Windows
Dev Machine Guard ships as a signed Windows Installer (.msi) for fleet deployment to Windows endpoints. The MSI is published on GitHub Releases for both Intel/AMD (x64) and ARM64 architectures, and integrates natively with Windows-based endpoint management tools.
Why MSI
Many enterprise environments use EDR to block PowerShell from making outbound network calls. The Dev Machine Guard MSI install, upgrade, and uninstall flows never spawn PowerShell. The execution chain is:
MDM → msiexec.exe → stepsecurity-dev-machine-guard.exe → schtasks.exe
This makes the MSI the preferred path for environments with strict PowerShell egress controls. The MSI also exposes a standard ProductCode and UpgradeCode, so detection rules, supersedence, and uninstall commands can be auto-derived by your MDM without any custom scripting.
Each MSI release ships with a Sigstore (cosign) bundle alongside it for supply chain verification.
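To confirm from endpoint telemetry that an install followed the execution chain described above, this added example (not StepSecurity's code) walks process-creation records beneath msiexec.exe and reports anything outside the documented chain. The record fields, the `mdm-agent.exe` name and the `<install-dir>` path are constructed placeholders.

```python
import ntpath
from collections import defaultdict

# Images the page documents below the MDM agent in the MSI flow.
EXPECTED = {"msiexec.exe", "stepsecurity-dev-machine-guard.exe", "schtasks.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def _name(image):
    # ntpath parses Windows paths regardless of the OS running the audit.
    return ntpath.basename(image).lower()

def audit_install_tree(events):
    """events: process-creation records as dicts with pid, ppid, image.
    Returns (unexpected, powershell): image paths found under any msiexec.exe.
    Assumes PIDs are unique within the capture window (no PID reuse)."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    stack = [ev for ev in events if _name(ev["image"]) == "msiexec.exe"]
    seen, unexpected, powershell = set(), [], []
    while stack:
        proc = stack.pop()
        if proc["pid"] in seen:
            continue
        seen.add(proc["pid"])
        name = _name(proc["image"])
        if name in POWERSHELL:
            powershell.append(proc["image"])
        elif name not in EXPECTED:
            unexpected.append(proc["image"])
        stack.extend(children[proc["pid"]])  # keep descending the tree
    return sorted(unexpected), sorted(powershell)

def _ev(pid, ppid, image):
    return {"pid": pid, "ppid": ppid, "image": image}

SYS = "C:\\Windows\\System32\\"
PS = SYS + "WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample records, not captured from a real install.
CLEAN = [
    _ev(100, 4, "C:\\mdm\\mdm-agent.exe"),  # hypothetical MDM agent
    _ev(200, 100, SYS + "msiexec.exe"),
    _ev(300, 200, "C:\\<install-dir>\\stepsecurity-dev-machine-guard.exe"),
    _ev(400, 300, SYS + "schtasks.exe"),
    _ev(900, 4, PS),  # unrelated PowerShell outside the install tree
]
DEVIATING = CLEAN + [_ev(450, 300, PS), _ev(460, 300, SYS + "cmd.exe")]

if __name__ == "__main__":
    print(audit_install_tree(CLEAN), audit_install_tree(DEVIATING))
```
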
Supported deployment tools
Two ways to pass tenant credentials
Regardless of which MDM tool you use, you have two options for getting tenant credentials onto each endpoint:
| | Inline MSI properties | Pre-staged bootstrap file |
| --- | --- | --- |
| Set up | One step (MSI deploy) | Two steps (drop config, then MSI deploy) |
| API key in logs | Appears in MDM install logs if verbose logging is on | Never on command line, safe under any logging |
| Multi-tenant | One application per tenant | One application, per-tenant config via config distribution |
| Recommended | OK for small or lab deployments | Yes for production |
Each tool-specific guide below shows how to apply both options in that tool's deployment UI.