
@TTimo
Last active June 30, 2017 09:02
diff --git a/salt/cloud/clouds/ec2.py b/salt/cloud/clouds/ec2.py
index 2b2e258231..9a534d97d2 100644
--- a/salt/cloud/clouds/ec2.py
+++ b/salt/cloud/clouds/ec2.py
@@ -2224,6 +2224,9 @@ def wait_for_instance(
use_winrm = config.get_cloud_config_value(
'use_winrm', vm_, __opts__, default=False
)
+ winrm_verify_ssl = config.get_cloud_config_value(
+ 'winrm_verify_ssl', vm_, __opts__, default=True
+ )
if win_passwd and win_passwd == 'auto':
log.debug('Waiting for auto-generated Windows EC2 password')
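Review bot: The `winrm_verify_ssl` lookup and its `default=True` are written twice, here in `wait_for_instance` and again in `bootstrap` in salt/utils/cloud.py, with no comment saying what the option controls. Because turning it off removes the server identity check on a connection that carries the Windows password, I would add a comment above both lookups such as `# winrm_verify_ssl: False skips WinRM server certificate validation; keep True unless the host cert cannot be verified`. Both defaults should stay `True`, so that a missing profile key never disables validation. The body of `wait_for_instance` continues outside this hunk.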
@@ -2295,7 +2298,8 @@ def wait_for_instance(
winrm_port,
username,
win_passwd,
- timeout=ssh_connect_timeout):
+ timeout=ssh_connect_timeout,
+ verify=winrm_verify_ssl):
raise SaltCloudSystemExit(
'Failed to authenticate against remote windows host'
)
diff --git a/salt/utils/cloud.py b/salt/utils/cloud.py
index 0485a7476a..886dbcdd28 100644
--- a/salt/utils/cloud.py
+++ b/salt/utils/cloud.py
@@ -499,6 +499,9 @@ def bootstrap(vm_, opts):
deploy_kwargs['winrm_port'] = salt.config.get_cloud_config_value(
'winrm_port', vm_, opts, default=5986
)
+ deploy_kwargs['winrm_verify_ssl'] = salt.config.get_cloud_config_value(
+ 'winrm_verify_ssl', vm_, opts, default=True
+ )
# Store what was used to the deploy the VM
event_kwargs = copy.deepcopy(deploy_kwargs)
@@ -823,7 +826,7 @@ def wait_for_winexesvc(host, port, username, password, timeout=900):
)
-def wait_for_winrm(host, port, username, password, timeout=900):
+def wait_for_winrm(host, port, username, password, timeout=900, verify=True):
'''
Wait until WinRM connection can be established.
'''
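Review bot: The docstring of `wait_for_winrm` still reads only "Wait until WinRM connection can be established." and does not mention the new `verify` parameter. I would add a line such as `verify: when False, the server certificate is not validated (server_cert_validation='ignore'); defaults to True`. This tells a caller that passing `verify=False` gives up authentication of the remote endpoint. The function body continues outside this hunk.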
@@ -834,10 +837,13 @@ def wait_for_winrm(host, port, username, password, timeout=900):
)
)
trycount = 0
+ if not verify:
+ log.warn("SSL validation for WinRM disabled.")
while True:
trycount += 1
try:
- s = winrm.Session(host, auth=(username, password), transport='ssl')
+ s = winrm.Session(host, auth=(username, password), transport='ssl',
+ server_cert_validation=((verify and 'validate') or 'ignore'))
if hasattr(s.protocol, 'set_timeout'):
s.protocol.set_timeout(15)
log.trace('WinRM endpoint url: {0}'.format(s.url))
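Review bot: The warning added under `if not verify:` does not say which host is affected, and with validation off the username and password go to an endpoint whose identity is not checked, so this log line is the main audit trail. I would write it as `log.warning('SSL certificate validation disabled for WinRM host %s', host)`, which also avoids the deprecated `log.warn` alias. The `(verify and 'validate') or 'ignore'` expression reads more plainly as `'validate' if verify else 'ignore'`. The `hasattr(s.protocol, 'set_timeout')` check suggests more than one pywinrm version is supported, so it is worth confirming that the oldest of them accepts `server_cert_validation`. The `except` clause is outside this hunk, and a rejected keyword may simply be retried until the timeout.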
@@ -984,6 +990,7 @@ def deploy_windows(host,
master_sign_pub_file=None,
use_winrm=False,
winrm_port=5986,
+ winrm_verify_ssl=True,
**kwargs):
'''
Copy the install files to a remote Windows box, and execute them
@@ -1009,8 +1016,10 @@ def deploy_windows(host,
if HAS_WINRM and use_winrm:
winrm_session = wait_for_winrm(host=host, port=winrm_port,
- username=username, password=password,
- timeout=port_timeout * 60)
+ username=username, password=password,
+ timeout=port_timeout * 60,
+ verify=winrm_verify_ssl
+ )
if winrm_session is not None:
service_available = True
else: