
SaltStack for Windows Patching: Master, Minions and Updates

— ny_wk

Patching Windows by hand across dozens of servers is tedious and error-prone. SaltStack automates it: define what you want once on a master, and every Windows minion applies it. Here's how Salt is configured and how it handles Windows updates.

The master-minion model

Salt uses a master (normally a Linux host) that publishes commands, and minions, the managed machines, Windows servers included, that run the Salt minion service and execute them. Configuration is refreshingly simple: the default master config works for most setups, and a minion only really needs to know where its master is.

On the master, config files live in /etc/salt and are named after their component: /etc/salt/master and /etc/salt/minion. Both also read drop-in files (master.d/*.conf and minion.d/*.conf), which is the cleaner place for local overrides. On a Windows minion the config lives at C:\ProgramData\Salt Project\Salt\conf\minion (C:\salt\conf\minion on releases before 3004).

Master configuration

By default the master listens on ports 4505 (the publisher, which pushes commands to minions) and 4506 (the request server, over which minions authenticate, fetch files and return results) on all interfaces (0.0.0.0). To bind it to a specific IP, set the interface directive in /etc/salt/master:

interface: 10.0.0.1

Restart the master after changing it. Make sure 4505/4506 are open inbound on the master from every minion; minions always initiate the connection, so nothing needs to be opened on the Windows side. Do not expose these ports to untrusted networks: anything that can reach 4506 can present a key and ask to be enrolled.

Minion configuration

On each Windows minion, install the Salt minion (the installer accepts /master= and /minion-name= switches, or edit the minion config afterwards) and point it at the master by setting master: to the master's IP or hostname. Set id: explicitly as well; it defaults to the hostname and is the name you will target from the master. Optionally pin the master with master_finger: (the fingerprint printed by salt-key -F master) so the minion refuses an impostor master. Start the minion service; it connects to 4506 and sends its public key for the master to accept.

Accept the minion key

On the master, list pending keys with salt-key -L and accept them (salt-key -a <id> for one minion, salt-key -A for all pending). Until accepted, the master won't command the minion; this is Salt's trust step, and it is the one place to be careful. Any host that can reach 4506 can submit a key under any id, so before accepting compare the fingerprint the master shows (salt-key -f <id>) with the one printed on the minion itself (salt-call --local key.finger), and prefer accepting by name over salt-key -A anywhere but a throwaway lab.
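Here is the whole bootstrap in one script, added here as an example and not taken from the post or from the Salt project: it writes the master's interface and node-group settings as a drop-in, notes the matching Windows minion settings, and accepts a pending key only when its fingerprint equals the one read on the minion console. The master IP 10.0.0.1, the minion ids win-web01/win-web02, the node-group names and the SALT_CONF_DIR override (so it can be dry-run outside /etc/salt) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: Salt master set-up plus fingerprint-checked key acceptance.
# Assumed values (not from the original post): master 10.0.0.1, minion ids
# win-web01/win-web02, node-group names, SALT_CONF_DIR as a stand-in for /etc/salt.
set -eu

SALT_CONF_DIR="${SALT_CONF_DIR:-/etc/salt}"

# 1. Master side. Drop-ins under master.d/*.conf are merged into the main
#    config, so the stock /etc/salt/master stays untouched. interface pins the
#    4505/4506 listeners; nodegroups give us named targets for patch waves.
write_master_config() {     # usage: write_master_config <bind-ip>
    local iface="$1"
    mkdir -p "$SALT_CONF_DIR/master.d"
    cat > "$SALT_CONF_DIR/master.d/patching.conf" <<EOF
interface: ${iface}
nodegroups:
  win-wave1: 'L@win-web01,win-web02'
  win-all: 'G@os:Windows'
EOF
}

# 2. Windows side, for reference. The installer takes the same two settings as
#    switches (pick the real installer file name for your release):
#      Salt-Minion-<version>-Py3-AMD64-Setup.exe /S /master=10.0.0.1 /minion-name=win-web01
#    which lands in C:\ProgramData\Salt Project\Salt\conf\minion as:
#      master: 10.0.0.1
#      id: win-web01
#    Optionally pin the master there too: master_finger: <output of salt-key -F master>

# 3. Key acceptance. `salt-key -f ID` prints a status header followed by
#    "ID:  <fingerprint>"; pull out the fingerprint for the id we asked about.
#    Exits non-zero if that id is not in the output at all.
parse_fingerprint() {       # usage: salt-key -f ID | parse_fingerprint ID
    local id="$1"
    awk -v want="${id}:" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# Accept the pending key only if its fingerprint equals the one the operator
# read on the minion itself (salt-call --local key.finger). On mismatch the key
# is rejected, so a host that merely reaches 4506 cannot enrol under that id.
accept_minion_key() {       # usage: accept_minion_key <id> <fingerprint-from-minion>
    local id="$1" expected="$2" observed
    observed="$(salt-key -f "$id" | parse_fingerprint "$id")"
    if [ "$observed" = "$expected" ]; then
        salt-key -y -a "$id"
    else
        echo "fingerprint mismatch for ${id}: master sees ${observed}, minion showed ${expected}" >&2
        salt-key -y -r "$id"
        return 1
    fi
}

# Typical run on the master (placeholders; nothing here runs until called):
#   write_master_config 10.0.0.1 && systemctl restart salt-master
#   salt-key -L                                # minion appears under "Unaccepted Keys"
#   accept_minion_key win-web01 aa:bb:cc:...   # fingerprint copied from the minion console
#   salt 'win-web01' test.ping
```

The fingerprint check is the part worth keeping even if you script nothing else: salt-key -A turns "can reach port 4506" into "is a trusted member of the fleet", and a rejected key is cheap to re-accept later if the mismatch turns out to be a typo.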

Patching Windows with Salt

Salt ships Windows-specific modules. The win_wua execution module (it replaced the older, deprecated win_update module) drives the Windows Update Agent on the minion, so updates come from whatever source that agent already uses, WSUS or Microsoft's servers. From the master you can:

  • List available updates on minions (win_wua.available), optionally filtered by category or severity.
  • Install all, or only security, updates across a group of Windows servers in one command (win_wua.install, or the wua.uptodate state for repeatable runs).
  • Target specific machines with Salt's targeting (by name, grain, node group or compound match) and throttle with --batch-size so you patch in waves, not all at once.

Because it's one command to many minions, a patch cycle that took hours of remoting becomes minutes. One caveat: win_wua installs but does not reboot by default, so finish each wave by asking which minions report a pending reboot (win_wua.get_needs_reboot) and restarting only those (system.reboot), again in batches.
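The wave itself, as an added example rather than anything from the post or the Salt project: a small state that installs only Security Updates, a function that applies it to one node group a batch at a time, and a pass that finds the minions reporting a pending reboot and restarts just those. The state path win/patch.sls under /srv/salt, the node-group names, the SALT_FILE_ROOT override and the assumption that --out=txt prints one "id: True" or "id: False" line per minion are this example's, not the page's.

```shell
#!/usr/bin/env bash
# Added example: staged Windows patching from the Salt master with win_wua.
# Assumed (not from the original post): file root /srv/salt (overridable via
# SALT_FILE_ROOT for dry runs), state name win.patch, node groups win-wave1/2.
set -eu

SALT_FILE_ROOT="${SALT_FILE_ROOT:-/srv/salt}"

# A state is repeatable, unlike an ad-hoc install command: wua.uptodate (the
# win_wua state module) installs whatever is missing in the listed categories
# and, by default, leaves the reboot to us.
write_patch_state() {
    mkdir -p "$SALT_FILE_ROOT/win"
    cat > "$SALT_FILE_ROOT/win/patch.sls" <<'EOF'
windows_security_updates:
  wua.uptodate:
    - categories:
      - Security Updates
EOF
}

# Preview what a wave would install before touching anything.
list_security_updates() {   # usage: list_security_updates <nodegroup>
    salt -N "$1" win_wua.available categories="['Security Updates']"
}

# Apply the state to one node group, at most $2 minions (a count or a percent)
# at a time, so a bad update or a slow WSUS never hits the whole group at once.
apply_patch_wave() {        # usage: apply_patch_wave <nodegroup> <batch>
    salt -N "$1" -b "$2" state.apply win.patch
}

# Turn `salt ... win_wua.get_needs_reboot --out=txt` output, assumed to be one
# "id: True" or "id: False" line per minion, into a comma-separated id list.
pending_reboot_hosts() {    # reads the txt output on stdin
    awk '$2 == "True" { sub(/:$/, "", $1); ids = ids (ids ? "," : "") $1 } END { print ids }'
}

# Reboot only the minions that asked for it, again throttled; timeout is the
# warning delay in minutes before the restart.
reboot_pending() {          # usage: reboot_pending <nodegroup> <batch>
    local hosts
    hosts="$(salt -N "$1" win_wua.get_needs_reboot --out=txt | pending_reboot_hosts)"
    [ -n "$hosts" ] || { echo "no pending reboots in $1"; return 0; }
    salt -L "$hosts" -b "$2" system.reboot timeout=1
}

# One complete wave (placeholders; run it on the master):
#   write_patch_state
#   list_security_updates win-wave1
#   apply_patch_wave   win-wave1 25%
#   reboot_pending     win-wave1 25%
#   salt -N win-wave1 test.ping      # confirm the wave came back, then repeat for win-wave2
```

The list-then-apply-then-reboot split is deliberate: you get a chance to read what win_wua.available reports before anything changes, and the reboot step touches only minions that Windows itself says need one.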

Key takeaways

  • Salt = a master commanding minions (Windows included); master config in /etc/salt, Windows minion config under C:\ProgramData\Salt Project\Salt\conf.
  • Master listens on 4505/4506; open those ports inbound on the master and bind with the interface directive.
  • Point each minion at the master, then verify the fingerprint and accept its key on the master with salt-key.
  • Use the win_wua module to list and install Windows patches across many minions at once, with targeting and batching for staged rollouts and a separate, deliberate reboot step.

Frequently asked questions

What ports does Salt need?

4505 (the publisher: master to minions) and 4506 (the request server: minion authentication, file requests and job returns), both on the master and reachable from every minion. Minions open the connections; the master never connects back.

How does the master trust a minion?

The minion sends its public key on first contact; you compare its fingerprint (salt-key -f on the master against salt-call --local key.finger on the minion) and accept it with salt-key. Only then can the master command it; an unaccepted or rejected key gets nothing.

Can Salt install only security updates?

Yes; win_wua filters by category (for example "Security Updates") and by severity (Critical, Important, and so on), so you can list and install selectively.

Can I patch servers in waves?

Yes; use Salt targeting (by name, grain, node group or compound match) to patch subsets, and --batch-size (for example -b 25%) to cap how many minions in a target run at once, so you don't reboot everything simultaneously.

Set the master IP, point the minions at it, accept the keys, and Windows patching turns into a single, targeted command across your whole fleet.