diff --git a/.editorconfig b/.editorconfig index 85afe37b..69225fc3 100644 --- a/.editorconfig +++ b/.editorconfig @@ -4,7 +4,7 @@ root = true end_of_line = lf insert_final_newline = true -[*.cmd] +[sh.cmd] end_of_line = crlf [*.{sh,bats,bash}] diff --git a/.gitattributes b/.gitattributes index efdba876..a26fc101 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,2 +1,4 @@ * text=auto *.sh text eol=lf +sh.cmd text eol=crlf +run.cmd text eol=lf diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c1d0a2b2..dde38995 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -34,6 +34,7 @@ jobs: runs-on: ${{ matrix.os }} container: ${{ matrix.container }} if: "!contains(github.event.head_commit.message, '[ci skip]')" + timeout-minutes: 20 strategy: fail-fast: false matrix: diff --git a/CHANGELOG.md b/CHANGELOG.md index 0138a1dc..53b4897d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added error handling in case `curl` or `wget` is not installed. +- Enable protocol handling on Windows. Requires the command `helm secrets patch windows` once. ### Changes - Check detection of sops encrypted files diff --git a/README.md b/README.md index 64b13a74..b3f571be 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ See [Installation](https://github.com/jkroepke/helm-secrets/wiki/Installation) f ### Decrypt secrets via protocol handler -Run decrypted command on specific value files. This is method is preferred over the plugin command below. +Run decrypted command on specific value files. This is method is preferred over the plugin command below. On Windows, the command `helm secrets patch windows` needs to be run first. ```bash helm upgrade name . -f secrets://secrets.yaml diff --git a/docker-compose.yaml b/docker-compose.yaml new file mode 100644 index 00000000..771774fc --- /dev/null +++ b/docker-compose.yaml 
@@ -0,0 +1,13 @@ +version: '3' +services: + helm-secrets: + image: ubuntu:20.04 + working_dir: /opt + volumes: + - ./:/work/helm-secrets + - ./tests/.tmp/.bin/:/usr/local/sbin/ + command: + - bash + - -c + - apt update && apt install git gnupg ruby -y && cp -r /work/helm-secrets/ /opt && sleep inf + diff --git a/docs/Usage.md b/docs/Usage.md index 260b79a7..d80e697c 100644 --- a/docs/Usage.md +++ b/docs/Usage.md @@ -2,12 +2,15 @@ ``` $ helm secrets help -GnuPG secrets encryption in Helm Charts + +Secrets encryption in Helm Charts This plugin provides ability to encrypt/decrypt secrets files to store in less secure places, before they are installed using Helm. +For more information, see the README at github.com/jkroepke/helm-secrets + To decrypt/encrypt/edit you need to initialize/first encrypt secrets with sops - https://github.com/mozilla/sops @@ -17,7 +20,17 @@ Available Commands: view Print secrets decrypted edit Edit secrets file and encrypt afterwards clean Remove all decrypted files in specified directory (recursively) - wrapper that decrypts secrets[.*].yaml files before running helm + dir Get plugin directory + patch Enables windows specific adjustments + wrapper that decrypts encrypted yaml files before running helm + +Available Options: + --quiet -q Suppress info messages (env: $HELM_SECRETS_QUIET) + --driver -d Secret driver to use for decryption or encryption (env: $HELM_SECRETS_DRIVER) + --driver-args -a Additional args for secret driver (env: $HELM_SECRETS_DRIVER_ARGS) + --help -h Show help + --version -v Display version of helm-secrets + --output-decrypt-file-path Output the path of decrypted file ``` By convention, files containing secrets are named `secrets.yaml`, or anything beginning with "secrets" and ending with ".yaml". E.g. `secrets.test.yaml`, `secrets.prod.yaml` `secretsCOOL.yaml`. diff --git a/scripts/commands/enc.sh b/scripts/commands/enc.sh index 7f278272..6bb58447 100644 --- a/scripts/commands/enc.sh +++ b/scripts/commands/enc.sh 
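Review bot: The new compose file mounts `./tests/.tmp/.bin/` over `/usr/local/sbin/`, so whatever the test harness drops there (presumably tool binaries such as helm or sops; I can't see the harness from here) shadows the image's own binaries for the root shell inside the container, and the image is pulled by mutable tag (`ubuntu:20.04`) with `apt install git gnupg ruby` unpinned, so the environment changes silently between runs. That is acceptable for a throwaway test box, but nothing in the file says so, and a compose file in the repo root tends to get reused. Add a header comment such as `# Dev/test only: tests/.tmp/.bin is mounted over /usr/local/sbin so test-provisioned tools win over the image's; not for any production-like use` and, if reproducible runs matter for the tests, pin the image by digest or move the apt step into a Dockerfile.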
@@ -32,6 +32,7 @@ encrypt_helper() { if [ ! -f "${file}" ]; then fatal 'File does not exist: %s' "${dir}/${file}" fi + file_dec="$(_file_dec_name "${file}")" if [ ! -f "${file_dec}" ]; then diff --git a/scripts/commands/help.sh b/scripts/commands/help.sh index 22112de2..7be452d1 100644 --- a/scripts/commands/help.sh +++ b/scripts/commands/help.sh @@ -22,6 +22,7 @@ Available Commands: edit Edit secrets file and encrypt afterwards clean Remove all decrypted files in specified directory (recursively) dir Get plugin directory + patch Enables windows specific adjustments wrapper that decrypts encrypted yaml files before running helm Available Options: diff --git a/scripts/commands/patch.sh b/scripts/commands/patch.sh new file mode 100644 index 00000000..28b8d467 --- /dev/null +++ b/scripts/commands/patch.sh @@ -0,0 +1,33 @@ +#!/usr/bin/env sh + +set -euf + +patch_usage() { + cat <&1) in -*BusyBox* | *GNU*) _sed_i() { sed -i "$@"; } ;; -*) _sed_i() { sed -i '' "$@"; } ;; -esac +_sed_i() { sed -i "$@"; } on_cygwin() { false; } case "$(uname -s)" in -CYGWIN*) on_cygwin() { true; } ;; +CYGWIN*) + on_cygwin() { true; } + ;; +Darwin) + case $(sed --help 2>&1) in + *BusyBox* | *GNU*) ;; + *) _sed_i() { sed -i '' "$@"; } ;; + esac + ;; esac if [ -f /proc/version ] && grep -qi microsoft /proc/version; then diff --git a/scripts/lib/file/custom.sh b/scripts/lib/file/custom.sh index 078d0bd3..5a5a148f 100644 --- a/scripts/lib/file/custom.sh +++ b/scripts/lib/file/custom.sh @@ -9,7 +9,13 @@ _file_custom_exists() { _file_custom_get() { _tmp_file=$(_mktemp) - if ! "${HELM_BIN}" template "${SCRIPT_DIR}/lib/file/helm-values-getter" -f "${1}" >"${_tmp_file}"; then + GETTER_CHART_PATH="${SCRIPT_DIR}/lib/file/helm-values-getter" + + if on_wsl; then + GETTER_CHART_PATH="$(_convert_path "${GETTER_CHART_PATH}")" + fi + + if ! "${HELM_BIN}" template "${GETTER_CHART_PATH}" -f "${1}" >"${_tmp_file}"; then exit 1 fi diff --git a/scripts/run.sh b/scripts/run.sh index 7f38b1e4..10ea2332 100755 
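Review bot: The `_sed_i() { sed -i "$@"; }` default now assumes GNU-style in-place editing on every platform except Darwin, whereas the removed code probed `sed --help` unconditionally; on FreeBSD/OpenBSD/NetBSD, whose sed is BSD-style, `sed -i "$@"` consumes the first expression as the backup suffix, which the old probe handled. If the probe was narrowed only to avoid running `sed --help` on Linux, changing the new arm from `Darwin)` to `*)` keeps the probe as the fallback for every non-Cygwin OS while still leaving GNU/BusyBox on the plain `sed -i` form, e.g. `*)  # any other OS: probe sed, since BSD sed -i needs an explicit empty suffix`. The file header for this hunk is not visible in this chunk, so I cannot confirm which library file it belongs to.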
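Review bot: `GETTER_CHART_PATH` is assigned as an unprefixed upper-case name inside `_file_custom_get`, while the variable next to it uses the file's function-scope convention (`_tmp_file`); this is POSIX sh with no `local`, so the name survives the call and reads like a user-facing configuration knob rather than a scratch variable. Renaming it `_getter_chart_path="${SCRIPT_DIR}/lib/file/helm-values-getter"` (and the two later uses) keeps the function consistent with its neighbours. `on_wsl` and `_convert_path` are presumably defined in another library file; the body of `_file_custom_get` continues outside the hunk.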
--- a/scripts/run.sh +++ b/scripts/run.sh @@ -2,7 +2,7 @@ set -euf -if [ -n "${HELM_SECRETS_DEBUG+x}" ]; then +if [ -n "${HELM_DEBUG+x}" ] && [ "${HELM_DEBUG}" = "1" ] || [ -n "${HELM_SECRETS_DEBUG+x}" ]; then set -x fi @@ -139,6 +139,13 @@ while true; do downloader "$2" "$3" "$4" "$5" break ;; + patch) + # shellcheck source=scripts/commands/patch.sh + . "${SCRIPT_DIR}/commands/patch.sh" + + patch "$2" + break + ;; terraform) # shellcheck source=scripts/commands/downloader.sh . "${SCRIPT_DIR}/commands/terraform.sh" diff --git a/scripts/wrapper/run.cmd b/scripts/wrapper/run.cmd old mode 100755 new mode 100644 index a1c23abe..5b4196f2 --- a/scripts/wrapper/run.cmd +++ b/scripts/wrapper/run.cmd @@ -1,9 +1,13 @@ -:; exec "$@" # -:; exit $? # +:<&2 } @@ -153,7 +159,7 @@ setup() { cp -a "${TEST_DIR}/assets" "${TEST_TEMP_DIR}/" if ! on_windows; then # shellcheck disable=SC2016 - SPECIAL_CHAR_DIR="${TEST_TEMP_DIR}/$(printf '%s' 'a@b§c!d\$e\f(g)h=i^j😀')" + SPECIAL_CHAR_DIR="${TEST_TEMP_DIR}/$(printf '%s' 'a@b§c!d\$e \f(g)h=i^j😀')" mkdir "${SPECIAL_CHAR_DIR}" cp -a "${TEST_DIR}/assets" "${SPECIAL_CHAR_DIR}/" fi diff --git a/tests/unit/template.bats b/tests/unit/template.bats index c47f7802..3ce418b7 100755 --- a/tests/unit/template.bats +++ b/tests/unit/template.bats @@ -307,10 +307,6 @@ load '../bats/extensions/bats-file/load' @test "template: helm template w/ chart + secrets.yaml + sops://" { - if on_windows ; then - skip - fi - FILE="${TEST_TEMP_DIR}/assets/values/${HELM_SECRETS_DRIVER}/secrets.yaml" create_chart "${TEST_TEMP_DIR}" @@ -321,10 +317,6 @@ load '../bats/extensions/bats-file/load' } @test "template: helm template w/ chart + secrets.yaml + secret://" { - if on_windows ; then - skip - fi - FILE="${TEST_TEMP_DIR}/assets/values/${HELM_SECRETS_DRIVER}/secrets.yaml" create_chart "${TEST_TEMP_DIR}" 
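Review bot: Turning on `set -x` when `HELM_DEBUG=1` widens the xtrace trigger from the plugin-specific `HELM_SECRETS_DEBUG` opt-in to Helm's generic debug variable, and xtrace prints every command this script runs — including any decrypted content or driver arguments that pass through shell variables — to stderr, which in CI usually lands in retained logs. If `helm --debug` is what exports `HELM_DEBUG` to plugins (not visible from here), users asking Helm for verbose output will get a trace that may carry secrets without having asked for it. Consider keeping `HELM_SECRETS_DEBUG` as the only switch for `set -x` and letting `HELM_DEBUG` only raise the plugin's own log level, or at minimum add `# WARNING: set -x echoes decrypted values passing through variables to stderr` above the block. Under `set -u` the two-test form can also be written `[ "${HELM_DEBUG:-}" = "1" ]`.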
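Review bot: The new `patch)` arm calls a shell function named `patch`, which shadows the standard `patch(1)` utility; if `commands/patch.sh` ever fails to define it (or the function is renamed), the shell silently falls through to `/usr/bin/patch "$2"`, which will wait on stdin or try to apply the argument as a patch file instead of reporting a usage error. Naming the function after the command's role, e.g. `patch_command "$2"`, removes the ambiguity; `patch.sh`'s definition is not readable in this chunk, so I cannot confirm what it exports. The `while true` loop enclosing this case starts and ends outside the hunk.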
@@ -335,10 +327,6 @@ load '../bats/extensions/bats-file/load' } @test "template: helm template w/ chart + secrets.yaml + secrets://" { - if on_windows ; then - skip - fi - FILE="${TEST_TEMP_DIR}/assets/values/${HELM_SECRETS_DRIVER}/secrets.yaml" create_chart "${TEST_TEMP_DIR}" @@ -349,7 +337,7 @@ load '../bats/extensions/bats-file/load' } @test "template: helm template w/ chart + secrets.yaml + secrets://http://" { - if on_windows || ! is_driver "sops"; then + if ! is_driver "sops"; then # For vault its pretty hard to have a committed files with temporary seed of this test run skip fi @@ -371,13 +359,16 @@ load '../bats/extensions/bats-file/load' create_chart "${TEST_TEMP_DIR}" - run env HELM_SECRETS_URL_VARIABLE_EXPANSION=true GH_OWNER=jkroepke GH_REPO=helm-secrets helm template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + # shellcheck disable=SC2030 disable=SC2031 + export WSLENV="HELM_SECRETS_URL_VARIABLE_EXPANSION:GH_OWNER:GH_REPO:${WSLENV}" + + run env HELM_SECRETS_URL_VARIABLE_EXPANSION=true GH_OWNER=jkroepke GH_REPO=helm-secrets "${HELM_BIN}" template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 assert_success assert_output --partial "port: 81" } @test "template: helm template w/ chart + secrets.yaml + secrets://http:// + HELM_SECRETS_URL_VARIABLE_EXPANSION=false" { - if on_windows || ! is_driver "sops"; then + if ! is_driver "sops"; then # For vault its pretty hard to have a committed files with temporary seed of this test run skip fi 
@@ -385,12 +376,15 @@ load '../bats/extensions/bats-file/load' create_chart "${TEST_TEMP_DIR}" - run env HELM_SECRETS_URL_VARIABLE_EXPANSION=false helm template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 + # shellcheck disable=SC2030 disable=SC2031 + export WSLENV="HELM_SECRETS_URL_VARIABLE_EXPANSION:GH_OWNER:GH_REPO:${WSLENV}" + + run env HELM_SECRETS_URL_VARIABLE_EXPANSION=false "${HELM_BIN}" template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 assert_failure } @test "template: helm template w/ chart + secrets.yaml + secrets://http://example.com/404.yaml" { - if on_windows || ! is_driver "sops"; then + if ! is_driver "sops"; then # For vault its pretty hard to have a committed files with temporary seed of this test run skip fi @@ -463,7 +457,7 @@ load '../bats/extensions/bats-file/load' } @test "template: helm template w/ chart + secrets.gpg_key.yaml + secrets+gpg-import:// + HELM_SECRETS_ALLOW_GPG_IMPORT" { - if on_windows || ! is_driver "sops"; then + if on_windows || ! is_driver "sops"; then skip fi @@ -471,7 +465,7 @@ load '../bats/extensions/bats-file/load' create_chart "${TEST_TEMP_DIR}" - run env HELM_SECRETS_ALLOW_GPG_IMPORT=false helm template "${TEST_TEMP_DIR}/chart" -f "secrets+gpg-import://${TEST_TEMP_DIR}/assets/gpg/private2.gpg?${FILE}" 2>&1 + run env HELM_SECRETS_ALLOW_GPG_IMPORT=false "${HELM_BIN}" template "${TEST_TEMP_DIR}/chart" -f "secrets+gpg-import://${TEST_TEMP_DIR}/assets/gpg/private2.gpg?${FILE}" 2>&1 assert_failure assert_output --partial "[helm-secrets] secrets+gpg-import:// is not allowed in this context!" } 
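Review bot: The `export WSLENV=...` added to the `HELM_SECRETS_URL_VARIABLE_EXPANSION=false` test lists `GH_OWNER` and `GH_REPO`, but this test never sets those variables (its `run env` line only passes the expansion flag), so the list appears copied from the preceding test. Trimming it to `export WSLENV="HELM_SECRETS_URL_VARIABLE_EXPANSION:${WSLENV}"` states exactly what the test needs to cross the WSL boundary. Since the same export (with SC2030/SC2031 suppressions) is now repeated across several tests, a small helper in the bats helper library would remove the duplication.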
@@ -521,7 +515,7 @@ load '../bats/extensions/bats-file/load' create_chart "${TEST_TEMP_DIR}" - run env HELM_SECRETS_ALLOW_AGE_IMPORT=false helm template "${TEST_TEMP_DIR}/chart" -f "secrets+age-import://${TEST_TEMP_DIR}/assets/age/key.txt?${FILE}" 2>&1 + run env HELM_SECRETS_ALLOW_AGE_IMPORT=false "${HELM_BIN}" template "${TEST_TEMP_DIR}/chart" -f "secrets+age-import://${TEST_TEMP_DIR}/assets/age/key.txt?${FILE}" 2>&1 assert_failure assert_output --partial "[helm-secrets] secrets+age-import:// is not allowed in this context!" } @@ -585,6 +579,8 @@ load '../bats/extensions/bats-file/load' HELM_SECRETS_DRIVER_ARGS=--verbose export HELM_SECRETS_DRIVER_ARGS + + # shellcheck disable=SC2031 disable=SC2030 export WSLENV="HELM_SECRETS_DRIVER_ARGS:${WSLENV}" run "${HELM_BIN}" secrets template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 @@ -645,6 +641,7 @@ load '../bats/extensions/bats-file/load' HELM_SECRETS_DRIVER_ARGS="--verbose --output-type \"yaml\"" # shellcheck disable=SC2090 export HELM_SECRETS_DRIVER_ARGS + # shellcheck disable=SC2031 export WSLENV="HELM_SECRETS_DRIVER_ARGS:${WSLENV}" run "${HELM_BIN}" secrets template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1 @@ -704,9 +701,9 @@ load '../bats/extensions/bats-file/load' } @test "template: helm template w/ chart + secrets.yaml + HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true" { - if on_windows || ! is_driver "sops"; then - skip - fi + if on_windows || ! is_driver "sops"; then + skip + fi FILE="${TEST_TEMP_DIR}/assets/values/${HELM_SECRETS_DRIVER}/secrets.yaml"