Back to blog
Product Updates · March 5, 2026

Lunixar Simplifies Windows Deployment with a Single MSI and Embedded Token

If you manage endpoints as an MSP or internal IT, there’s one thing you already know:

Agent onboarding should be fast, clear, and frictionless.

You can have great dashboards, alerts, and automations…

but if installing the agent is confusing, you’re already losing time (and creating tickets that shouldn’t exist).

In recent Lunixar updates, we focused on the most painful part of Windows deployments:

A single MSI per deployment with the enrollment token embedded—plus expiration, usage limits, and instant revocation.

And yes: it’s EV code-signed under Lunixar SAS de CV.

On top of that, for teams that prefer pure speed (or remote hands), Lunixar also shows:

A recommended command you can copy, paste into a terminal, and you’re done (requires administrator permissions).

I’m not going to dump a cold changelog.

Instead, here’s what changed, why it matters, and how it helps day-to-day.

1) The real problem: tokens were fine… the workflow wasn’t

The token approach (internally ENROLL_TOKEN) gives you control.

The operational problem was everything around it:

  • Techs asking “just send me the token”
  • Customers asking “put the token inside the installer”
  • GPO deployments where nobody wants MST transforms or extra parameters
  • Manual installs where commands get copied wrong

In short: the control was right, the friction was not.

2) New Windows approach: one MSI with the token embedded

With this change, Lunixar can generate:

A single Windows MSI that already contains the embedded enrollment token.

So the real workflow becomes:

  1. Download the MSI
  2. Run it (double-click or silent deployment)
  3. The agent enrolls automatically—no extra steps

The practical payoff

In daily operations, this means:

  • No copy/paste commands for the common case
  • No typos, missing quotes, or “wrong token” mistakes
  • Fewer installation tickets
  • Easier mass deployment (GPO, RMM push, software distribution tools)

Same token-based control—packaged in the workflow people actually use.

3) The fast alternative: recommended command (copy → paste → done)

Sometimes you don’t want to “hand over an installer.” You want speed:

  • You’re connected via RDP / remote access
  • You’re doing live support and need it installed right now
  • You want a standard runbook command for your team
  • You’re deploying via scripting where a single instruction is ideal

That’s why Lunixar also provides a recommended command that:

  • You copy with one click
  • Paste into a terminal
  • And it deploys without extra steps

One requirement: it must be run with administrator permissions.

Why admin is required

Installing an agent as a service, registering components, and ensuring a consistent system integration requires elevation.

This prevents “half-installed” agents that later turn into cleanup and rework.

4) Operational security: default expiration… and you can revoke anytime

This is important: this MSI is not a forever-installer.

By default, the embedded token includes:

  • 30-day validity

And for real-world ops control:

  • You can revoke the installer/token at any moment

Why this matters

Because “someone forwarded an installer” is a real risk.

And because real life happens:

  • A token was shared too widely
  • A tech should no longer have access
  • A project ended and you want to stop new enrollments
  • You see suspicious activity and want an immediate cutoff

With expiration + revocation you get:

  • Preventive control (it expires automatically)
  • Reactive control (you shut it off instantly)

That’s practical security—without adding bureaucracy.

5) Scope control: limit how many devices can enroll with that MSI

Beyond expiration and revocation, you can also configure:

  • A device limit (number of enrollments/uses)

What this enables

  • A “1-device MSI” for a one-off support job
  • A “10-device MSI” for a small site rollout
  • A “X-device MSI” for a controlled customer deployment

Result: less risk, more order, without slowing the team down.

6) Trust at install time: EV code signing (Lunixar SAS de CV)

This change is backed by something that isn’t “nice to have” on Windows—it’s credibility:

The MSI is EV code-signed under Lunixar SAS de CV.

In practice, that helps with:

  • Less friction with SmartScreen and warnings
  • More trust for IT and compliance teams
  • Better acceptance in corporate environments
  • A more professional installation experience from the first click

When you deploy to hundreds (or thousands) of endpoints, this matters.

Closing

This Lunixar change is built for the way MSPs and internal IT actually work:

  • One MSI per Windows deployment with an embedded token
  • 30-day default validity
  • Instant revocation whenever you decide
  • Configurable device limits
  • A recommended copy-paste command (admin required)
  • EV-signed installer (Lunixar SAS de CV)

Because agent onboarding shouldn’t feel like a project.

It should feel like what it is:

A quick, controlled, frictionless task.