How to Configure Chocolatey for Package Management on Windows Server 2012 R2
Chocolatey is the de facto package manager for Windows, providing a command-line interface for installing, updating, and removing software packages in a repeatable, scriptable, and auditable way. On Windows Server 2012 R2, Chocolatey works extremely well and is one of the most effective tools for automating software provisioning during server builds, CI/CD pipelines, and configuration management workflows. This guide covers the complete Chocolatey setup: installation, security configuration, creating a custom internal repository feed, automating system provisioning with package lists, and integrating Chocolatey with PowerShell DSC and automated deployment pipelines.
Prerequisites
- Windows Server 2012 R2 with administrator access
- PowerShell 4.0
- Outbound HTTPS access to chocolatey.org, or an internal NuGet feed mirror
- .NET Framework 4.5.2 (included with WS2012 R2)
Step 1: Install Chocolatey
The official Chocolatey installation script downloads and installs the Chocolatey CLI from chocolatey.org. Run this in an elevated PowerShell session:
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
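A more auditable variant of the one-liner above, as an added example that is not part of the original guide or of Chocolatey's own documentation: it saves the installer to disk, checks its Authenticode signature, and logs its hash before running it. The function name and the `$ExpectedSigner` default are assumptions; set the signer to the publisher name you have confirmed out of band.

```powershell
# Added example. Install-ChocolateyVerified and the $ExpectedSigner default are
# assumptions, not names taken from the Chocolatey project.
function Install-ChocolateyVerified {
    param(
        [string]$Url = 'https://community.chocolatey.org/install.ps1',
        [string]$ExpectedSigner = 'Chocolatey Software',
        [string]$ScriptPath = (Join-Path $env:TEMP 'chocolatey-install.ps1')
    )

    # Enable TLS 1.2 (3072), which .NET 4.5.x clients do not offer by default
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
    (New-Object System.Net.WebClient).DownloadFile($Url, $ScriptPath)

    # Refuse to run a script whose signature is missing, broken, or untrusted
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)'; not executing $ScriptPath"
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSigner*") {
        throw "Unexpected signer '$subject'; not executing $ScriptPath"
    }

    # Record exactly which script ran, for the build log
    $hash = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
    Write-Output "Running $ScriptPath signer='$subject' sha256=$hash"

    Set-ExecutionPolicy Bypass -Scope Process -Force
    & $ScriptPath
}

Install-ChocolateyVerified
```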
For air-gapped environments, download the Chocolatey nupkg file from a connected machine, transfer it to the server, and bootstrap from the local file:
# On air-gapped server, after copying chocolatey.x.y.z.nupkg to C:\Temp
# Load the ZIP support that PowerShell 4.0 does not load by default
Add-Type -AssemblyName System.IO.Compression.FileSystem
$env:ChocolateyInstall = "C:\ProgramData\chocolatey"
New-Item -ItemType Directory -Path $env:ChocolateyInstall -Force
$LocalNupkg = "C:\Temp\chocolatey.2.3.0.nupkg"
# A .nupkg is a ZIP archive, so it can be extracted directly
[System.IO.Compression.ZipFile]::ExtractToDirectory($LocalNupkg, "$env:ChocolateyInstall")
# Run the bootstrap script
& "$env:ChocolateyInstall\tools\chocolateyInstall.ps1"
Step 2: Verify Installation
choco --version
choco list
The version output should show 2.x.x or later. In Chocolatey 2.x, choco list reports only locally installed packages and the --local-only option has been removed. The local list will initially show only the chocolatey package itself. Chocolatey installs to C:\ProgramData\chocolatey and adds its bin directory to the system PATH.
Step 3: Configure Chocolatey Security Settings
For production environments, harden Chocolatey's default settings. Require explicit confirmation before package scripts run (useful if you want to audit packages before execution), enforce checksum verification, enable virus scanning where your Chocolatey edition supports it, and lock down the installation source (covered in Step 6):
# Require confirmation for script execution: allowGlobalConfirmation must be
# disabled, because enabling it auto-confirms every prompt (-y still confirms per command)
choco feature disable --name="allowGlobalConfirmation"
# Enable checksumming - verify package integrity
choco feature enable --name="checksumFiles"
# Suppress the warning shown when choco runs in a non-elevated shell
# (this feature is unrelated to telemetry)
choco feature disable --name="showNonElevatedWarnings"
# Configure timeout (default is 2700 seconds = 45 minutes)
choco config set --name="commandExecutionTimeoutSeconds" --value="3600"
# Configure cache location
choco config set --name="cacheLocation" --value="C:\ProgramData\chocolatey\cache"
Step 4: Install Core DevOps Packages
Chocolatey excels at installing the standard DevOps toolchain. Install common packages needed on a WS2012 R2 build or admin server:
# Core developer tools
choco install git -y --params '"/GitOnlyOnPath /NoShellIntegration"'
choco install 7zip -y
choco install notepadplusplus -y
# Runtime environments
choco install temurin17 -y
choco install nodejs-lts -y
choco install python -y
# Build and deployment tools
choco install nuget.commandline -y
choco install terraform -y
# Operations tools
choco install curl -y
choco install wget -y
choco install sysinternals -y
Install multiple packages in a single command to reduce install time:
choco install git 7zip notepadplusplus curl wget -y
Step 5: Create a Package Provisioning Script
Maintain a declarative packages.config file to define the software that should be on a server. This enables repeatable, version-pinned provisioning:
$PackagesConfig = @"
"@
New-Item -ItemType Directory -Path "C:\DevOps\Chocolatey" -Force
Set-Content -Path "C:\DevOps\Chocolatey\packages.config" -Value $PackagesConfig -Encoding UTF8
# Install all packages from the config file
choco install C:\DevOps\Chocolatey\packages.config -y --no-progress
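A pre-install check for the packages.config described in this step, as an added example that is not part of the original guide: it parses the file and refuses to install when an entry is unpinned, duplicated, or names a source outside an allow-list. The function name, the allow-list, and the sample XML are constructed for illustration; only the git version (2.45.2) and the paths appear on this page.

```powershell
# Constructed sample packages.config; only the git version comes from this page.
$SampleConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="git" version="2.45.2" />
  <package id="7zip" />
  <package id="temurin17" source="https://community.chocolatey.org/api/v2/" />
  <package id="git" version="2.45.2" />
</packages>
'@

function Test-ChocoPackagesConfig {
    param(
        [Parameter(Mandatory = $true)][string]$Xml,
        # Hypothetical allow-list of sources an entry may name explicitly
        [string[]]$AllowedSources = @('\\fileserver\ChocolateyPackages')
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never fetch external DTDs or entities
    $doc.LoadXml($Xml)

    $findings = @()
    $seen = @{}
    foreach ($pkg in $doc.SelectNodes('/packages/package')) {
        $id = $pkg.GetAttribute('id')
        if (-not $id) { $findings += 'entry without an id attribute'; continue }
        if (-not $pkg.GetAttribute('version')) {
            $findings += "$id : no version pin, installs whatever the feed serves as latest"
        }
        $src = $pkg.GetAttribute('source')
        if ($src -and ($AllowedSources -notcontains $src)) {
            $findings += "$id : source '$src' is not in the allow-list"
        }
        if ($seen.ContainsKey($id.ToLower())) { $findings += "$id : duplicate entry" }
        $seen[$id.ToLower()] = $true
    }
    return $findings
}

$problems = Test-ChocoPackagesConfig -Xml $SampleConfig
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Error 'packages.config failed validation; nothing was installed.'
} else {
    choco install C:\DevOps\Chocolatey\packages.config -y --no-progress
}
```

With the constructed sample, the check reports three findings (7zip and temurin17 unpinned, temurin17 pointing at the community feed, git listed twice) and skips the install.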
Step 6: Configure an Internal Chocolatey Source
For environments with restricted internet access or a requirement to vet packages before deployment, set up an internal NuGet feed using a file share or a NuGet server:
# Ensure the package folder on the file server exists
# (New-Item does not create the SMB share itself; the share must already exist)
New-Item -ItemType Directory -Path "\\fileserver\ChocolateyPackages" -Force
# Add the internal source to Chocolatey
choco source add --name="internal" --source="\\fileserver\ChocolateyPackages" --priority=1
# Remove the public community feed (for completely air-gapped setups)
# choco source disable --name="chocolatey"
# List configured sources
choco source list
To download a package with all its dependencies for offline use, use the download command on a connected machine (requires Chocolatey Business or the download workaround):
choco download git --output-directory="\\fileserver\ChocolateyPackages" --source="https://community.chocolatey.org/api/v2/"
Step 7: Automate Package Updates
Schedule automatic updates for installed packages to keep software current:
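$updateScript = @'
New-Item -ItemType Directory -Path "C:\Logs" -Force | Out-Null
$LogFile = "C:\Logs\ChocolateyUpdate_$(Get-Date -Format 'yyyyMMdd').log"
"Chocolatey update run: $(Get-Date)" | Out-File $LogFile -Append
choco upgrade all -y --no-progress 2>&1 | Out-File $LogFile -Append
"Update complete: $(Get-Date)" | Out-File $LogFile -Append
'@
# Save the script to a file: a multi-line script with embedded double quotes
# cannot be passed intact through -Command on the task's command line.
# Keep this directory writable by administrators only, since the task runs elevated.
$scriptPath = "C:\DevOps\Chocolatey\Update-Chocolatey.ps1"
Set-Content -Path $scriptPath -Value $updateScript -Encoding UTF8
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NonInteractive -NoProfile -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Saturday -At "04:00AM"
# Run as SYSTEM so the task does not depend on a logged-on user
Register-ScheduledTask -TaskName "ChocolateyAutoUpdate" -Action $action -Trigger $trigger -User "SYSTEM" -RunLevel Highest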
Step 8: Integrate Chocolatey with PowerShell DSC
Use the cChoco DSC module to manage Chocolatey packages declaratively:
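# Install the cChoco DSC module
# Load ZIP support (not loaded by default in PowerShell 4.0) and enable TLS 1.2 for the download
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
$modulePath = "$env:ProgramFiles\WindowsPowerShell\Modules\cChoco"
Invoke-WebRequest -Uri "https://www.powershellgallery.com/api/v2/package/cChoco" -OutFile "C:\Temp\cChoco.nupkg"
# A .nupkg is a ZIP archive; rename it so it can be extracted as one
Rename-Item "C:\Temp\cChoco.nupkg" "C:\Temp\cChoco.zip"
[System.IO.Compression.ZipFile]::ExtractToDirectory("C:\Temp\cChoco.zip", $modulePath)
Configuration ChocolateyPackages {
    Import-DscResource -ModuleName cChoco
    Node "localhost" {
        # Ensure Chocolatey itself is present before any package resource runs
        cChocoInstaller InstallChocolatey {
            InstallDir = "C:\ProgramData\chocolatey"
        }
        # Version-pinned package
        cChocoPackageInstaller InstallGit {
            Name = "git"
            Version = "2.45.2"
            DependsOn = "[cChocoInstaller]InstallChocolatey"
        }
        # Unpinned package: installs the latest version available in the source
        cChocoPackageInstaller InstallJava {
            Name = "temurin17"
            DependsOn = "[cChocoInstaller]InstallChocolatey"
        }
    }
}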
Step 9: Audit Installed Packages
# List all installed Chocolatey-managed packages with versions
# (--local-only was removed in Chocolatey 2.x, and --id-only would hide the versions)
choco list
# Export current package state to a config file (for replication)
choco export --output-file-path="C:\DevOps\Chocolatey\current-packages.config"
# Check for outdated packages
choco outdated
Summary
Chocolatey is now fully configured on Windows Server 2012 R2 as the primary package management system. The installation includes security hardening, an internal package source for air-gapped environments, a version-pinned packages.config for repeatable provisioning, a scheduled weekly update task, and DSC integration for infrastructure-as-code scenarios. Chocolatey dramatically reduces the time required to provision new servers and ensures that software installations are consistent, auditable, and scriptable across your entire Windows Server fleet.