By Dan Franciscus
While people frequently use Chocolatey for personal devices, it is also an excellent tool to use for managing software for organizations. One of the great components of Chocolatey is the community software repository, which has over 5,800 unique Windows packages at the moment. For personal use, it is not a terrible idea to install packages from here directly. However, an organization needs to use Chocolatey more in an offline fashion, without depending on the internet to manage their software.
Many of the tasks in this article are taken directly from Chocolatey's own guide.
We will go through a few main steps:
- Setting up an internal repository with Chocolatey Server
- Configuring Chocolatey clients
- Internalizing community packages
Setting up an internal repository with Chocolatey Server
Chocolatey actually maintains a package that installs and configures an IIS web server. This serves packages internally and is named "Chocolatey Server" or "Chocolatey Simple Server." Personally, I find this a great option for getting a repository up and running quickly. While you can install Chocolatey Server via Chocolatey itself, I prefer to do so via Puppet or another configuration management solution. In this article I will do this via Chocolatey for the sake of simplicity.
On the server you would like Chocolatey Server to run on, you have to execute this:
Set-ExecutionPolicy Bypass -Scope Process -Force
choco upgrade chocolatey.server -y --pre
Chocolatey will add the IIS feature, create a site, and do some additional configuring to get it ready to be a feed. It won't do all of the tasks you probably need though. So I recommend you do these tasks as well:
- Change the ApiKey in web.config
- Set up basic authentication to restrict access to the IIS site
- Install an SSL certificate
After completing this, you have your own Chocolatey package feed that you can start populating with packages.
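The first of the three follow-up tasks, replacing the feed's API key, as an added PowerShell example (not from the article or the chocolatey.server package). It assumes the site was installed to C:\tools\chocolatey.server and that the key lives in the appSettings entry named apiKey; both are assumptions, so adjust them to your install.

```powershell
# Added example: replace the Chocolatey Server apiKey in web.config with a
# random value from the OS CSPRNG. Path and setting name are assumptions.
function Set-ChocolateyServerApiKey {
    param(
        [string]$WebConfigPath = 'C:\tools\chocolatey.server\web.config'
    )
    # 32 random bytes, hex-encoded, as the new key (64 characters)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newKey = -join ($bytes | ForEach-Object { $_.ToString('x2') })

    [xml]$config = Get-Content -Path $WebConfigPath -Raw
    $node = $config.configuration.appSettings.add |
        Where-Object { $_.key -eq 'apiKey' }
    if (-not $node) { throw "No apiKey setting found in $WebConfigPath" }

    # Keep a backup, then write the new key; IIS picks up web.config
    # changes by recycling the application automatically
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    $node.value = $newKey
    $config.Save($WebConfigPath)

    # Returned once so it can be placed in your secret store; it is not
    # printed or written anywhere else by this function
    return $newKey
}
```

Store the returned key where your pipeline can read it and never reuse the package's shipped default.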
Configuring Chocolatey clients
To install the Chocolatey client software, we usually point to Chocolatey itself, which downloads the install script. Since we have Chocolatey Server set up (hostname choco-1), we can actually just point our clients there from PowerShell:
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://choco-1/install.ps1'))
Now that we've installed Chocolatey, there is some additional configuring to do for organizational use. I will illustrate a few examples here.
First, let's remove the Chocolatey community feed as a source. Organizations should never have clients install packages from the community repository:
choco source remove --name="'chocolatey'"
Next, let's add our internal repository as a source:
choco source add --name="'choco-1'" --source="'https://choco-1/chocolatey'" --priority="'1'"
For a licensed version of Chocolatey, you'll have to install your license. You can follow the guide here. It's mainly a matter of installing the license file and the package:
choco upgrade chocolatey.extension -y --pre
To reduce the size of Chocolatey packages after installation, we can also configure this:
choco feature enable --name="'reduceInstalledPackageSpaceUsage'"
You probably want to set your Chocolatey clients to use virus scanning at runtime (VirusTotal or whichever antivirus software you use). Here I will configure my clients to use VirusTotal:
choco config set virusScannerType VirusTotal
choco feature enable -n virusCheck
If you want to configure the minimum number of positive results from a VirusTotal scan, you can set that here as well. Here I set my client to halt the installation of any package that even one vendor flags as malware:
choco config set virusCheckMinimumPositives 1
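The client steps above gathered into one idempotent function that also verifies the result, as an added example (not from the article). It assumes the hostname choco-1 and feed path /chocolatey used in this article, the pipe-separated output of choco's -r (limit output) switch, and a licensed client for the VirusTotal features.

```powershell
# Added example: apply the organizational client settings and verify them.
# Returns a list of problems; an empty list means the client is compliant.
function Initialize-ChocoClient {
    param(
        [string]$FeedName = 'choco-1',                       # assumed name
        [string]$FeedUrl  = 'https://choco-1/chocolatey'     # assumed feed
    )
    # 1. Clients must never pull from the community repository
    choco source remove --name="'chocolatey'"
    # 2. The internal feed is the only, highest-priority source
    choco source add --name="'$FeedName'" --source="'$FeedUrl'" --priority="'1'"
    # 3. Disk usage and runtime virus scanning (licensed features)
    choco feature enable --name="'reduceInstalledPackageSpaceUsage'"
    choco config set virusScannerType VirusTotal
    choco feature enable -n virusCheck
    choco config set virusCheckMinimumPositives 1

    # Verification: -r prints one source per line as name|url|disabled|...
    $problems = @()
    $sources  = choco source list -r
    if ($sources -match '^chocolatey\|') {
        $problems += 'community source is still configured'
    }
    $feedPattern = '^' + [regex]::Escape($FeedName) + '\|' + [regex]::Escape($FeedUrl) + '\|'
    if (-not ($sources -match $feedPattern)) {
        $problems += "internal feed $FeedUrl is missing"
    }
    foreach ($line in $sources) {
        # A plain-HTTP feed lets anyone on the path swap package contents
        if ($line -match '^[^|]+\|http://') { $problems += "plain-HTTP source: $line" }
    }
    # Feature list lines are name|Enabled or Disabled|description
    $features = choco feature list -r
    if (-not ($features -match '^virusCheck\|Enabled')) {
        $problems += 'virusCheck feature is not enabled'
    }
    return $problems
}
```

Run it from an elevated PowerShell session; a non-empty return value is what your configuration management should alert on.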
Internalizing community packages
As I noted above, the Chocolatey community repository has over 5,800 Windows packages available. Organizations will likely want to use these existing packages for their own purposes, and can certainly do so. Licensed versions of Chocolatey offer the ability to internalize community packages automatically for private use. This downloads any installers from their internet distribution points and embeds them into the packages. After this, clients won't be reaching to the internet for any installers or resources.
Here, I internalize Google Chrome from the community repository:
Notice Chocolatey also attempts to internalize any dependencies of the package as well, in this case the chocolatey-core.extension.
You can also internalize multiple packages at once. For instance, if I want to internalize Chrome, Java, and FileZilla, I can do so with this command:
choco download googlechrome jre8 filezilla -y --internalize
This will create the Chocolatey packages and allow you to push them to your internal Chocolatey Server with choco push:
choco push .\GoogleChrome.66.0.3359.13900.nupkg --source=https://choco-1/chocolatey --api-key='myapikey'
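The download-and-push steps above as one added PowerShell function (not from the article). It assumes the feed URL https://choco-1/chocolatey from this article, that choco download writes its .nupkg files to the current directory, and that the API key has been stored once beforehand with choco apikey so it never appears on a push command line or in shell history.

```powershell
# Added example: internalize a list of community packages and push every
# resulting .nupkg, dependencies included, to the internal feed.
function Publish-InternalizedPackages {
    param(
        [Parameter(Mandatory)][string[]]$Packages,
        [string]$Source  = 'https://choco-1/chocolatey',                 # assumed
        [string]$WorkDir = (Join-Path $env:TEMP 'choco-internalize')     # assumed
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    Push-Location $WorkDir
    try {
        # Internalized packages (and their dependencies, such as
        # chocolatey-core.extension) land in the current directory
        choco download $Packages -y --internalize
        if ($LASTEXITCODE -ne 0) { throw "choco download failed with exit code $LASTEXITCODE" }

        $pushed = @()
        foreach ($pkg in Get-ChildItem -Path $WorkDir -Filter '*.nupkg') {
            # Key was stored earlier with:
            #   choco apikey --source $Source --api-key <key>
            choco push $pkg.FullName --source=$Source
            if ($LASTEXITCODE -ne 0) { throw "choco push failed for $($pkg.Name)" }
            $pushed += $pkg.Name
        }
        return $pushed   # names of the packages now on the internal feed
    }
    finally {
        Pop-Location
    }
}

# Usage: Publish-InternalizedPackages -Packages googlechrome, jre8, filezilla
```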
While there are certainly other tasks organizations may execute for using Chocolatey internally, these show that setting up Chocolatey is not very difficult. Chocolatey is extremely agile with many great features. The open source version of Chocolatey is perfectly suitable for organizational use. However, licensed versions provide additional features that help further automate package management tasks such as creating and internalizing software.