Patch Management

Patches that install. Not "queue and pray".

MSI-first software delivery with a Chocolatey bootstrap. Approve, schedule, and report on every patch — across OS and third-party — with predictable SYSTEM-context behavior.

Book a demo Start free trial

The shape of it

Three principles that make this work.

MSI-first, by design

Vendor MSIs install reliably under SYSTEM. We default to them and fall back to Chocolatey for everything else.

A library that does not break under SYSTEM

Our agent kicks off Chocolatey from a Go-side bootstrap that knows how to handle non-interactive PowerShell. Hand-rolled payloads crash; ours does not.

Approve, schedule, report

Per-customer, per-group approval workflows. Maintenance windows, deferral policies, and compliance reports built in.

Capabilities

Limitless capabilities, one product.

OS + third-party patching

Windows, macOS, Linux OS patches plus a curated catalog of third-party apps — all from one approval workflow.

Approval workflows

Per-customer, per-policy approval rules with maintenance windows and emergency-deploy paths.

Compliance reports

Patch posture, age, and exceptions reported per customer, per asset, per CVE.

Deferral & override policies

Defer business-critical patches per host or per asset class without breaking the cadence.

Auto-tickets for failures

Failed installs open tickets with the agent log attached so techs have the diagnosis ready.

Pre/post scripts

Run scripts before or after a patch (database shutdown, app restart, etc.) without bolting on another tool.

In numbers

MSI-first

Delivery preference

Choco

Bootstrap, the right way

Per-tenant

Approval policies

Auto

Tickets for failures

Better together

What pairs well.

Endpoint monitoring across every OS.

One Go-native agent for Windows, macOS, and Linux. Zero dependencies, signed, runs as SYSTEM.

See RMM

One trigger. Every device. Zero spreadsheets.

Smart groups, scheduled jobs, event-triggered automations, and run-on-many script execution.

See Automation

Find every device. Including the ones nobody told you about.

Continuous LAN scans with SNMP, port scans, and CVE detection.

See Network Discovery

FAQ

Questions about Patch Management.

Why MSI-first?

Vendor MSIs install predictably under NT AUTHORITY\SYSTEM. Chocolatey is reliable when bootstrapped correctly; winget has known SYSTEM-context issues with its per-user package cache.

Can I bring my own Chocolatey package?

Yes. Tenant-custom packages live in your catalog alongside the builtins.

How are failed patches handled?

Failures open a ticket with the agent log attached, so techs can diagnose without RDPing in.

Ready to try Patch Management?

See Patch Management in your environment.

Deploy your first agent in minutes. See the platform in action — book a walkthrough or kick the tires on a free trial.

Book a demo30-minute walkthrough. No sales pressure.