Enterprise Deployment

Deploying the Windows Server integration using Team API Keys and secure automation scripts.

This guide provides instructions for deploying the Windows Server integration at scale in an enterprise environment using Team API Keys for enhanced security and automated deployment workflows.

Important: API keys are encrypted using the Windows Data Protection API and cannot be set directly in configuration files. This guide shows proper methods for enterprise API key deployment.

Example Deployment Workflow

For enterprise deployments, Veza recommends one of these workflows:

Option A: MSI with APIKEY Parameter (Recommended)

    # Single command deployment with API key encryption during installation
    msiexec /i Veza.msi /qn CONFIG="\\deployment-share\Veza\Veza.config" APIKEY="<team_api_key>"

Option B: Two-Step Deployment

  1. Deploy the MSI to target machines using your preferred orchestration tool (SCCM, PDQ Deploy, etc.)

  2. Deploy a standardized configuration file (without API key)

  3. Execute a script to securely store the Veza API key:

         # Store API key (this encrypts the key using Windows Data Protection API)
         Start-Process -FilePath "C:\Program Files\Veza\VezaWindowsTray.exe" -ArgumentList "--api_key=<team_api_key>" -NoNewWindow -Wait

Both approaches encrypt API keys using LocalMachine credentials via the Windows Data Protection API.

Automated Deployment with Team API Keys

Team API Keys have a narrower scope than standard API keys and can be used to push Windows Server metadata to the Veza platform while limiting the access granted to the deployed keys.

Create Providers

Team API Keys do not allow for creating new Integration Providers on the Veza platform. To ensure that Windows servers can push metadata once configured, create the required providers on the Veza platform before deploying the application.

Execute the following commands with a Personal API Key to ensure the providers are created.

    # Set Veza tenant URL and API key
    $vezaUrl = "https://<yourtenant>.vezacloud.com"
    $vezaAPIKey = "your-personal-api-key"

    # Provider for local account metadata
    $body = @{
     "name"="Windows Server"
     "custom_template"="application"
    } | ConvertTo-Json
    $header = @{
     "Accept"="application/json"
     "Authorization"="Bearer $vezaAPIKey"
     "Content-Type"="application/json"
    }
    # $vezaUrl already carries the https:// scheme, so it is not repeated in the URI
    Invoke-RestMethod -Uri "$vezaUrl/api/v1/providers/custom" -Method 'Post' -Body $body -Headers $header

    # Provider for file share permissions
    $body = @{
     "name"="Windows Files"
     "custom_template"="application"
    } | ConvertTo-Json
    Invoke-RestMethod -Uri "$vezaUrl/api/v1/providers/custom" -Method 'Post' -Body $body -Headers $header

This script creates two custom providers in your Veza tenant: "Windows Server" for local account metadata and "Windows Files" for file share permissions. These providers must exist before Team API Keys can be used to push data to them.

Create Team

With the Providers created, create a new Team in Veza that is scoped to only the Windows Server and Windows Files providers.

  1. Click Administration in the left-hand navigation pane.

  2. Click Team Management in the tab list in the main pane.

  3. Click Add Team.

  4. Provide a Name and Description for the new Team.

  5. In the Select Providers dropdown, check both Windows Server and Windows Files.

  6. Click Create Team.

  7. In the Team Management view, click the name of the newly-created Team and record the Team ID at the end of the URL (ex: https://example.vezacloud.com/app/teams/613df02b-9a40-4331-947c-5c327b54b228).

Create Team API Keys

Team API Keys can be generated programmatically, allowing for flexible deployment options. A single Team API key can be shared to all deployed Windows Servers, or a unique key can be generated for each installation.

To generate a Team API Key for Windows Server, construct a POST request to https://<tenant>.vezacloud.com/api/preview/teamkeys with the following payload:

    {
        "team_id": "<team_id>",
        "name": "<key_name>"
    }

Example:

    {
     "team_id": "613df02b-9a40-4331-947c-5c327b54b228",
     "name": "server01.example.com"
    }

The response body will include the generated API key:

    {
     "value": {
         "id": "01968c1b-85b7-71eb-8876-843ef2463a8e",
         "access_key": "k1TzyiA…NiBuwP0Wzw",
         "name": "server01.example.com",
         "created_at": "2025-01-01T15:35:58.647121782Z",
         "last_access_at": "2025-01-01T15:35:58.647121782Z",
         "status": "ACTIVE",
         "team_id": "613df02b-9a40-4331-947c-5c327b54b228",
         "team_name": ""
     }
    }

Record the access_key value for use with the Veza for Windows integration.

Using PowerShell to create and print a Team API key:

    # Set Veza tenant URL and API key
    $vezaUrl = "https://<yourtenant>.vezacloud.com"
    $vezaAPIKey = "your-personal-api-key"

    # Set the Team ID from the previous step
    $teamId = "your-team-id"

    $body = @{
     "team_id"=$teamId
     "name"="server01.example.com"
    } | ConvertTo-Json
    $header = @{
     "Accept"="application/json"
     "Authorization"="Bearer $vezaAPIKey"
     "Content-Type"="application/json"
    }
    # $vezaUrl already carries the https:// scheme, so it is not repeated in the URI
    $resp = Invoke-RestMethod -Uri "$vezaUrl/api/preview/teamkeys" -Method 'Post' -Body $body -Headers $header
    # Print the access_key of the newly created Team API Key
    $resp.value.access_key

This script generates a Team API Key and prints its value to the console. The key is associated with the specified team ID and given a name (typically the server name) for tracking and management purposes.

Install with Per-Machine Team API Keys

An example installation PowerShell script that generates a unique Team API Key per installation and employs a shared configuration file follows. The script will:

  1. Detect the server's fully qualified domain name (FQDN)

  2. Create a unique Team API Key named after the server

  3. Install the Veza application silently with a shared configuration file and the newly-generated API key

Follow the steps in the Create Providers and Create Team sections before deploying an install script that follows this pattern.

    $vezaUrl="https://<yourtenant>.vezacloud.com"
    $vezaAPIKey="<veza-personal-api-key>"
    $teamId="<veza-team-id>"

    # 1. Build the FQDN from the host name and its domain
    $fqdn=(Get-WmiObject win32_computersystem).DNSHostName+"."+(Get-WmiObject win32_computersystem).Domain

    $vezaRequestHeader = @{
      "Accept"="application/json"
      "Authorization"="Bearer $vezaAPIKey"
      "Content-Type"="application/json"
    }

    # 2. Request a Team API Key named after this server
    $keyRequestBody = @{
      "team_id"=$teamId
      "name"=$fqdn
    } | ConvertTo-Json

    $keyResponse = Invoke-RestMethod -Uri "$vezaUrl/api/preview/teamkeys" -Method 'Post' -Body $keyRequestBody -Headers $vezaRequestHeader
    $apiKey = $keyResponse.value.access_key

    # 3. Silent install with the shared configuration file; the installer encrypts APIKEY with DPAPI
    msiexec /i Veza.msi /qn CONFIG="\\deployment-share\Veza\Veza.config" APIKEY=$apiKey
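The script below is an added example, not a script from Veza or from this guide. It is a hardened variant of the per-machine pattern above: the personal API key used to mint Team keys is read from an environment variable set by the orchestration job (VEZA_PERSONAL_API_KEY is an assumed name) instead of being hard-coded in a file on the deployment share; the tenant URL and the MSI and CONFIG paths are checked before any request is made; the teamkeys response is verified; msiexec is run synchronously and its exit code checked; and verbose MSI logging is deliberately left off on the command that carries the key, because a verbose MSI log records property values. The endpoint, payload and response fields are the ones documented above; the parameter names and checks are this example's own.

```powershell
# Added example, not a Veza script: hardened per-machine deployment.
# Run from the orchestration tool as an administrator on each target server.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $VezaUrl,     # e.g. https://<yourtenant>.vezacloud.com
    [Parameter(Mandatory)] [string] $TeamId,      # Team ID recorded in the Create Team step
    [Parameter(Mandatory)] [string] $MsiPath,     # absolute path to Veza.msi
    [Parameter(Mandatory)] [string] $ConfigPath   # absolute path to the shared Veza.config (no API key inside)
)
$ErrorActionPreference = 'Stop'

# ASSUMPTION: the orchestration job exposes the personal API key as VEZA_PERSONAL_API_KEY,
# so it is never hard-coded in a script that lives on the deployment share.
$personalKey = $env:VEZA_PERSONAL_API_KEY
if ([string]::IsNullOrWhiteSpace($personalKey)) { throw 'VEZA_PERSONAL_API_KEY is not set; refusing to continue.' }

# Fail early on malformed input: tenant URL shape, and absolute paths that exist
# (the troubleshooting section notes that msiexec cannot resolve a relative CONFIG path).
if ($VezaUrl -notmatch '^https://[a-z0-9-]+\.vezacloud\.com$') { throw "Unexpected Veza URL format: $VezaUrl" }
foreach ($p in @($MsiPath, $ConfigPath)) {
    if (-not [System.IO.Path]::IsPathRooted($p) -or -not (Test-Path -LiteralPath $p -PathType Leaf)) {
        throw "Path must be absolute and exist: $p"
    }
}

# FQDN via CIM (Get-CimInstance replaces the deprecated Get-WmiObject; available on Server 2012 R2+).
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$fqdn = "$($cs.DNSHostName).$($cs.Domain)"

# Mint one Team API Key named after this host (POST /api/preview/teamkeys, as documented above).
$headers = @{ 'Accept' = 'application/json'; 'Authorization' = "Bearer $personalKey"; 'Content-Type' = 'application/json' }
$body    = @{ team_id = $TeamId; name = $fqdn } | ConvertTo-Json
try {
    $resp = Invoke-RestMethod -Uri "$VezaUrl/api/preview/teamkeys" -Method Post -Headers $headers -Body $body
} catch {
    # Report the failure without echoing $headers or $body, so the personal key never reaches a log.
    throw "Team API Key request for $fqdn failed: $($_.Exception.Message)"
}
$apiKey = $resp.value.access_key
if ([string]::IsNullOrWhiteSpace($apiKey) -or $resp.value.status -ne 'ACTIVE') {
    throw "Response did not contain an ACTIVE access_key for $fqdn"
}

# Install synchronously and check the exit code (0 = success, 3010 = success, reboot required).
# The key is passed via APIKEY so the installer encrypts it with DPAPI; it is never written to
# Veza.config in clear text. Verbose MSI logging (/l*v) records property values, so it is left
# off on this command to keep the key out of install.log.
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', "CONFIG=`"$ConfigPath`"", "APIKEY=`"$apiKey`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
switch ($proc.ExitCode) {
    0       { Write-Output "Veza installed on $fqdn with Team API Key id $($resp.value.id)" }
    3010    { Write-Output "Veza installed on $fqdn; reboot required to complete (exit 3010)" }
    default { throw "msiexec exited with $($proc.ExitCode) on $fqdn" }
}
# The key id (not the secret) is what to record for later replacement in the tenant.
Remove-Variable apiKey, personalKey, headers, body
```

Invoke it from the deployment job as `.\Install-Veza.ps1 -VezaUrl https://<yourtenant>.vezacloud.com -TeamId <veza-team-id> -MsiPath \\deployment-share\Veza\Veza.msi -ConfigPath \\deployment-share\Veza\Veza.config` with VEZA_PERSONAL_API_KEY set in the job's environment. The id printed on success identifies the per-server key in the tenant, which is what you need when a key has to be deleted and replaced.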

Windows Server

Deployment Guide for Veza Windows Server Integration

Overview

The Veza integration for Windows Server comprises an OAA package and a collection of .NET 8.0 applications. These tools discover metadata from a Windows Server host and forward it to a Veza instance. The application package comes as an MSI installer for deployment on Windows Server.

For automated deployment at scale with per-machine unique Team API Keys, see the Enterprise Deployment guide.

Components

The Veza Windows OAA application includes:

  1. A service that discovers local groups, user accounts, services, and scheduled tasks within the Windows Server OS.

  2. A service to detect Active Directory filesystem permissions on SMB file shares.

  3. A GUI application for configuring discovery services and setting up the Veza connection.

Prerequisites

  • Windows Server 2012 R2 or newer

  • .NET 8.0 Runtime (included in the installer)

  • You will need the installation program from Veza, available here

Deployment Specifications

System Requirements

Resource | Requirement | Notes
Memory | < 50MB RAM | During normal operation
Disk Space | ~300MB | For application installation
Additional Disk Space | Varies | Up to 1GB for logs when using Debug level
Network | Outbound HTTPS (443) | To Veza tenant
Permissions | Local Administrator | Required for installation and operation

Performance Impact

The Veza Windows integration is engineered to operate with minimal resource utilization across enterprise environments:

  • CPU Utilization: Typically insignificant during standard metadata collection operations

  • Memory Consumption: <50MB RAM during normal operational cycles

  • Network Bandwidth: Optimized data transmission with lightweight payloads transmitted at configurable intervals (default: 60 minutes)

  • Storage I/O: Negligible impact on storage subsystems outside of scheduled log maintenance or diagnostic activities

Operational Schedule

  • By default, the application collects and sends metadata to Veza every 60 minutes

  • This interval can be configured between 1 hour and 1 day to suit your organizational requirements by modifying the configuration file or in the application settings.

  • For file share discovery, a minimum interval of 120 minutes is recommended

GUI Configuration:

  1. Open Veza for Windows from the Start menu

  2. Go to the Local Accounts tab and modify the Discovery Interval (minutes) field (minimum 60 minutes) to change the local accounts discovery interval.

  3. For file share intervals, go to the Folders tab and modify the Discovery Interval (minutes) field (minimum 120 minutes)

  4. Click Apply.

Configuration File:

To manage these settings in the configuration file at C:\Program Files\Veza\Veza.config:

  1. Set windows_local_accounts-interval for local accounts discovery interval (recommended minimum 60 minutes)

  2. Set windows_files-interval for file share discovery interval (recommended minimum 120 minutes)

  3. Both values should be specified in minutes as quoted integers (e.g., "120"). See the configuration parameters table for complete details.

Log Management

  • The application stores 14 days of logging information

  • Logs are automatically purged as they age out

  • At the standard Info level, log storage is negligible

  • At Debug level, logs may consume up to 1GB of disk space

  • Log locations:

    • C:\Program Files\Veza\Local Accounts\logs\VezaWindows.log

    • C:\Program Files\Veza\Folders\logs\VezaFiles.log

Installation

Deployment Options

The Veza Windows integration supports both manual and automated deployment methods:

Manual Installation

Run the Veza.msi installation program and follow the on-screen prompts. By default, the application installs in C:\Program Files\Veza.

Silent Installation (for automated deployment)

The MSI package supports standard silent installation parameters for enterprise deployment:

    # Basic silent install
    msiexec /i Veza.msi /qn

    # Install with specific log file
    msiexec /i Veza.msi /qn /l*v install.log

    # Install to custom directory
    msiexec /i Veza.msi /qn INSTALLDIR="D:\Applications\Veza"

    # Install with an existing configuration file
    msiexec /i Veza.msi /qn CONFIG="\\deployment-share\Veza\Veza.config"

    # Install with an existing API key (recommended for automated deployment)
    msiexec /i Veza.msi /qn APIKEY="<api_key>"

    # Install with existing configuration file and API key
    msiexec /i Veza.msi /qn CONFIG="\\deployment-share\Veza\Veza.config" APIKEY="<api_key>"

Important: API keys are encrypted using the Windows Data Protection API and cannot be set directly in configuration files.

API Key Deployment Methods

Method 1: MSI Installation with APIKEY Parameter (Recommended)

This method encrypts the API key during installation:

    msiexec /i Veza.msi /qn CONFIG="\\deployment-share\Veza\Veza.config" APIKEY="<api_key>"

Method 2: Post-Installation API Key Configuration

If you cannot include the API key in the MSI command:

    # Install without API key (use full path for CONFIG)
    msiexec /i Veza.msi /qn CONFIG="C:\path\to\Veza.config" /l*v install.log

    # Configure API key post-installation
    Start-Process -FilePath "C:\Program Files\Veza\VezaWindowsTray.exe" -ArgumentList "--api_key=<api_key>" -NoNewWindow -Wait

Example Configuration File

Below is a standard configuration template that can be customized for your environment:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <configSections>
        <section name="PathConfigurationSection" type="Veza.Integrations.PathConfigurationDataSection, PathConfiguration, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      </configSections>
      <PathConfigurationSection>
        <PathConfigurations>
          <clear />
          <add path="\\fileserver01.example.com\Finance" depth="1" />
          <add path="\\fileserver02.example.com\Human Resources\Benefits" depth="1" />
        </PathConfigurations>
      </PathConfigurationSection>
      <appSettings>
        <!-- Local Account Collection Settings -->
        <add key="windows_local_accounts-enabled" value="true" />
        <add key="windows_local_accounts-interval" value="60" />
        <add key="windows_local_accounts-services_enabled" value="true" />
        <add key="windows_local_accounts-tasks_enabled" value="true" />
        <add key="windows_local_accounts-save_json" value="false" />

        <!-- Veza API Connection Settings -->
        <!-- WARNING: Do not set veza-api_key here - use MSI APIKEY parameter or post-install command -->
        <add key="veza-url" value="https://YOUR_TENANT.vezacloud.com" />
        <add key="veza-insight_point_proxy" value="http://INSIGHT_POINT_IP:8080" />
        <add key="veza-loglevel" value="Info" />

        <!-- File Share Discovery Settings -->
        <add key="windows_files-enabled" value="true" />
        <add key="windows_files-interval" value="120" />
        <add key="windows_files-threads" value="1" />
        <add key="windows_files-save_json" value="false" />
      </appSettings>
    </configuration>

Required configuration parameters are listed and described in the table below:

Configuration Parameter | Description | Notes
windows_local_accounts-enabled | Enables the discovery of local accounts, services, and scheduled tasks | "true" or "false"
windows_local_accounts-interval | The execution interval in minutes for local accounts discovery | Set to an integer greater than 60 in quotes
windows_local_accounts-services_enabled | Include local service metadata in Veza | "true" or "false"
windows_local_accounts-tasks_enabled | Include Scheduled Tasks metadata in Veza | "true" or "false"
windows_local_accounts-save_json | Save the payload uploaded to Veza to disk into <INSTALL_DIRECTORY>\Local Accounts\ | "true" or "false"
veza-api_key | The encrypted API key used to communicate with the Veza tenant | Populated by MSI APIKEY parameter or post-install command
veza-insight_point_proxy | The URL of the local Insight Point for proxying outbound connections to Veza | See Insight Point documentation for configuration information
veza-url | The URL of the Veza tenant | Veza tenant URL
veza-loglevel | Sets the verbosity of the logs for the Veza service | "Info" or "Debug"
windows_files-enabled | Enables the discovery of Windows File Server folders and permissions | "true" or "false"
windows_files-interval | The execution interval in minutes for Windows File Server discovery | Set to an integer greater than 120 in quotes
windows_files-threads | The number of simultaneous threads used during Windows File Server discovery | Set to "1" unless instructed to change by Veza support
windows_files-save_json | Save the payload uploaded to Veza to disk into <INSTALL_DIRECTORY>\Folders\ | "true" or "false"

GUI Configuration (manual deployment)

Post-installation, open Veza for Windows from the Start menu.

  1. Under the Veza API tab, input your Veza instance URL into Veza URL.

  2. Paste the previously created API key into Veza API Key.

  3. Optionally provide the URL for the Insight Point Proxy.

  4. Click Save to apply changes.

To verify the successful connection, log in to Veza and open the Integrations page. You should see Windows Server enabled on the list of all integrations.

Note: The installed service needs to run with Administrative privileges.

Security Considerations

API Key Management

The Veza Windows integration uses an API key to authenticate with the Veza tenant. Important security considerations include:

  • Key Generation: API keys are issued from the Veza tenant by users with administrative access

  • Key Deployment Options:

    • Deploy a unique key per server for the highest security

    • Deploy a shared key across all servers for simplified management

    • Deploy keys by department or region for balanced security and management

  • Key Storage:

    • The API key is encrypted using Windows Data Protection API

    • Stored in the configuration file at C:\Program Files\Veza\Veza.config

  • Key Rotation:

    • Keys are not automatically rotated

    • Keys can be manually deleted and replaced with new ones via the Veza tenant

  • Key Compromise:

    • A compromised key would grant access to the endpoints listed in Veza APIs

    • Immediately delete and replace any compromised keys

See Authentication for more about Veza API keys.

Network Security

The Veza Windows integration requires:

  • Outbound HTTPS (443) access to the Veza tenant or Insight Point

  • All data is transmitted using TLS 1.2 or higher

No inbound connectivity is required.

Update Management

The Veza for Windows application follows a separate release cadence from the Veza platform:

  • Updates are released only for bug fixes, security bulletins, and feature enhancements

  • Updates are manually deployed via new MSI packages published by Veza

  • No automatic updates are performed

  • Update notifications are sent to tenant administrators

To update existing installations:

  1. Download the latest MSI from Veza

  2. Deploy using the same methods as the initial installation

  3. The installation program will automatically upgrade the existing installation

Configuration settings are preserved during upgrades.

Standard Functionality

Windows Local Accounts

This service identifies local security principals on the Windows Server host. By default, it detects:

  1. Local user accounts

  2. Local groups

  3. (Optional) Installed services

  4. (Optional) Configured scheduled tasks

Properties

User Properties | Description
home_directory | User home directory path
last_login_at | Time of user last login
cannot_change_password | Indicates if the user's password can't be changed (boolean)
locked_out | Shows if the user account is locked out (boolean)
password_never_expires | Checks if the user's password is set to never expire (boolean)
password_not_required | Checks if the user doesn't need a password (boolean)
type* | Differentiates between local or active directory user accounts (string)

Group Properties | Details
type* | Specifies if the group is local or associated with active directory (string)

Scheduled Task Properties | Details
path | Full path of the scheduled task (string)
state | Current state: Ready, Running, Disabled, etc. (string)

Service Properties | Details
service_account_name | Account used to run the service (string)
start_type | Start type: Automatic, Manual, etc. (string)
status | Current status: Running, Stopped, etc. (string)

Note (*): Local groups on Windows Server can contain both Active Directory subgroups and local user accounts. The type property distinguishes between the two entities.

Windows Files

This service discovers filesystem permissions for specified paths and subdirectories based on the set depth. It primarily identifies:

  1. Filesystem paths

  2. Active Directory users and groups with permissions on each path

  3. Permission inheritance

Limitations

  • Designed for SMB file shares utilizing Active Directory permissions

  • Metadata from security principals that do not correlate to Active Directory users or groups is omitted before sending data to Veza

  • Enumerating large shares can be more memory-intensive and will increase the RAM requirement during execution

Configuration Options

These settings can be configured either through the GUI application (Veza for Windows from the Start menu) or by editing the configuration file at C:\Program Files\Veza\Veza.config. See the configuration parameters table for file-based configuration details.

Local Accounts

In the Local Accounts tab, adjust settings as desired:

Option | Purpose
Enabled | Toggles discovery (check mark to enable discovery)
Discovery Interval (minutes) | Sets interval between discovery runs (minimum 60 minutes)
Include Services | Enables service discovery (optional)
Include Scheduled Tasks | Activates scheduled task data discovery (optional)
Save Payload | Saves the payload uploaded to Veza to disk (optional)

Files

In the Folders tab, customize as needed:

Option | Purpose
Enabled | Toggles discovery
Discovery Interval (minutes) | Time gap between discoveries (minimum 120 minutes)
Discovery Threads | Sets concurrent discovery threads
Save Payload | Saves the payload uploaded to Veza to disk (optional)
Paths | Use Add Path to specify discovery paths

Troubleshooting

Common Issues

API Key Not Working During MSI Installation:

  • Problem: API key included directly in configuration file

  • Solution: API keys cannot be set in configuration files. Use the MSI APIKEY parameter or post-installation configuration

  • Example: msiexec /i Veza.msi /qn CONFIG="C:\path\to\Veza.config" APIKEY="your_key"

Configuration Parameters Not Applied:

  • Problem: Configuration file path incorrect or MSI cannot access relative paths

  • Root Cause: MSI executes in a different user context than the current directory

  • Solution: Use the full filesystem path for the CONFIG parameter, not relative paths

  • Example: Use CONFIG="C:\Users\Administrator\Desktop\Veza.config" instead of CONFIG="Veza.config"

Connection Failures:

  • Verify network connectivity to the Veza tenant

  • Check API key validity in the Veza tenant

  • Ensure correct URL format (e.g. https://tenant-name.vezacloud.com)

Performance Issues:

  • If memory usage exceeds 50MB during normal operation, check file share sizes

  • Reduce the number of discovery threads for file shares

  • Increase discovery intervals

Log Analysis:

  • You can adjust the service's log level using the dropdown menu. By default, logs are saved at C:\Program Files\Veza\Local Accounts\logs\VezaWindows.log and C:\Program Files\Veza\Folders\logs\VezaFiles.log.

  • Set log level to Debug temporarily to gather more information for troubleshooting and support requests.

  • Reduce the logging level after troubleshooting to minimize disk usage

Support

For additional assistance, contact Veza Support at [email protected] or through your account representative.
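As an added example that is not part of the Veza integration or this guide, the PowerShell check below validates a Veza.config template before it is placed on a deployment share. It applies the rules from the configuration parameters table (quoted "true"/"false" flags, interval minimums of 60 and 120 minutes, windows_files-threads "1", Info or Debug log level, an https tenant URL, UNC paths with an integer depth) and treats any veza-api_key entry in a template as an error, since the key is meant to arrive through the MSI APIKEY parameter or the post-install command and never as clear text. The function name, the ERROR/WARN labels and the sample configuration are this example's own; the sample is constructed for the demonstration and contains deliberate mistakes.

```powershell
# Added example, not Veza code: pre-deployment checks for a Veza.config template.
function Test-VezaConfig {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [xml] $Config)

    $findings = New-Object System.Collections.Generic.List[string]
    $settings = @{}
    foreach ($node in $Config.configuration.appSettings.add) { $settings[$node.key] = $node.value }

    # 1. A template must never carry the API key: the installer writes the DPAPI-encrypted value,
    #    so anything present here is a clear-text key sitting on the deployment share.
    if ($settings.ContainsKey('veza-api_key')) {
        $findings.Add('ERROR   veza-api_key is set in the template; remove it and deploy the key with the MSI APIKEY parameter or VezaWindowsTray.exe --api_key')
    }

    # 2. Boolean flags and log level
    foreach ($k in 'windows_local_accounts-enabled', 'windows_local_accounts-services_enabled',
                   'windows_local_accounts-tasks_enabled', 'windows_local_accounts-save_json',
                   'windows_files-enabled', 'windows_files-save_json') {
        if (-not $settings.ContainsKey($k))         { $findings.Add("ERROR   $k is missing"); continue }
        if ($settings[$k] -notin @('true', 'false')) { $findings.Add("ERROR   $k must be ""true"" or ""false"" (found '$($settings[$k])')") }
    }
    if ($settings['veza-loglevel'] -notin @('Info', 'Debug')) { $findings.Add('ERROR   veza-loglevel must be "Info" or "Debug"') }
    elseif ($settings['veza-loglevel'] -eq 'Debug')            { $findings.Add('WARN    veza-loglevel is Debug; logs can reach 1GB, return to Info after troubleshooting') }

    # 3. Discovery intervals: quoted integers at or above the documented minimums (60 / 120 minutes)
    foreach ($pair in @(@('windows_local_accounts-interval', 60), @('windows_files-interval', 120))) {
        $k, $min = $pair
        $n = 0
        if (-not [int]::TryParse([string]$settings[$k], [ref]$n)) { $findings.Add("ERROR   $k must be an integer in quotes (found '$($settings[$k])')") }
        elseif ($n -lt $min)                                       { $findings.Add("ERROR   $k is $n; minimum is $min minutes") }
    }

    # 4. Threads stay at "1" unless Veza support says otherwise
    if ($settings['windows_files-threads'] -ne '1') { $findings.Add("WARN    windows_files-threads is '$($settings['windows_files-threads'])'; keep ""1"" unless instructed by Veza support") }

    # 5. Tenant URL must be https and a real tenant, not the YOUR_TENANT placeholder
    $url = [string]$settings['veza-url']
    if ($url -notmatch '^https://[a-z0-9-]+\.vezacloud\.com$') { $findings.Add("ERROR   veza-url '$url' is not of the form https://tenant-name.vezacloud.com") }
    if ($settings['veza-insight_point_proxy'] -match 'INSIGHT_POINT_IP') { $findings.Add('WARN    veza-insight_point_proxy still holds the template placeholder; set it or remove the entry') }

    # 6. File share paths: UNC paths with an integer depth, and at least one when discovery is enabled
    $paths = @($Config.configuration.PathConfigurationSection.PathConfigurations.add | Where-Object { $_ })
    if ($settings['windows_files-enabled'] -eq 'true' -and $paths.Count -eq 0) { $findings.Add('WARN    windows_files-enabled is true but no <add path=...> entries are configured') }
    foreach ($p in $paths) {
        $d = 0
        if ($p.path -notmatch '^\\\\[^\\]+\\.+')             { $findings.Add("ERROR   path '$($p.path)' is not a UNC path (\\server\share\...)") }
        if (-not [int]::TryParse([string]$p.depth, [ref]$d)) { $findings.Add("ERROR   depth '$($p.depth)' for '$($p.path)' is not an integer") }
    }
    return ,$findings
}

# Constructed sample template (not a real tenant) with planted mistakes: a clear-text key,
# a local-accounts interval below the 60-minute minimum, threads not "1", and a non-UNC path.
$sampleConfig = [xml]@"
<configuration>
  <PathConfigurationSection>
    <PathConfigurations>
      <clear />
      <add path="\\fileserver01.example.com\Finance" depth="1" />
      <add path="D:\LocalShare" depth="1" />
    </PathConfigurations>
  </PathConfigurationSection>
  <appSettings>
    <add key="windows_local_accounts-enabled" value="true" />
    <add key="windows_local_accounts-interval" value="30" />
    <add key="windows_local_accounts-services_enabled" value="true" />
    <add key="windows_local_accounts-tasks_enabled" value="true" />
    <add key="windows_local_accounts-save_json" value="false" />
    <add key="veza-url" value="https://example.vezacloud.com" />
    <add key="veza-api_key" value="EXAMPLE-NOT-A-REAL-KEY" />
    <add key="veza-loglevel" value="Info" />
    <add key="windows_files-enabled" value="true" />
    <add key="windows_files-interval" value="120" />
    <add key="windows_files-threads" value="4" />
    <add key="windows_files-save_json" value="false" />
  </appSettings>
</configuration>
"@

$findings = Test-VezaConfig -Config $sampleConfig
$findings | ForEach-Object { Write-Output $_ }
$errorCount = @($findings | Where-Object { $_ -like 'ERROR*' }).Count
Write-Output "$($findings.Count) finding(s), $errorCount error(s)"
# Against a real template on the deployment share (UNC path assumed):
# Test-VezaConfig -Config ([xml](Get-Content -Raw '\\deployment-share\Veza\Veza.config'))
```

Run it as a gate in the packaging pipeline and refuse to publish a template that returns any ERROR line; the WARN lines (Debug logging, a non-default thread count, a leftover proxy placeholder) are the settings the troubleshooting section asks you to revisit when memory or disk usage grows.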