Patch every Windows endpoint.
In one place.
PatchOne is a Windows update management platform for fleets of 10–500 machines — discovery, deployment, and an immutable audit trail, with no per-seat fee and no manual enrollment.
500 max
Machines per org
5 min
Time to first deploy
$0
Per-seat licensing
50 titles
Catalog seeded
§ 01 · Install
Get running in five minutes
On-premises mode runs on a single Windows Server. One script handles the setup from start to finish.
C:\>git clone <repo> patchone
C:\>cd patchone
C:\>copy server\.env.example server\.env
C:\>deploy\install_server.bat
⤷ python venv ...................... ok
⤷ database init .................... ok
⤷ seed catalog (50 titles) ......... ok
⤷ register Windows Service ......... ok
⤷ open firewall rule ............... ok
→ Dashboard ready at http://<server-ip>
§ 02 · Choose your path
Three ways in
All three options run the same software. Your choice depends on network constraints and whether you need multi-tenant isolation.
A · Self-hosted
On-premises
Single Windows Server, no internet required after setup. Best for closed networks.
B · SaaS · multi-tenant
Cloud, with Docker
Docker Compose, TLS termination, and multi-tenant isolation. Best for MSPs managing many client orgs.
C · Endpoint
Agent deployment
Push the agent via GPO, WinRM, or the included bulk-deploy script. Self-registers on first check-in.
D · Console
Tour the dashboard
Fleet view, deploy console, immutable audit log, daily briefing — the surface your IT team lives in.
§ 03 · Capabilities
What you get on day one
Auto-discovery
Agents self-register on first check-in. No CSV imports, no roster to maintain.
Live inventory
Installed software per machine, refreshed on every check-in.
Update detection
Pending updates surfaced as dashboard badges, deduplicated across the fleet.
One-click deploy
Push any catalog title to one machine, a group, or the whole fleet.
Silent install
Updates install in the background. Zero end-user interruption, zero prompts.
Tamper-proof audit
Every deploy, login, and config change logged to an immutable, append-only record.
Offline alerting
Dashboard notification when a machine stops checking in past the timeout.
Daily briefing
Fleet-health snapshot delivered to the notification panel each morning.
Multi-tenant
Cloud mode scopes every request to your org. Cross-tenant access is structurally blocked.
§ 04 · Architecture
Pull-model, always
The agent always initiates the connection — the server never reaches inward. No inbound firewall rules on endpoints, no listening ports, works behind NAT, proxies, and VPNs.
Why pull, not push?
The server is a trusted hub, not a remote-command executor. Agents check in on a schedule, pick up pending jobs, and report results. The server cannot initiate arbitrary actions on endpoints.
§ 05 · Deployment
Two modes, one product
| Mode | Description | Setup |
|---|---|---|
| On-premises | Single Windows Server on your LAN. No internet dependency after setup. | install_server.bat |
| Cloud / SaaS | Docker-based, TLS-terminated, multi-tenant isolation. | docker compose up |