SaltStack for Windows updates
Set up WSUS to automatically approve security patches (because it’s the right thing to do):
# Load the WSUS administration API and connect to the local WSUS server
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = Get-WsusServer
# Restrict the default auto-approval rule to critical and security updates, then enable it
$class = $wsus.GetUpdateClassifications() | Where-Object {$_.Title -in ('Critical Updates','Security Updates')}
$rule = $wsus.GetInstallApprovalRules() | Where-Object {$_.Name -eq "Default Automatic Approval Rule"}
$class_coll = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$class_coll.AddRange($class)
$rule.SetUpdateClassifications($class_coll)
$rule.Enabled = $True; $rule.Save()
# Client-side targeting: each client names its own computer group (TargetGroup in the registry)
$config = $wsus.GetConfiguration()
$config.TargetingMode = "Client"; $config.Save()
Configure clients via registry keys (assuming this cannot be pushed via Group Policy); this should not require a reboot:
init.sls:
{% if grains['os'] == 'RedHat' %}
include:
  - updates.linux
{% elif grains['os'] == 'Windows' %}
include:
  - updates.windows
{% endif %}
windows.sls:
# Legacy reg.present form: the last path component is the value name.
# Newer Salt releases take the key as name and use vname/vdata for the value name and data.
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer':
  reg.present:
    - value: 'http://wsus-srv:8530'
    - vtype: REG_SZ
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer':
  reg.present:
    - value: 'http://wsus-srv:8530'
    - vtype: REG_SZ
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroupEnabled':
  reg.present:
    - value: 1
    - vtype: REG_DWORD
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\TargetGroup':
  reg.present:
    - value: 'mytestgroup'
    - vtype: REG_SZ
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequencyEnabled':
  reg.present:
    - value: 1
    - vtype: REG_DWORD
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\DetectionFrequency':
  reg.present:
    - value: 16
    - vtype: REG_DWORD
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer':
  reg.present:
    - value: 1
    - vtype: REG_DWORD
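
To confirm on a client that the policy values match windows.sls, the following PowerShell check can be run locally. It is an added example, not part of the original post; the function name Test-WsusClientPolicy is hypothetical, and the expected values are copied from the state file.

```powershell
# Added example: compare a client's Windows Update policy values with windows.sls.
# Test-WsusClientPolicy is a hypothetical helper name; expected values are copied from the state.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$expected = @(
    @{ Path = $wu;      Name = 'WUServer';                  Value = 'http://wsus-srv:8530' }
    @{ Path = $wu;      Name = 'WUStatusServer';            Value = 'http://wsus-srv:8530' }
    @{ Path = $wu;      Name = 'TargetGroupEnabled';        Value = 1 }
    @{ Path = $wu;      Name = 'TargetGroup';               Value = 'mytestgroup' }
    @{ Path = "$wu\AU"; Name = 'DetectionFrequencyEnabled'; Value = 1 }
    @{ Path = "$wu\AU"; Name = 'DetectionFrequency';        Value = 16 }
    @{ Path = "$wu\AU"; Name = 'UseWUServer';               Value = 1 }
)

function Test-WsusClientPolicy {
    param([hashtable[]]$Expected)
    foreach ($e in $Expected) {
        # A missing key or value gives $null rather than a terminating error
        $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($e.Name) } else { $null }
        [pscustomobject]@{
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
            InSync   = ($null -ne $actual) -and ($actual -eq $e.Value)
        }
    }
}

$report = Test-WsusClientPolicy -Expected $expected
$report | Format-Table -AutoSize

# An http:// WSUS URL means client-to-server traffic is not protected by TLS
$report | Where-Object { $_.Name -like 'WU*Server' -and $_.Actual -like 'http://*' } |
    ForEach-Object { Write-Warning "$($_.Name) uses cleartext HTTP: $($_.Actual)" }

# Non-zero exit code on drift so a scheduler or Salt cmd.run can act on it
if ($report | Where-Object { -not $_.InSync }) { exit 1 }
```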