SaltStack on Windows: Not Always Smooth — But Still Worth It
Let’s be honest — managing Windows at scale can be painful. Scripts don’t run the same way twice, permissions break for no reason, and remote tools either do too much or not enough. SaltStack? It sits somewhere in the middle. Once it’s working, it really works.
What’s Going On Here?
Salt was born in Linux-land, sure. But it does have a Windows side — and surprisingly, it’s not a second-class citizen. The Windows minion runs fine, talks to the master like any other node, and understands PowerShell, registry tweaks, services, and all the usual Windows chaos.
It’s not plug-and-play, but it’s not rocket science either. Once the pieces connect, you get real remote control. You define what a machine should look like — and Salt tries to keep it there.
Who’s Actually Using It?
– Mid-sized orgs that didn’t want to go all-in on SCCM
– Admins juggling Linux and Windows together (without two toolsets)
– Teams tired of remoting into servers just to restart a service
– Setups where PowerShell is everywhere, but still not enough
And yeah — folks who already use Salt for Linux often extend it to Windows once they see it’s doable.
What It Can Handle
| Feature | How It Feels in Practice |
| Remote Execution | Run PowerShell or cmd commands — one host or 300 at once |
| State Management | Define config files, let Salt keep systems close to that |
| Built-in Windows Modules | Handles registry, services, users, software installs |
| Event System | Trigger stuff when things change (if you want) |
| Works With or Without Agent | Minion mode, or salt-ssh over WinRM — pick your poison |
| Cross-Platform Logic | Reuse logic for Linux and Windows, tweak when needed |
| Grains and Pillars | Group machines based on anything — version, role, tag |
| Easy to Script Around | Toss it into Jenkins or Git — it won’t complain |
What’s Needed to Get Moving
– A Salt Master (on Linux — Ubuntu or CentOS is fine)
– Windows machines (2012 R2 or newer works best)
– Salt Minion installed, or WinRM ready if you’re skipping agents
– Some network access (TCP 4505/4506 for agent mode)
– And maybe a bit of patience while you set things up the first time
Quick Way to Try It
1. Grab the Windows Minion installer from the Salt repo.
2. Install it silently or manually:
Start-Process “Salt-Minion-Setup.exe” -ArgumentList “/S /master=192.168.1.100”
3. On the master, accept the key:
salt-key -A
4. Run a test:
salt ‘winhost01’ test.ping
5. Apply something simple:
enable_telnet:
win_feature.installed:
– name: TelnetClient
salt ‘winhost01’ state.apply
From the People Who Use It
“Yeah, it took a couple tries to get the Minion to register, but now it just works.”
“We pushed Chocolatey packages to 80 Windows servers in one go — no issues.”
“Not the prettiest setup, but it saved us from writing 50 different scripts.”
Not a Silver Bullet, But Close Enough
Salt on Windows isn’t a full replacement for everything. It’s not going to magically make GPOs obsolete. But for tasks that keep coming back — local users, scheduled tasks, firewall tweaks — it’s solid.
If you’re already deep in PowerShell, Salt won’t replace it. It’ll just give you a better way to run it — predictably, across every box.
