> For the complete documentation index, see [llms.txt](https://docs.stepsecurity.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.stepsecurity.io/developer-machines/installation-script/mdm-deployment/windows.md). # Windows Dev Machine Guard ships as a **signed Windows Installer (`.msi`)** for fleet deployment to Windows endpoints. The MSI is published on [GitHub Releases](https://github.com/step-security/dev-machine-guard/releases) for both Intel/AMD (x64) and ARM64 architectures, and integrates natively with Windows-based endpoint management tools. ### Why MSI Many enterprise environments block PowerShell from making outbound network calls via EDR. The Dev Machine Guard MSI install, upgrade, and uninstall flows **never spawn PowerShell**. The execution chain is: ``` MDM → msiexec.exe → stepsecurity-dev-machine-guard.exe → schtasks.exe ``` This makes the MSI the preferred path for environments with strict PowerShell egress controls. The MSI also exposes a standard `ProductCode` and `UpgradeCode`, so detection rules, supersedence, and uninstall commands can be auto-derived by your MDM without any custom scripting. Each MSI release ships with a [Sigstore (cosign) bundle](https://github.com/step-security/dev-machine-guard/blob/main/docs/deploying-via-sccm.md#signature-verification) alongside it for supply chain verification. ### Supported deployment tools * [**Microsoft Configuration Manager (SCCM / MEMCM)**](/developer-machines/installation-script/mdm-deployment/windows/microsoft-configuration-manager-sccm.md) * [**Microsoft Intune**](/developer-machines/installation-script/mdm-deployment/windows/microsoft-intune.md) ### Two ways to pass tenant credentials Regardless of which MDM tool you use, you have two options for getting tenant credentials onto each endpoint: | | **Inline MSI properties** | **Pre-staged bootstrap file** | | ------------------- | ---------------------------------------------------- | ---------------------------------------------------------- | | **Set up** | One step (MSI deploy) | Two steps (drop config, then MSI deploy) | | **API key in logs** | Appears in MDM install logs if verbose logging is on | Never on command line, safe under any logging | | **Multi-tenant** | One application per tenant | One application, per-tenant config via config distribution | | **Recommended** | OK for small or lab deployments | **Yes for production** | Each tool-specific guide below shows how to apply both options in that tool's deployment UI. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.stepsecurity.io/developer-machines/installation-script/mdm-deployment/windows.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.