diff --git a/CMakeLists.txt b/CMakeLists.txt
index e586dec2891..9cdfab8ea5d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -812,13 +812,15 @@ endif()
 # AWS MSK IAM detection (must come after Kafka section)
 if(FLB_AWS AND FLB_KAFKA)
- # Check if Kafka SASL support was detected
- if(DEFINED FLB_SASL_ENABLED AND FLB_SASL_ENABLED)
+ # Check if Kafka OAuth Bearer support was detected
+ # On Windows: uses SSPI (no Cyrus SASL needed, just SSL)
+ # On Linux/macOS: uses Cyrus SASL (libsasl2)
+ if(DEFINED FLB_KAFKA_MSK_IAM_ENABLED AND FLB_KAFKA_MSK_IAM_ENABLED)
 set(FLB_HAVE_AWS_MSK_IAM ON) # Set CMake variable
 FLB_DEFINITION(FLB_HAVE_AWS_MSK_IAM) # Set preprocessor definition
 message(STATUS "AWS MSK IAM authentication: ENABLED")
 else()
- message(STATUS "AWS MSK IAM authentication: DISABLED (requires Kafka with libsasl2)")
+ message(STATUS "AWS MSK IAM authentication: DISABLED (requires Kafka with OAuth Bearer support)")
 endif()
 else()
 if(FLB_AWS AND NOT FLB_KAFKA)
diff --git a/cmake/kafka.cmake b/cmake/kafka.cmake
index 09e98dd9228..6e9c111ecb8 100644
--- a/cmake/kafka.cmake
+++ b/cmake/kafka.cmake
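Review bot: The two added platform comments describe the OAuth Bearer check in terms of SSPI and Cyrus SASL, which is not what the gate on the following line tests. In librdkafka SSPI backs the GSSAPI mechanism on Windows, while OAUTHBEARER is built in and depends on SSL, so the comment would be more accurate as `# FLB_KAFKA_MSK_IAM_ENABLED is set in cmake/kafka.cmake: TLS on Windows, Cyrus SASL (libsasl2) elsewhere`. The DISABLED message could also name the missing prerequisite per platform, so that a build which silently loses IAM authentication is easy to diagnose from the configure log. The enclosing if/else block continues outside the hunk.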
@@ -28,14 +28,31 @@ else()
 endif()
 endif()
-# OAuth Bearer is built into librdkafka when SASL is available
-set(FLB_SASL_OAUTHBEARER_ENABLED ${FLB_SASL_ENABLED})
+# OAuth Bearer support:
+# - Windows: Built-in SASL, only needs SSL (no Cyrus SASL required)
+# - Linux/macOS: Needs both SSL and Cyrus SASL
+if(FLB_SYSTEM_WINDOWS)
+ if(FLB_TLS)
+ set(FLB_SASL_OAUTHBEARER_ENABLED ON)
+ else()
+ set(FLB_SASL_OAUTHBEARER_ENABLED OFF)
+ endif()
+else()
+ # Non-Windows platforms: require Cyrus SASL
+ set(FLB_SASL_OAUTHBEARER_ENABLED ${FLB_SASL_ENABLED})
+endif()
 # MSK IAM requires OAuth Bearer support
 set(FLB_KAFKA_MSK_IAM_ENABLED ${FLB_SASL_OAUTHBEARER_ENABLED})
 # Configure librdkafka options
-FLB_OPTION(WITH_SASL ${FLB_SASL_ENABLED})
+# On Windows, enable WITH_SASL for SSPI support (built-in, no Cyrus needed)
+# On other platforms, WITH_SASL depends on Cyrus SASL availability
+if(FLB_SYSTEM_WINDOWS)
+ FLB_OPTION(WITH_SASL ON)
+else()
+ FLB_OPTION(WITH_SASL ${FLB_SASL_ENABLED})
+endif()
 FLB_OPTION(WITH_SSL On)
 FLB_OPTION(WITH_SASL_OAUTHBEARER ${FLB_SASL_OAUTHBEARER_ENABLED})
 FLB_OPTION(WITH_SASL_CYRUS ${FLB_SASL_ENABLED})
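Review bot: The non-Windows branch enables OAuth Bearer from `FLB_SASL_ENABLED` alone, although the comment added above it says Linux/macOS need both SSL and Cyrus SASL; only the Windows branch checks `FLB_TLS`. Since `FLB_KAFKA_MSK_IAM_ENABLED` is derived from this value, MSK IAM could be compiled in for a build without TLS, unless `FLB_SASL_ENABLED` already implies TLS in the part of the file outside this hunk. Gating both branches on `FLB_TLS` and always assigning ON or OFF would match the comment and keep the flag well defined if `FLB_SASL_ENABLED` is ever unset. Separately, `WITH_SASL_CYRUS` still receives `${FLB_SASL_ENABLED}` while `WITH_SASL` is forced ON for Windows, which deserves a one-line comment saying Cyrus is intentionally left off there.

```cmake
# OAuth Bearer needs TLS everywhere; Cyrus SASL is additionally required off Windows
if(FLB_TLS AND (FLB_SYSTEM_WINDOWS OR FLB_SASL_ENABLED))
  set(FLB_SASL_OAUTHBEARER_ENABLED ON)
else()
  set(FLB_SASL_OAUTHBEARER_ENABLED OFF)
endif()
# … unchanged: FLB_KAFKA_MSK_IAM_ENABLED assignment and librdkafka FLB_OPTION calls …
```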