The Capabilities Your Microsoft Stack Is Missing
Policy governance. Security baseline evidence. CVE correlation. Real-time endpoint operations. Third-party app lifecycle. Built-in BI. The intelligence layer that transforms Intune, ConfigMgr, and Azure Update Manager from management tools into a fully auditable endpoint platform.
Who It's For
Patchblox extends your existing Microsoft investment — or works standalone without any Microsoft dependency at all.
Intune Admins
Intune gives you point-in-time snapshots. Patchblox gives you the history, the diff, and the audit trail. Every policy change tracked. Every silent script modification captured. Compliance trended over months, not just today's checkbox. And when you need to act on a device right now — not in 8 hours — 200 built-in actions are a click away.
- Policy version control with side-by-side diff and restore
- Silent change detection across all 8 policy types
- Historical compliance trending — 30, 90, 180, 365 days
- Change Timeline with drift detection and actor attribution
- 200 real-time endpoint actions — no sync delays, no waiting
ConfigMgr Admins
Your remote tools depend on WMI, SMB, and Remote Registry — protocols that break for remote workers, VPN users, and untrusted domains. Patchblox gives you 200 built-in endpoint actions over a persistent encrypted channel that works anywhere the device has a connection. Same operational power, no network line-of-sight required.
- 200 built-in actions across Windows, macOS, and Linux
- Works off-network — no WMI, no SMB, no open firewall ports
- ConfigMgr-specific actions — policy cycles, inventory cycles, cache management
- Works alongside ConfigMgr — not a replacement, an extension
- One portal for Intune, ConfigMgr, AUM, and standalone devices
Azure Update Manager Admins
AUM handles Microsoft OS updates. That's it. No third-party apps. No CVE correlation. No approval workflows. No pre/post scripts without wiring up Event Grid and Azure Functions. Patchblox fills every one of those gaps — admin-friendly, no developer work required.
- 600+ third-party apps with signature verification and 24-hour security SLA
- CVE correlation from NVD, MSRC, OVAL, and OSV — per update
- Approval workflows with ring deployment and automated VM testing
- Pre/post scripts with Monaco editor and signature enforcement
- Unified pending updates — AUM native and Patchblox scan results side by side
Security & Compliance Teams
Intune Security Baselines report whether the CSP successfully wrote a setting — through the same channel that applied it. A GPO can override it. A conflicting policy can win. Intune still shows "Succeeded." Patchblox collects the actual value from the endpoint independently and shows you: Expected = 14. Actual = 8.
- 12+ baselines — CIS Benchmarks, Microsoft SCT, and custom
- Per-rule expected vs actual evidence across Windows, macOS, and Linux
- Intune Security Baseline scorecard — real 29-section CSP structure
- Patch latency scoring — months behind with CVE exposure per device
- Exportable to Excel, CSV, and PDF for SOC 2, HIPAA, PCI-DSS, FedRAMP
Standalone & Air-Gapped
No Intune. No AUM. No Azure. Patchblox runs the full platform — inventory, patching, compliance baselines, BI reporting, automation — on its own agent and infrastructure. Self-hosted on your metal or in your private cloud. WhatsSup WSUS replacement for disconnected environments.
- Cross-platform agent — Windows, macOS, Ubuntu, Debian, RHEL, Fedora
- osquery-based inventory with 18 categories per device
- Per-tenant PKI — root CA, intermediate CA, agent and signing certificates
- TPM-based envelope encryption for secrets management
- Authenticode-signed .pbcontent packages — no unsigned content executes
IT Operations & Helpdesk
A user calls with a problem. You need to see what's happening on that device and fix it — not write a script, not wait for a policy sync, not ask the user to open a command prompt. Patchblox gives you 200 built-in actions and 18 categories of device data, refreshable in under a minute. See it, fix it, move on.
- Quick inventory refresh — fresh device data in under a minute
- Restart services, kill processes, repair WU — immediately
- Role-based access control — right actions for the right team members
- Works across Intune, ConfigMgr, AUM, and standalone from one portal
- Script Repository with Monaco editor for anything custom
Pain Points You Recognize
These are the gaps your team works around every day. Patchblox closes them.
"Our auditor wants proof of actual configuration state — not a vendor's pass/fail checkbox."
Patchblox evaluates actual endpoint values independently of the CSP channel and shows expected vs actual for every rule, every device. Export to Excel, CSV, or PDF for SOC 2, HIPAA, PCI-DSS, and FedRAMP.
"A policy changed last Thursday and broke 200 devices. Intune's audit log doesn't show what changed."
Patchblox tracks every policy version across 8 policy types with side-by-side diff, actor attribution, and a full Change Timeline. Silent script changes that Intune's audit log misses are captured automatically.
"We have 600 third-party apps across our fleet with no CVE visibility and no automated patching."
Patchblox curates 600+ enterprise apps with real-time CVE correlation from NVD, MSRC, OVAL, and OSV feeds. Signature-verified, malware-scanned, validated — from vendor release to your fleet in under 24 hours.
"I can see what Intune last reported, but I can't query a device or act on it right now."
Patchblox gives you 200 built-in actions over a persistent SignalR channel — trigger a quick inventory for fresh data in under a minute, then restart services, kill processes, install updates, or run scripts. Immediately or scheduled.
"We need BI reports for endpoint data but don't want to license Power BI and build everything from scratch."
Patchblox includes 3 report designers — Dashboard, Tabular, and Change Timeline — with a Visual Query Builder, Monaco SQL editor, and 500 data views across 3 platforms. Built in, not bolted on.
"We push updates to production and pray. There's no staging, no testing, no rollback."
Patchblox approval workflows use ring-based deployment with automated VM testing, boot verification, event log analysis, health signal validation, and auto rollback. Planning mode shows what would happen without executing.
"I can't see what's actually running on a device without remoting in or writing scripts."
Resource Explorer gives you 18 categories per device — processes with network connections, remote registry, firewall rules, certificates, services, Hyper-V guests, browser extensions, Defender status — all from the console.
"Half our devices are off-network. Our remote tools can't reach them without VPN and open firewall ports."
Patchblox uses a persistent outbound connection — no inbound ports, no WMI, no SMB. If the device has internet access, you can reach it. Home office, coffee shop, hotel WiFi — same actions, same portal.
Deploy Your Way
SaaS or self-hosted — same platform, same features, your choice of infrastructure. For regulated industries and government, the self-hosted option means your data never leaves your network.
Patchblox Cloud
Fully managed on Patchblox infrastructure. We handle the database, the gateway, the updates. You manage your endpoints.
- Zero infrastructure to manage
- Automatic platform updates
- Multi-tenant isolation with per-tenant databases
- Per-tenant PKI hierarchy included
Patchblox On-Premises
Run the full platform on your own infrastructure. Your data stays in your data center. Required for air-gapped, FedRAMP, and classified environments.
- Full data sovereignty — nothing leaves your network
- Run on any Linux host — bare metal, VM, or container
- Optional customer subordinate CA integration
- Air-gapped support with WhatsSup WSUS replacement
See How Patchblox Completes Your Stack
Schedule a live demo with a Patchblox engineer — we'll show you the gaps in your current environment and how we close them