Secure Offline Deployments

How to Manage Windows Software with an Offline Deployments Solution

Chocolatey for Business customers are some of the largest and most secure organizations in the world.

With these customers, we have created a best practice solution called Offline Deployments based on their complex IT landscape and security constraints.

This Solution Brief describes the Offline Deployments solution and offers a choice of three patterns. The pattern you choose depends on the constraints you have, and those constraints are often security constraints.

Offline Deployments Are Driven by Security Needs

"How do we use Chocolatey for Business to automate our Windows software management in line with industry-standard security practices?"

Protect Your Software

Create an internal software repository with curated packages and restrict access to uploads and downloads.

Read National Cyber Security Center advice

Isolate Your Endpoints

Use network architectures and air-gap techniques to isolate locations and individual endpoints.

Read about air gap architectures

Four Ways These Security Constraints Can Impact System Administrators

1. Architecture

Where do you deploy your repository and Chocolatey for Business in relation to your endpoints?

2. Installation

How do you configure the software and endpoints in multiple locations and on air-gapped systems?

3. Operation

A day in the life of a SysAdmin: getting the software into the repository and managing Chocolatey for Business.

4. Optimization

Using the virtual appliance approach with Chocolatey Quick Deployment Environment.

Applying this Offline Deployments solution with Chocolatey for Business is a real-world, in-production answer that meets the most common security requirements in software management.

Introducing the Quick Deployment Environment

All of the patterns described in this solution use the Chocolatey for Business virtual appliance called the Quick Deployment Environment, or QDE.

QDE is a production-ready, all-in-one virtual appliance and scales to manage a thousand endpoints.

It contains Chocolatey for Business, Jenkins and a Sonatype Nexus repository out of the box.

Learn more about the QDE here.
Quick Deployment Environment Architecture

Which offline deployment solution do you need?

There are three slightly varied patterns that address the same problem; which one you need depends on the constraints you have.

Constraints each pattern addresses (as described in the pattern sections below):

Pattern                       Private repository   Offline location   Air-gapped endpoint
Internal Deployment Pattern   Yes                  No                 No
Remote Deployment Pattern     Yes                  Yes                No
Isolated Deployment Pattern   Yes                  Yes                Yes

1. Internal Deployment

Most Chocolatey for Business customers secure their software deployments, by default, by using an internal (private, secure and self-curated) software repository.

This pattern reduces the risk of malware by forcing endpoints to use a secure internal repository as their software source instead of public community repositories. It also protects against malicious internal actors.

An Internal Deployment is not limited to one location. If you have the right network infrastructure you could extend this to remote locations/branches in a "hub-and-spoke" model with HQ as the hub, where the Quick Deployment Environment (QDE) is deployed, and QDE-client endpoints in remote branch offices “calling home” for software.

Steps Required to Implement the Internal Deployment Pattern
  1. Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
  2. Add packages and a Chocolatey for Business license to the repository.
  3. Use Package Internalizer to curate selected community packages to the internal repository.
  4. Connect the endpoints and configure them to use the QDE repository.
  5. Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.

2. Remote Deployment

Some organizations need to do a little more than the Internal Deployment pattern because they have an additional constraint: they need to deploy Chocolatey for Business to secure remote locations where internet connectivity is limited or not available.

The added complications arise during initial deployment and continued operation:

  • How do we get software into the disconnected remote location?
  • How do we then manage the software and endpoints in the remote location using Chocolatey for Business?

The answer to this is to split the previous Internal pattern into two parts:

  • Prepare the QDE in a “normal” connected environment onto removable media (or maybe you have a VPN or DMZ and can use that).
  • Take the removable media preparation to the remote location (or copy over the VPN) and deploy the solution.

This also requires a different ongoing remote operating model:

  • The endpoints at the remote location will access their local QDE repository across their local shared network that is not connected to the internet.
  • The remote endpoints will not “call HQ” for software. If they call HQ then that is a “branch-to-HQ” or “hub-and-spoke” model, not a disconnected remote location.
  • Updating the remote repository, and therefore the endpoints, requires an administrator to visit the remote location with the software on removable media.

Steps Required to Implement the Remote Deployment Pattern
  1. Start the preparation in an internet-connected location.
  2. Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
  3. Add packages and a Chocolatey for Business license to the repository.
  4. Use Package Internalizer to curate selected community packages to the internal repository.
  5. Store the prepared QDE environment on removable media if there is no secure connection (VPN or DMZ) to the remote location.
  6. Deploy the QDE on a networked server in the remote location so clients can access it.
  7. Connect the endpoints and configure them to use the QDE repository.
  8. Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.

3. Isolated Deployment

In the most secure organizations, not only are secure remote locations disconnected from the internet, but each individual endpoint is air-gapped from the network and from each other.

It is still possible and beneficial to use Chocolatey for Business in this locked-down scenario because of the ease-of-use features you get in C4B; with Chocolatey Open Source you would have to build these features yourself.

Similar to the Remote Deployment, the to-be-implemented solution is first prepared at a site with internet connectivity then transferred to each air-gapped endpoint on removable media.

Steps Required to Implement the Isolated Deployment Pattern
  1. Start the preparation in an internet-connected location.
  2. Use the Chocolatey Quick Deployment Environment so you don’t need to hand-install the repository and Chocolatey components.
  3. Add packages and a Chocolatey for Business license to the repository.
  4. Use Package Internalizer to curate selected community packages to the internal repository.
  5. Store the prepared QDE environment on removable media.
  6. Deploy the QDE appliance from the removable media onto each air-gapped endpoint.
  7. Configure the endpoint to use the QDE repository.
  8. Use Package Synchronizer to curate existing, deployed but unmanaged software from endpoints to the internal repository.
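The steps that the three patterns share (internalize community packages into the QDE repository, lock each endpoint to that repository, and export unmanaged software with Package Synchronizer) can be scripted. The PowerShell below is an added example written for this brief, not code from Chocolatey Software or the QDE itself. The repository host name, repository name, staging folder, removable-media path and API key are placeholder assumptions; the Package Internalizer (choco download --internalize) and Package Synchronizer (choco sync) commands are Chocolatey for Business licensed features, and the source-locking and verification steps work on any Chocolatey CLI.

```powershell
# Added example, not part of the Chocolatey solution brief. Host name, repository
# name, paths and API key are placeholder assumptions; replace them with your own.

$RepoName = 'ChocolateyInternal'                                    # assumed repo name on the QDE
$RepoUrl  = 'https://qde.example.internal:8443/repository/ChocolateyInternal/'  # placeholder URL
$ApiKey   = '<NEXUS-API-KEY-PLACEHOLDER>'                           # never hard-code a real key
$Staging  = 'C:\ChocoStaging'                                       # assumed local staging folder
$Media    = 'D:\ChocoPackages'                                      # assumed removable-media path

# --- Prepared at the internet-connected site (all three patterns) ---

# Package Internalizer (licensed): rewrite a community package so that its installer
# is embedded instead of being downloaded at install time, then push the resulting
# .nupkg files (the package and any dependencies) to the QDE repository.
function Publish-InternalizedPackage {
    param([Parameter(Mandatory)][string]$Id)
    New-Item -ItemType Directory -Force -Path $Staging | Out-Null
    choco download $Id --internalize `
        --source='https://community.chocolatey.org/api/v2/' `
        --output-directory="$Staging" --no-progress
    if ($LASTEXITCODE -ne 0) { throw "internalize of $Id failed" }
    Get-ChildItem -Path $Staging -Filter '*.nupkg' | ForEach-Object {
        choco push $_.FullName --source="$RepoUrl" --api-key="$ApiKey"
        if ($LASTEXITCODE -ne 0) { throw "push of $($_.Name) failed" }
    }
}

# --- On each endpoint (Internal and Remote patterns) ---

# Point the endpoint at the QDE repository only and disable the public community
# feed, so installs cannot silently fall back to an uncurated source.
function Set-InternalSourceOnly {
    choco source add --name="$RepoName" --source="$RepoUrl" --priority=1
    if ($LASTEXITCODE -ne 0) { throw 'adding the internal source failed' }
    choco source disable --name='chocolatey'
    if ($LASTEXITCODE -ne 0) { throw 'disabling the community source failed' }
}

# Verify the lock-down: exactly one enabled source remains and it is the internal one.
# 'choco source list -r' prints pipe-delimited fields: name|url|disabled|...
function Test-InternalSourceOnly {
    $enabled = choco source list -r | ForEach-Object {
        $f = $_ -split '\|'
        [pscustomobject]@{ Name = $f[0]; Url = $f[1]; Disabled = ($f[2] -eq 'True') }
    } | Where-Object { -not $_.Disabled }
    $enabled = @($enabled)
    return ($enabled.Count -eq 1 -and $enabled[0].Name -eq $RepoName)
}

# Package Synchronizer (licensed): generate packages for software that is already
# installed on the endpoint but not yet managed by Chocolatey, so it can be
# pushed to the internal repository and managed from there.
function Export-UnmanagedSoftware {
    choco sync --output-directory="$Staging\sync"
    if ($LASTEXITCODE -ne 0) { throw 'package sync failed' }
}

# --- Isolated pattern: no network source at all ---

# At the connected site, copy the internalized .nupkg files from $Staging onto the
# removable media; on the air-gapped endpoint, install from that folder as the only source.
function Install-FromMedia {
    param([Parameter(Mandatory)][string]$Id)
    choco install $Id --source="$Media" -y
    if ($LASTEXITCODE -ne 0) { throw "install of $Id from media failed" }
}

# Usage on a connected endpoint:
#   Set-InternalSourceOnly
#   if (-not (Test-InternalSourceOnly)) { throw 'endpoint still has a non-internal source enabled' }
```

Test-InternalSourceOnly is the check worth keeping in a configuration baseline: a re-enabled community source is the most common way an endpoint quietly drifts out of the curated-repository model that all three patterns depend on.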