Windows

Dev Machine Guard ships as a signed Windows Installer (.msi) for fleet deployment to Windows endpoints. The MSI is published on GitHub Releases for both Intel/AMD (x64) and ARM64 architectures, and integrates natively with Windows-based endpoint management tools.

Why MSI

Many enterprise environments use EDR to block PowerShell from making outbound network calls. The Dev Machine Guard MSI install, upgrade, and uninstall flows never spawn PowerShell. The execution chain is:

MDM → msiexec.exe → stepsecurity-dev-machine-guard.exe → schtasks.exe

This makes the MSI the preferred path for environments with strict PowerShell egress controls. The MSI also exposes a standard ProductCode and UpgradeCode, so detection rules, supersedence, and uninstall commands can be auto-derived by your MDM without any custom scripting.

Each MSI release ships with a Sigstore (cosign) bundle alongside it for supply chain verification.

Supported deployment tools

Two ways to pass tenant credentials

Regardless of which MDM tool you use, you have two options for getting tenant credentials onto each endpoint:

| | Inline MSI properties | Pre-staged bootstrap file |
| --- | --- | --- |
| Set up | One step (MSI deploy) | Two steps (drop config, then MSI deploy) |
| API key in logs | Appears in MDM install logs if verbose logging is on | Never on command line, safe under any logging |
| Multi-tenant | One application per tenant | One application, per-tenant config via config distribution |
| Recommended | OK for small or lab deployments | Yes for production |

Each tool-specific guide below shows how to apply both options in that tool's deployment UI.
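
The "API key in logs" exposure can be checked for on collected install logs. The following is an added example, not part of the Dev Machine Guard documentation or code: a Python audit that finds and redacts secret-looking public properties in a verbose msiexec log. The property name API_KEY and the sample log lines are constructed, since this page does not give the MSI's real property names.

```python
import re

# Assumption: secret-bearing properties are recognised by name. The page does not
# list the MSI's property names, so API_KEY in SAMPLE_LOG is hypothetical.
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.I)

# Places a verbose msiexec log (/l*v) echoes public property values.
PATTERNS = [
    ("property dump", re.compile(r"^Property\([SC]\): (\w+) = (.*)$")),
    ("property change", re.compile(r"PROPERTY CHANGE: Adding (\w+) property\. Its value is '([^']*)'")),
]
CMD_LINE = re.compile(r"(?<=Command Line: ).*$")
CMD_PAIR = re.compile(r'\b(\w+)=("[^"]*"|\S+)')

def scan(log_text):
    """Return (findings, redacted_text); a finding is (line_no, property, where)."""
    findings, out = [], []
    def masker(no, where):
        def mask(m):
            name, value = m.group(1), m.group(2)
            # Windows Installer prints hidden properties as asterisks; skip those.
            if not SECRET_NAME.search(name) or set(value.strip('"')) <= {"*"}:
                return m.group(0)
            findings.append((no, name, where))
            start = m.start(2) - m.start(0)
            return m.group(0)[:start] + "<redacted>" + m.group(0)[start + len(value):]
        return mask

    for no, line in enumerate(log_text.splitlines(), 1):
        line = CMD_LINE.sub(lambda m: CMD_PAIR.sub(masker(no, "command line"), m.group(0)), line)
        for where, pattern in PATTERNS:
            line = pattern.sub(masker(no, where), line)
        out.append(line)
    return findings, "\n".join(out)

# Constructed sample log lines (not real output from the product).
SAMPLE_LOG = """\
MSI (s) (A4:10) [10:01:02:003]: Command Line: API_KEY=sk_test_0000 TENANT=acme CLIENTUILEVEL=3
MSI (s) (A4:10) [10:01:02:010]: PROPERTY CHANGE: Adding API_KEY property. Its value is 'sk_test_0000'.
Property(S): API_KEY = sk_test_0000
Property(S): OTHER_TOKEN = **********
Property(S): ProductName = Example
"""

if __name__ == "__main__":
    hits, clean = scan(SAMPLE_LOG)
    for no, name, where in hits:
        print(f"line {no}: {name} exposed in {where}")
```

A key that turns up in any finding should be treated as disclosed to everyone who can read that log and rotated.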
