
This idea came to me when I was configuring Puppet Server to manage our Windows VMs. One thing that annoyed me for the longest time was having Notepad++ installed everywhere and getting that popup that an update is available. Disabling the update check is not the solution. I realized that our server deployments are good: we build containers, automate installation of programs with package managers like Chocolatey on Windows and Yum on CentOS, and fully orchestrate servers and services. We can do something similar to keep our own personal computers’ software up-to-date using Chocolatey, without all the orchestration tech we usually need. Basically, it’s just a scheduled task that runs a Chocolatey script to keep our stuff up-to-date.

Install Chocolatey

Chocolatey is the most popular package manager for Windows. The simplest way to install it is to run the following in an elevated PowerShell; it’s a one-step install:

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

https://chocolatey.org/install

Script Your Environment

Create a script that lists all the software you have installed for which there is an up-to-date Chocolatey package; most popular software is already there. Create a new PowerShell script at C:\Software\Chocolatey.ps1 and add the line:

choco upgrade all -y

Putting this first ensures that both Chocolatey itself and every package already installed get upgraded. More info on the upgrade command: https://chocolatey.org/docs/commandsupgrade

* Chocolatey Pro / Business automatically synchronizes with Programs and Features, so installed apps are detected and their versions kept up-to-date automatically; you can skip the next part if you’re using one of those.

Add All Your software

Open Add or Remove Programs / Apps and Features, go through the list of installed programs, and try to find the matching package for each on Chocolatey’s repository at https://chocolatey.org/packages. Adding all your programs to this script also keeps it handy for the future if you get a new computer or reinstall Windows.

For example, a full script might look like this (choco install is a no-op for packages that are already installed, so the script can be run repeatedly):

choco upgrade all -y

choco install notepadplusplus -y
choco install dotnetcore-sdk -y
choco install wireshark -y
choco install docker-desktop -y
choco install filezilla -y
choco install googlechrome -y
choco install git -y
choco install vscode -y
choco install jdk8 -y
choco install glasswire -y
choco install nodejs -y

Schedule the script to run frequently

Now we schedule it in Windows Task Scheduler with a basic task that we’ll make run weekly.

For our Action, we Start a Program with powershell.exe as the program, and the location of our .ps1 script in the arguments:

Arguments: -file "C:\Software\Chocolatey.ps1"

Next, open the task’s properties and check the box Run with Highest Privileges. Since this is a personal computer, I’ll likely be logged in when this is happening, so there’s no need to make it store my password.
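The same Task Scheduler setup, done from an elevated PowerShell instead of the GUI. This is an added example, not code from the original post; it assumes the script path C:\Software\Chocolatey.ps1 from above, and the task name, the Sunday 09:00 trigger and the folder ACL are my own choices. The ACL step is there because a task that runs with highest privileges should only execute a script that non-administrators cannot modify.

```powershell
# Added example: register the weekly Chocolatey upgrade task (run from an elevated PowerShell).
# Assumes the script lives at C:\Software\Chocolatey.ps1 as in the post; task name is my choice.
$ScriptPath = 'C:\Software\Chocolatey.ps1'
$TaskName   = 'Chocolatey Weekly Upgrade'

if (-not (Test-Path $ScriptPath)) {
    throw "Script not found: $ScriptPath"
}

# The task runs elevated, so only SYSTEM and Administrators may change what it executes.
# Stop inheriting the default ACL and grant Users read/execute only.
$acl = Get-Acl 'C:\Software'
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL, discard inherited rules
$flags = 'ContainerInherit,ObjectInherit'
foreach ($rule in @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',  'FullControl',    $flags, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators','FullControl',    $flags, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users',         'ReadAndExecute', $flags, 'None', 'Allow')
)) { $acl.AddAccessRule($rule) }
Set-Acl -Path 'C:\Software' -AclObject $acl

# Same as the GUI action: Start a program -> powershell.exe with the script file as argument.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Weekly trigger; adjust day and time to taste.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 9am

# Current user, elevated ("Run with highest privileges"), interactive logon only,
# so no password is stored, matching the post's choice for a personal machine.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Highest

# Run the task if a scheduled start was missed, and cap a stuck upgrade at two hours.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the task exists and is ready.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```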

Make sure everything else gets updates

Verify that your Virus & threat protection settings are on, including Real-time protection, cloud-delivered protection, tamper protection and so on.

Make sure Windows Updates are active and you keep up with installing and restarting.

Enable other Microsoft software like MS SQL Server to also receive updates via Windows Update. To check this, go to Windows Update -> Advanced options and check the box Receive updates for other Microsoft products when you update Windows.
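A quick self-check for the items in this section, as an added example that is not part of the original post. It assumes an elevated PowerShell on a machine where the Windows Defender module is present; the age thresholds are my own, and the Microsoft Update service ID is the well-known GUID that the "other Microsoft products" checkbox registers.

```powershell
# Added example: audit the protection and update settings described in this section.
# Thresholds (signature age, full scan age) are my own choices, not from the post.
$findings = @()

# Defender status: antivirus, real-time protection, tamper protection, signatures, scans.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Antivirus is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if (-not $mp.IsTamperProtected)         { $findings += 'Tamper protection is off' }
if ($mp.AntivirusSignatureAge -gt 3)    { $findings += "Signatures are $($mp.AntivirusSignatureAge) days old" }
if ($mp.FullScanAge -gt 30)             { $findings += "Last full scan was $($mp.FullScanAge) days ago" }

# Cloud-delivered protection is a preference: MAPSReporting 0 = off, 1 = basic, 2 = advanced.
$pref = Get-MpPreference
if ($pref.MAPSReporting -eq 0) { $findings += 'Cloud-delivered protection is off' }

# "Receive updates for other Microsoft products" = the Microsoft Update service is
# registered with Automatic Updates. Checked through the Windows Update Agent COM API.
$muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'
$svc = (New-Object -ComObject Microsoft.Update.ServiceManager).Services |
    Where-Object { $_.ServiceID -eq $muServiceId }
if (-not $svc -or -not $svc.IsRegisteredWithAU) {
    $findings += 'Updates for other Microsoft products are not enabled'
}

# Pending Windows updates and a pending reboot (the search can take a minute).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
if ($pending.Count -gt 0) { $findings += "$($pending.Count) Windows update(s) pending" }
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) { $findings += 'Reboot required to finish installing updates' }

if ($findings.Count -eq 0) { 'All checks passed' } else { $findings | ForEach-Object { "FAIL: $_" } }
```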

Install a free Compliance Monitor

Compliance isn’t just a term for work; we might as well apply it anywhere we need to make sure our computers meet our own policy and are secure.

I really like OPSWAT’s MetaAccess for this; they have a lot of great products overall as a company, and MetaAccess solves some very real corporate challenges. They offer a free version for up to 50 devices, which you can find here: https://www.opswat.com/free-tools

Once you’ve created a free account and logged in, go to Add devices and download the client suitable for your computer.

Once installed, it will automatically run a scan of your computer and display the results on your dashboard. It also includes a link to a page with details about all the issues and CVEs discovered, and a remediation page with detailed explanations of the actions to take.

If any issues are present, click for more details. In the case above, a full antivirus scan wasn’t run recently, so we need to run it.

Click on CVEs next, examine the list of programs with identified vulnerabilities, and update them as needed. For example, I had an old version of Cisco AnyConnect that isn’t available on Chocolatey, so it needs to be updated manually.

Configure your Compliance Policy

Next, go to Policies and edit the Default policy.

Review all the tabs of the policy and update as needed. It comes with some really great defaults, but it’s worth taking the time to explore all the available options.

Next, under Inventory -> Applications you can get a list of all the detected applications, along with vendors and any identified risks.

You can (and should) also add your phone, laptop, and any other devices you have around the house, such as Raspberry Pis. It really helps your security to have a central place to view the status and security of every device.

Finally, go to Settings -> Reports & Notifications and enter your email and report frequency; you’ll get a report of your devices emailed to you routinely, so you’re always on top of things.
