules are available, you can create a dependency script:

# PowerShell Prerequisites Check
$psVersion = $PSVersionTable.PSVersion.Major
if ($psVersion -lt 5) {
    Write-Error "PowerShell 5.1 or higher required. Current version: $psVersion"
    exit 1
}

# Check if execution policy allows script execution
$executionPolicy = Get-ExecutionPolicy
if ($executionPolicy -eq "Restricted") {
    Write-Output "Execution policy is Restricted - will be bypassed during installation"
}

Write-Output "Prerequisites check passed"
exit 0
Pro tip: Use dependencies to create a logical installation order. For example, if you plan to deploy applications via Chocolatey, make those apps dependent on this Chocolatey installation.

Verification: Review the dependency chain in the Intune console to ensure proper installation order.

08

Assign the Application to Device Groups

Configure which devices or users will receive the Chocolatey installation by setting up assignments.

In the Assignments section, click Add group to create assignment rules.

Configure assignment settings:

  • Assignment type: Required (for automatic installation) or Available (for self-service)
  • Included groups: Select your target device groups or user groups
  • Excluded groups: Optionally exclude specific groups (like test devices)

Set the assignment schedule:

{
  "startDateTime": "2026-03-26T09:00:00Z",
  "useLocalTime": true,
  "deadlineDateTime": "2026-03-27T17:00:00Z",
  "restartSettings": {
    "restartNotificationSnoozeDurationInMinutes": 60,
    "restartCountDownDisplayDurationInMinutes": 15
  }
}

For pilot deployments, start with a small test group:

  1. Create a test group with 5-10 devices
  2. Assign the app as "Required" to this group
  3. Monitor deployment success before expanding
Warning: Always test with a small group first. A faulty installation script deployed to thousands of devices can cause significant disruption to your organization.

Configure notification settings if you want users to be informed about the installation:

  • Show all toast notifications: Yes
  • Show restart dialog: Yes (if restart required)
  • Allow user to restart: Yes

Verification: Check the assignment status shows "Pending" for your target devices in the Device install status section.

09

Monitor Deployment and Troubleshoot Issues

Monitor the deployment progress and resolve any installation issues that arise during the rollout.

Navigate to Apps > All apps > Chocolatey Package Manager > Device install status to view real-time deployment status.

Common status indicators:

  • Installed: Successful deployment
  • Failed: Installation encountered an error
  • Pending: Waiting for device check-in or user action
  • Not applicable: Device doesn't meet requirements

For failed installations, check the device logs. On the target device, run:

# Check Intune Management Extension logs
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational" | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-2)} | Format-Table TimeCreated, LevelDisplayName, Message -Wrap

Common troubleshooting steps:

  1. Execution Policy Issues: Ensure the install command includes -executionpolicy bypass
  2. Network Connectivity: Verify devices can reach chocolatey.org
  3. Permissions: Confirm the app is set to install in System context
  4. Detection Rule Failures: Test detection logic manually on affected devices

Create a troubleshooting script for quick diagnosis:

# Chocolatey Deployment Troubleshooting Script
Write-Output "=== Chocolatey Deployment Diagnostics ==="

# Check if Chocolatey is installed
$chocoPath = "$env:ProgramData\chocolatey\choco.exe"
if (Test-Path $chocoPath) {
    Write-Output "✓ Chocolatey executable found at: $chocoPath"
    try {
        $version = & $chocoPath --version
        Write-Output "✓ Chocolatey version: $version"
    } catch {
        Write-Output "✗ Chocolatey executable not functional: $($_.Exception.Message)"
    }
} else {
    Write-Output "✗ Chocolatey not found at expected location"
}

# Check PowerShell version
Write-Output "PowerShell version: $($PSVersionTable.PSVersion)"

# Check execution policy
Write-Output "Execution policy: $(Get-ExecutionPolicy)"

# Check internet connectivity
try {
    $response = Invoke-WebRequest -Uri "https://chocolatey.org" -UseBasicParsing -TimeoutSec 10
    Write-Output "✓ Internet connectivity to chocolatey.org: OK"
} catch {
    Write-Output "✗ Internet connectivity issue: $($_.Exception.Message)"
}

Write-Output "=== End Diagnostics ==="
Pro tip: Set up automated reporting by creating a scheduled task that runs the troubleshooting script and emails results to your IT team for proactive monitoring.

Verification: Confirm successful deployment by checking that devices show "Installed" status and can execute choco --version successfully.

10

Configure Automatic Updates and Maintenance

Set up automated maintenance tasks to keep Chocolatey updated and ensure optimal performance across your device fleet.

