diff --git a/.github/actions/build_cli/action.yml b/.github/actions/build_cli/action.yml
index bef9f9e6a..d2e308a36 100644
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@@ -49,7 +49,7 @@ runs:
       env:
         TARGET_GOOS: ${{ inputs.targetOS }}
         TARGET_GOARCH: ${{ inputs.targetArch }}
-        OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
+        OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}${{ inputs.targetOS == 'windows' && '.exe' || '' }}
       run: |
         echo "::group::Build CLI"
         mkdir -p "$(dirname "${OUTPUT_PATH}")"
@@ -100,7 +100,7 @@ runs:
         COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
         COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
-        OUTPUT_PATH: ${{ github.workspace }}/${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
+        OUTPUT_PATH: ${{ github.workspace }}/${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}${{ inputs.targetOS == 'windows' && '.exe' || '' }}
       run: |
         echo "$COSIGN_PUBLIC_KEY" > cosign.pub
         # Enabling experimental mode also publishes signature to Rekor
diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
index 0f35c7358..948122017 100644
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@@ -46,8 +46,21 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: [amd64, arm64]
-        os: [linux, darwin]
+        include:
+          - arch: amd64
+            os: linux
+
+          - arch: amd64
+            os: darwin
+
+          - arch: amd64
+            os: windows
+
+          - arch: arm64
+            os: linux
+
+          - arch: arm64
+            os: darwin
     steps:
       - name: Checkout
         id: checkout
@@ -70,14 +83,24 @@ jobs:
           cosignPrivateKey: ${{ inputs.key == 'release' && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
           cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
 
-      - name: Upload CLI as artifact
+      - name: Upload CLI as artifact (unix)
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        if : ${{ matrix.os != 'windows' }}
         with:
           name: constellation-${{ matrix.os }}-${{ matrix.arch }}
           path: |
             build/constellation-${{ matrix.os }}-${{ matrix.arch }}
             build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
 
+      - name: Upload CLI as artifact (windows)
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        if : ${{ matrix.os == 'windows' }}
+        with:
+          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
+          path: |
+            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
+            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig
+
   push-containers:
     runs-on: ubuntu-22.04
     if: inputs.pushContainers
@@ -137,6 +160,11 @@ jobs:
         with:
           name: constellation-linux-arm64
 
+      - name: Download CLI binaries windows-amd64
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: constellation-windows-amd64
+
       - name: Download CLI SBOM
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
@@ -150,6 +178,7 @@ jobs:
             constellation-darwin-arm64 \
             constellation-linux-amd64 \
             constellation-linux-arm64 \
+            constellation-windows-amd64.exe \
             constellation.spdx.sbom)
           HASHESB64=$(echo "${HASHES}" | base64 -w0)
           echo "${HASHES}"
@@ -253,6 +282,11 @@ jobs:
         with:
           name: constellation-linux-arm64
 
+      - name: Download CLI binaries windows-amd64
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: constellation-windows-amd64
+
       - name: Download CLI SBOM
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
@@ -282,6 +316,9 @@ jobs:
           slsa-verifier verify-artifact constellation-linux-arm64 \
             --provenance-path ${{ needs.provenance.outputs.provenance-name }} \
             --source-uri github.com/edgelesssys/constellation
+          slsa-verifier verify-artifact constellation-windows-amd64.exe \
+            --provenance-path ${{ needs.provenance.outputs.provenance-name }} \
+            --source-uri github.com/edgelesssys/constellation
           slsa-verifier verify-artifact constellation.spdx.sbom \
             --provenance-path ${{ needs.provenance.outputs.provenance-name }} \
             --source-uri github.com/edgelesssys/constellation
@@ -320,6 +357,11 @@ jobs:
         with:
           name: constellation-linux-arm64
 
+      - name: Download CLI binaries windows-amd64
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: constellation-windows-amd64
+
       - name: Download Constellation CLI SBOM
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with: