# Enterprise Deployment This guide provides instructions for deploying the [Windows Server](/4yItIzMvkpAvMVFAamTf/integrations/integrations/windows.md) integration at scale in an enterprise environment using Team API Keys for enhanced security and automated deployment workflows. > **Important**: API keys are encrypted using the Windows Data Protection API and **cannot** be set directly in configuration files. This guide shows proper methods for enterprise API key deployment. ### Example Deployment Workflow For enterprise deployments, Veza recommends one of these workflows: **Option A: MSI with APIKEY Parameter (Recommended)** ```powershell # Single command deployment with API key encryption during installation msiexec /i Veza.msi /qn CONFIG="\\deployment-share\Veza\Veza.config" APIKEY="" ``` **Option B: Two-Step Deployment** 1. Deploy the MSI to target machines using your preferred orchestration tool (SCCM, PDQ Deploy, etc.) 2. Deploy a standardized configuration file (without API key) 3. Execute a script to securely store the Veza API key: ```powershell # Store API key (this encrypts the key using Windows Data Protection API) Start-Process -FilePath "C:\Program Files\Veza\VezaWindowsTray.exe" -ArgumentList "--api_key=" -NoNewWindow -Wait ``` Both approaches encrypt API keys using `LocalMachine` credentials via the Windows Data Protection API. ### Automated Deployment with Team API Keys [Team API Keys](/4yItIzMvkpAvMVFAamTf/developers/api/users-teams/team-api-keys.md) have a narrower scope than standard API keys and can be used to push Windows Server metadata to the Veza platform while limiting the access granted to the deployed keys. #### Create Providers Team API Keys do not allow for creating new Integration Providers on the Veza platform. To ensure that Windows servers can push metadata once configured, create the required providers on the Veza platform before deploying the application. Execute the following commands with a [Personal API Key](/4yItIzMvkpAvMVFAamTf/developers/api/authentication.md) to ensure the providers are created. ```powershell # Set Veza tenant URL and API key $vezaUrl = "https://.vezacloud.com" $vezaAPIKey = "your-personal-api-key" $body = @{ "name"="Windows Server" "custom_template"="application" } | ConvertTo-Json $header = @{ "Accept"="application/json" "Authorization"="Bearer $vezaAPIKey" "Content-Type"="application/json" } Invoke-RestMethod -Uri "https://$vezaUrl/api/v1/providers/custom" -Method 'Post' -Body $body -Headers $header $body = @{ "name"="Windows Files" "custom_template"="application" } | ConvertTo-Json Invoke-RestMethod -Uri "https://$vezaUrl/api/v1/providers/custom" -Method 'Post' -Body $body -Headers $header ``` This script creates two custom providers in your Veza tenant: "Windows Server" for local account metadata and "Windows Files" for file share permissions. These providers must exist before Team API Keys can be used to push data to them. #### Create Team With the Providers created, create a new [Team](/4yItIzMvkpAvMVFAamTf/administration/administration/users/teams.md) in Veza that is scoped to only the Windows Server and Windows Files providers. 1. Click **Administration** in the left-hand navigation pane. 2. Click **Team Managment** in the tab list in the main pane. 3. Click **Add Team**. 4. Provide a Name and Description for the new Team. 5. In The **Select Providers** dropdown, check both `Windows Server` and `Windows Files` 6. Click **Create Team**. 7. In the **Team Management** view, click the name of the newly-created Team and record the Team ID at the end of the url (ex: `https://example.vezacloud.com/app/teams/613df02b-9a40-4331-947c-5c327b54b228`). #### Create Team API Keys Team API Keys can be generated programmatically, allowing for flexible deployment options.\ A single Team API key can be shared to all deployed Windows Servers, or a unique key can be generated for each installation. To generate a [Team API Key](/4yItIzMvkpAvMVFAamTf/developers/api/users-teams/team-api-keys.md) for Windows Server, construct a POST request to `https://.vezacloud.com/api/preview/teamkeys` with the following payload: ```json { "team_id": "", "name": "" } ``` Example: ```json { "team_id": "613df02b-9a40-4331-947c-5c327b54b228", "name": "server01.example.com" } ``` The response body will include the generated API key: ```json { "value": { "id": "01968c1b-85b7-71eb-8876-843ef2463a8e", "access_key": "k1TzyiA…NiBuwP0Wzw", "name": "server01.example.com", "created_at": "2025-01-01T15:35:58.647121782Z", "last_access_at": "2025-01-01T15:35:58.647121782Z", "status": "ACTIVE", "team_id": "613df02b-9a40-4331-947c-5c327b54b228", "team_name": "" } } ``` Record the `access_key` value for use with the Veza for Windows integration. Using Powershell to create and print a Team API key: ```powershell # Set Veza tenant URL and API key $vezaUrl = "https://.vezacloud.com" $vezaAPIKey = "your-personal-api-key" # Set the Team ID from the previous step $teamId = "your-team-id" $body = @{ "team_id"=$teamId "name"="server01.example.com" } | ConvertTo-Json $header = @{ "Accept"="application/json" "Authorization"="Bearer $vezaAPIKey" "Content-Type"="application/json" } $resp = Invoke-RestMethod -Uri "https://$vezaUrl/api/preview/teamkeys" -Method 'Post' -Body $body -Headers $header $resp.value.access_key ``` This script generates a Team API Key and prints its value to the console. The key is associated with the specified team ID and given a name (typically the server name) for tracking and management purposes. ### Install with Per-Machine Team API Keys An example installation Powershell script that generates a unique Team API Key per installation and employs a shared configuration file follows: 1. Detect the server's fully qualified domain name (FQDN) 2. Create a unique Team API Key named after the server 3. Install the Veza application silently with a shared configuration file and the newly-generated API key Follow the steps in the **Create Providers** and **Create Team** sections before deploying an install script that follows this pattern. ```powershell $vezaUrl="https://.vezacloud.com" $vezaAPIKey="" $teamId="" $fqdn=(Get-WmiObject win32_computersystem).DNSHostName+"."+(Get-WmiObject win32_computersystem).Domain $vezaRequestHeader = @{ "Accept"="application/json" "Authorization"="Bearer $vezaAPIKey" "Content-Type"="application/json" } $keyRequestBody = @{ "team_id"=$teamId "name"=$fqdn } | ConvertTo-Json $keyResponse = Invoke-RestMethod -Uri "$vezaUrl/api/preview/teamkeys" -Method 'Post' -Body $keyRequestBody -Headers $vezaRequestHeader $apiKey = $keyResponse.value.access_key msiexec /i Veza.msi /qn CONFIG="\\deployment-share\Veza\Veza.config" APIKEY=$apiKey ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/windows/enterprise-deployment.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.