Create a scheduled task script for automatic Chocolatey updates:

# Chocolatey Auto-Update Script
# Save as: ChocolateyMaintenance.ps1

Start-Transcript -Path "$env:ProgramData\chocolatey\logs\maintenance.log" -Append

try {
    Write-Output "Starting Chocolatey maintenance - $(Get-Date)"
    
    # Update Chocolatey itself
    Write-Output "Updating Chocolatey..."
    & choco upgrade chocolatey -y
    
    # Update all installed packages
    Write-Output "Updating all packages..."
    & choco upgrade all -y
    
    # Clean up temporary files
    Write-Output "Cleaning temporary files..."
    & choco cache clean
    
    Write-Output "Maintenance completed successfully - $(Get-Date)"
} catch {
    Write-Error "Maintenance failed: $($_.Exception.Message)"
} finally {
    Stop-Transcript
}

Deploy this maintenance script as another Win32 app with these settings:

  • Install command: powershell.exe -executionpolicy bypass -file ChocolateyMaintenance.ps1
  • Detection rule: Script-based detection checking last run timestamp
  • Assignment: Required, recurring every 7 days

Create a detection script for the maintenance task:

# Maintenance Detection Script
$logPath = "$env:ProgramData\chocolatey\logs\maintenance.log"
$maxAge = (Get-Date).AddDays(-7)

if (Test-Path $logPath) {
    $lastWrite = (Get-Item $logPath).LastWriteTime
    if ($lastWrite -gt $maxAge) {
        Write-Output "Maintenance completed within 7 days"
        exit 0
    }
}

Write-Output "Maintenance required"
exit 1

Configure Chocolatey global settings for enterprise use:

# Enterprise Configuration Script
choco config set cacheLocation "$env:ProgramData\chocolatey\cache"
choco config set commandExecutionTimeoutSeconds 14400
choco config set containsLegacyPackageInstalls true
choco config set maxDownloadRateBitsPerSecond 10485760
choco feature enable -n allowGlobalConfirmation
choco feature enable -n logEnvironmentValues
choco feature disable -n showNonElevatedWarnings
Warning: Automatic updates can potentially break applications if package updates introduce breaking changes. Consider testing updates in a pilot group before deploying to production devices.

Set up monitoring for the maintenance tasks by creating a simple reporting script:

# Maintenance Reporting Script
$devices = Get-Content "devices.txt"  # List of device names
$report = @()

foreach ($device in $devices) {
    try {
        $logPath = "\\$device\c$\ProgramData\chocolatey\logs\maintenance.log"
        if (Test-Path $logPath) {
            $lastRun = (Get-Item $logPath).LastWriteTime
            $status = if ($lastRun -gt (Get-Date).AddDays(-7)) { "OK" } else { "Overdue" }
        } else {
            $status = "No Log"
            $lastRun = "Never"
        }
        
        $report += [PSCustomObject]@{
            Device = $device
            LastMaintenance = $lastRun
            Status = $status
        }
    } catch {
        $report += [PSCustomObject]@{
            Device = $device
            LastMaintenance = "Error"
            Status = "Unreachable"
        }
    }
}

$report | Export-Csv "ChocolateyMaintenanceReport.csv" -NoTypeInformation
$report | Format-Table -AutoSize

Verification: Check that the maintenance script runs successfully and creates log entries in $env:ProgramData\chocolatey\logs\maintenance.log.

Frequently Asked Questions

Can I deploy Chocolatey through Intune without a Business license?+
Yes, you can deploy Chocolatey as a Win32 app through Intune using the community version without requiring a Chocolatey Business license. This method involves packaging the PowerShell installation script using IntuneWinAppUtil and deploying it like any other Win32 application. While you won't get the native API integration available with Business licenses, you can still achieve automated software deployment across your device fleet.
What detection rules work best for Chocolatey Intune deployments?+
The most reliable detection rule is checking for the existence of the choco.exe file at C:\ProgramData\chocolatey\choco.exe. You can also use a PowerShell script detection that not only checks for the file's existence but also verifies it's functional by running 'choco --version'. This dual approach ensures Chocolatey is both installed and operational, preventing false positives from incomplete installations.
How do I troubleshoot failed Chocolatey installations through Intune?+
Check the Intune Management Extension logs on affected devices using Get-WinEvent with the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational log. Common issues include execution policy restrictions (ensure your install command uses -executionpolicy bypass), network connectivity problems reaching chocolatey.org, and insufficient permissions (verify the app installs in System context). Create a diagnostic script to test these conditions automatically.
Can I automatically update Chocolatey and installed packages through Intune?+
Yes, create a separate Win32 app containing a PowerShell maintenance script that runs 'choco upgrade all -y' and 'choco upgrade chocolatey -y'. Deploy this as a recurring required assignment with a detection rule based on the last execution timestamp. This approach provides automated updates while maintaining Intune's deployment tracking and reporting capabilities for compliance and monitoring purposes.
What are the system requirements for deploying Chocolatey via Intune?+
Target devices need Windows 10 version 1607 or higher (64-bit), PowerShell 5.1 or later, and internet connectivity to reach chocolatey.org. The deployment requires at least 100MB free disk space and 1GB RAM. Your Intune tenant needs the Win32 app management capability enabled, and you'll need the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) to package the installation scripts.
Evan Mael
Written by

Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#intune#chocolatey#windows

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Configure Suspicious File Blocking in Microsoft Defender Using Intune
tutorial
Cybersecurity

How to Configure Suspicious File Blocking in Microsoft Defender Using Intune

Deep Dive
How to Control Windows Start Menu Shortcuts Using Microsoft Intune
tutorial
Cloud Computing

How to Control Windows Start Menu Shortcuts Using Microsoft Intune

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account