Chocolatey w/ PsExec for Patch Management

This post covers through deploying Chocolatey to enterprise network devices. The idea is to have a solution for 3rd party product patching that's both free and incredibly efficient. To start you'll need domain admin privileges and just a couple minutes.

First, we'll need psexec installed on one machine within the domain. Download the package from here: and unzip to a location easy to reference. I tend to do C:\psexec since PowerShell starts at C:\WINDOWS\System32\ anyway. PsExec is a utility that allows you to execute scripts using UNC protocol methods. This helps us get choco running on all our machines easily. Once installed, you'll need a simple .txt output of computer names. To do this simply run the following within PowerShell:
$Computers = Get-ADComputer -Filter * | ForEach-Object {$_.Name} | Export-Csv computerList.txt

If we look at the following script for installing choco we see it's a simple bypass with a call to download and run the script using generic, but secure 443.
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString(''))

We'll need to run this command against our computer list to download and install the package manager. Open up cmd prompt and cd to your directory containing PsExec and run the following command:
psexec @C:_\computerList.txt -u Username -p Password PowerShell Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString(''))

We've now installed choco on all hostnames contained within our computerList.txt file. In order to patch these devices you'll need to utilize PsExec. You can choose to do this as a scheduled task to automate the process. To patch the list on hostnames open cmd prompt and go back into where PsExec.exe is located and run:
psexec @C:_\computerList.txt -u Username -p Password PowerShell Set-ExecutionPolicy Bypass choco upgrade all

You've now got a way to automate patching for all domain devices for 3rd party software. To see the full list of what's enabled by default take a look here:

Show Comments