(docs) Clarify how to manage backgroundServiceDisallowedOptions #1253
Conversation
Add a new "Common Configuration Options" section explaining how to manage the backgroundServiceDisallowedOptions setting for the Background Service. Provide guidance for three common tasks: unsetting the key, explicitly resetting it to the recommended default restricted options, and appending additional restricted options. Include PowerShell examples for each action and a note explaining that appending requires an existing value (i.e., get will return empty after an unset), so an explicit set is necessary in that case. This improves documentation clarity so administrators can safely revert or extend the restricted options used by the Background Service.
AdmiringWorm
requested review from
gep13 and
pauby
and removed request for
Copilot
| ### Common Configuration Options | ||
|
|
||
| <Callout type="info"> | ||
| While the different options above have been specified using their `--` prefix, only the name of each option should be specified when setting them through `choco config`. |
There was a problem hiding this comment.
There is context here I am missing? Apologies. Without that context, I don't understand this.
There was a problem hiding this comment.
The context is that the easiest/best way that were found to restrict configurable options where to use them without having a prefix. So for instance instead of --source it would end up just be source for the option that is stored.
There is already logic to prevent the options being specified using the -- before the name of the option.
| Normally there is no need to change the default options that are restricted through the Background Service, and the defaults will be sufficient for most. | ||
|
|
||
| If the default options had been overridden at one point, and there is a need to reset these to the default restricted options, this can be done in two different ways. | ||
| We recommend using the below explicit option. |
There was a problem hiding this comment.
| Normally there is no need to change the default options that are restricted through the Background Service, and the defaults will be sufficient for most. | |
| If the default options had been overridden at one point, and there is a need to reset these to the default restricted options, this can be done in two different ways. | |
| We recommend using the below explicit option. | |
| The default value for `backgroundServiceDisallowedOptions` will be sufficient for most organizational needs. | |
| If the configuration has been set, you can reset it to the default value in two different ways. **Note the option we recommend.** |
| choco config unset --name="'backgroundServiceDisallowedOptions'" | ||
| ``` | ||
|
|
||
| **Explicitly set the default restricted options (Recommended)** |
There was a problem hiding this comment.
Why is this the recommended way?
If we change the default values in future, we will have to change the docs to match. Would "unsetting" the configuration value not always reset it back to the current default values (when I say current, I mean whatever the default values for the version being used to run the config command is)?
There was a problem hiding this comment.
I marked this as the recommended way (I don't think it has ever been discussed) due to if someone calls choco config unset then if they in the future do choco config get, the value returned will be empty.
The default values will still be used, it just isn't surfaced to the user if it has been unset.
| choco config set --name="'backgroundServiceDisallowedOptions'" --value="'allowemptychecksum,allowemptychecksums,allow-empty-checksums,allowemptychecksumsecure,allowemptychecksumssecure,allow-empty-checksums-secure,applyargstodependencies,apply-args-to-dependencies,apply-install-arguments-to-dependencies,argsglobal,args-global,cache,cachelocation,cache-location,checksum,checksum64,checksumx64,dir,directory,downloadchecksum,download-checksum,downloadchecksumx64,download-checksum-x64,fromprograms,from-programs,fromprogramsandfeatures,from-programs-and-features,ia,ignorechecksum,ignore-checksum,ignorechecksums,ignore-checksums,ignore-pinned,installargs,install-args,installargsglobal,install-args-global,installarguments,install-arguments,install-arguments-sensitive,installdir,install-dir,installdirectory,install-directory,override,overrideargs,overridearguments,override-arguments,proxy,proxy-bypass-list,proxy-bypass-on-local,s,skipvirus,skip-virus,skipviruscheck,skip-virus-check,source,svc,trace,ua,uninstallargs,uninstallarguments,uninstall-arguments,uninstall-arguments-sensitive,use-system-powershell,viruspositivesmin,virus-positives-minimum'" | ||
| ``` | ||
|
|
||
| **Append new restricted options** |
There was a problem hiding this comment.
Is there precedent to using bold headings like this rather than H headings (ie. H3 / 4)?
There was a problem hiding this comment.
I mainly used bold headings in this PR to be consistent in this file.
The previous PR that I submitted I had also used bold items when there were headers. Mainly because I didn't really consider these headers, but just wanted to emphasize it a bit.
| To be able to add additional restricted options, for instance prohibit the use of the `--force` option, it is needed to include all of the existing restricted options including the options you wish to add to the list. | ||
|
|
||
| It is recommended to get the existing list of restricted options before attempting to set an updated list. | ||
| This can be achieved by using something similar to the below PowerShell example script. |
There was a problem hiding this comment.
| To be able to add additional restricted options, for instance prohibit the use of the `--force` option, it is needed to include all of the existing restricted options including the options you wish to add to the list. | |
| It is recommended to get the existing list of restricted options before attempting to set an updated list. | |
| This can be achieved by using something similar to the below PowerShell example script. | |
| To be able to add additional restricted options, for instance to prohibit the use of the `--force` option, it is needed to include _all_ the existing restricted options and then add the options you wish to. This can be achieved by using the below PowerShell example code. |
| ```powershell | ||
| $existingOptions = & choco config get --name="'backgroundServiceDisallowedOptions'" --limit-output | ||
| $updatedOptions = "$existingOptions,f,force" # Add the -f and --force to the existing restricted options variable. | ||
| choco config set --name="'backgroundServiceDisallowedOptions'" --value="'$updatedOptions'" | ||
| ``` | ||
|
|
||
| <Callout type="info"> | ||
| If the configuration value has previously been `unset`, appending the new options in the suggested approach above is not possible as `choco config get` will return the empty value. | ||
| Instead, you will need to be explicit as shown in the _Explicitly set the default restricted options_ example. | ||
| </Callout> |
There was a problem hiding this comment.
| ```powershell | |
| $existingOptions = & choco config get --name="'backgroundServiceDisallowedOptions'" --limit-output | |
| $updatedOptions = "$existingOptions,f,force" # Add the -f and --force to the existing restricted options variable. | |
| choco config set --name="'backgroundServiceDisallowedOptions'" --value="'$updatedOptions'" | |
| ``` | |
| <Callout type="info"> | |
| If the configuration value has previously been `unset`, appending the new options in the suggested approach above is not possible as `choco config get` will return the empty value. | |
| Instead, you will need to be explicit as shown in the _Explicitly set the default restricted options_ example. | |
| </Callout> | |
| <Callout type="info"> | |
| If the configuration value is empty, appending the new options using the code below will not work `choco config get` will return the empty value. | |
| Instead, you will need to be explicit as shown in the _Explicitly set the default restricted options_ example, above. | |
| </Callout> | |
| ```powershell | |
| $existingOptions = & choco config get --name="'backgroundServiceDisallowedOptions'" --limit-output | |
| $updatedOptions = "$existingOptions,f,force" # Add the -f and --force to the existing restricted options variable. | |
| choco config set --name="'backgroundServiceDisallowedOptions'" --value="'$updatedOptions'" |
There was a problem hiding this comment.
I think we should look at making this code work for either use case (i.e. if get returns nothing or returns something)?
There was a problem hiding this comment.
To have it work when get doesn't return anything, that would just be same same as the previous example that set all of the default options (and then append the new options).
2 participants
Description Of Changes
Motivation and Context
Testing
Change Types Made
Change Checklist
Related Issue
N/A