NEW Endpoint360 1.0 ships Vanguard Autopilot: patch governance at machine speed, with the human reduced to one decision.
AIR-GAP NATIVE NO CLOUD DEPENDENCY KERBEROS SSO · ZERO NEW AUTH NIST 800-53 EVIDENCE CISA KEV / BOD 22-01 CLOCKS AUDITABLE PS1 INSTALLER
// From feed to proof

Turn a vulnerability feed into
closed, documented remediation

Most consoles show you the problem. Endpoint360 runs the whole loop, and writes the evidence trail your assessor asks for, while it happens.

A KEV lands at 02:00

The feed ingests (connected fetch or offline bundle, your posture decides), reconciles IAVA → CVE → KB, and measures exactly who is exposed. Live, against your site database.

CRIT CVE-2026-31184 → KB5054321 KEV
CRIT 2026-A-0114 → CVE-2026-31184 KEV
HIGH CVE-2026-30977 → KB5054290
HIGH exposure:  1,412 of 18,240 devices require the fix

A campaign closes with proof

By the time your team sits down, Vanguard has already done everything except decide.

02:00 · CAMPAIGN OPENEDBoth SLA clocks running. Gap snapshot attached.
RA-5CM-4
02:01 · SCORED 92 · GOSix live telemetry checks. Weakest component named.
07:40 · ONE HUMAN DECISIONThe approver gets the brief by email, clicks once.
CM-3AC-5
07:41 · RINGS DEPLOY ON EVIDENCEPilot first; promotion when success is measured, halt if errors spike.
SI-2
CLOSED AT 96.2% · MEASUREDClosure is a measurement, never an assertion.
CA-7
STEP 01 · DISCOVER

See what your tools won't agree on

AdminService, direct SQL, CMPivot and the fast channel: one console over all of ConfigMgr. Vulnerability reconciliation maps IAVA → CVE → KB → deployment gap in seconds, a chain DoD admins have walked by hand for twenty years.

STEP 02 · DECIDE

One decision, fully briefed

The GO / SLOW / NO-GO confidence score is computed from your own live telemetry: catalog readiness, update hygiene, deployment conflicts, client-estate health, and pilot results, with an honest denominator that discloses what it couldn't measure.

STEP 03 · DEPLOY & PROVE

Evidence writes itself

Every gate stamps the NIST 800-53 controls it satisfies into an assessor-readable trail: who approved, what the exposure was, when each ring promoted, and the measured compliance that closed it. Audit questions become database queries.

72hKEV response clock, so exploited-in-wild items never sit in a queue
0internet dependencies in core operations; feeds ingest as offline bundles
1human decision per campaign with Vanguard Autopilot; everything else is machine
700+Configuration Manager classes reachable through one governed web console
// Flagship · Enterprise edition

Vanguard Autopilot

Patch governance built from the regulations backward (BOD 22-01, NIST 800-53, the DISA IAVM process) and run at the speed the AI threat era demands. Do less. Ship faster. Carry less risk. That is the whole design.

SCORE ≥ 85GO
60 – 84SLOW
< 60NO-GO

A NO-GO blocks execution until a named human accepts the risk in writing. Approval is always human. That line is never crossed.

01
KEV lands → campaign opens itselfBoth clocks start before anyone is awake. Unmapped KEVs raise incidents instead of waiting silently.
02
Self-scoring, self-submittingGO-verdict campaigns enter the approval queue with the evidence pre-assembled.
03
The decision comes to the deciderApprovers get an email brief (severity, deadlines, score, exposure) and a one-click link to sign.
04
Rings promote on evidence, not schedulesPilot success promotes the next ring; an error spike halts every deployment and raises the incident itself.
05
Dual authorization, distinct humansTechnical + Authorizing signatures enforced server-side: separation of duties an assessor can verify.
// Editions

Start with the console.
Grow into the governance.

Core

Every ConfigMgr shop
  • Modern web console: dashboard, Device 360, 24-hour change digest
  • CMPivot & Run Scripts web consoles
  • Patch Command Center & Software Catalog
  • Infrastructure & client-estate health
  • Collection Watchdog with governed deletion
  • Knowledge Chat & anomaly agents (AI optional, off by default)
Talk to us

Professional

Operations at scale
  • Everything in Core
  • Supersedence Guardian: catalog hygiene with one-click remediation
  • Deployment SLA tracking with governed breach incidents
  • Deployment outlier analysis: failure-signature clustering
  • NLP report builder with a fail-closed SQL safety layer
Talk to us
GOVERNANCE & SECURITY

Enterprise

Regulated & government estates
  • Everything in Professional
  • Vulnerability Reconciliation: IAVA → CVE → KB → gap, air-gap feeds
  • Vanguard Autopilot: governed campaigns, NIST evidence, dual-auth
  • App Packaging Pipeline: drop-folder to ring promotion
  • OSD Deployment Tracker
  • ACAS/Tenable & Axonius integration adapters
Talk to us
// A guided tour

Every module, and why it matters in 2026

One console over your whole Configuration Manager estate. Step through the modules: what each one is, and why an AI-era operations team needs it.

Universal Core

Operations Dashboard

24-hour change digest

The morning briefing for your estate: what changed in the last 24 hours, error trends, infrastructure status, and what needs attention. The whole picture before your coffee is cold.

Why now: WinForms makes you open five nodes to learn if last night went well. One glance replaces the ritual.
Operations dashboard
Enterprise

Vulnerability Intelligence

IAVA → CVE → KB → deployment gap

Reconcile threat feeds against what ConfigMgr has actually deployed. See every exposed device for a CVE or IAVA in seconds, with KEV due dates and CVSS front and center.

Why now: the chain DoD admins walk by hand every Patch Tuesday, automated. The single most-requested feature in every ConfigMgr shop.
Vulnerability Intelligence
Enterprise

Vanguard Autopilot

Governed remediation campaigns

A campaign board that scores, deploys, promotes on evidence, and closes on measured compliance, with dual-authorization and a NIST 800-53 evidence trail written as it happens.

Why now: exploits move in hours; change boards meet on Thursdays. Machine-speed remediation with the human reduced to one decision.
Vanguard campaign board
Universal Core

Patch Command Center

SUGs, rings, blast-radius preview

Compliance by software update group and collection, deployment rings at a glance, and a blast-radius preview that shows exactly what a deployment will touch, recorded as evidence before you commit.

Why now: "deploy and hope" is how outages happen. See the blast radius, then approve it.
Patch Command Center
Enterprise

App Packaging Pipeline

Drop-folder to ring promotion

Drop a package in a folder; it validates, creates the app, distributes, deploys to a pilot ring, and auto-promotes on success, with an approval gate for the rings that need a human.

Why now: packaging is where deployment errors are born. A pipeline with evidence beats a checklist and a prayer.
Packaging pipeline board
Professional

Supersedence & Outlier Analysis

Catalog hygiene · failure clustering

Find superseded and expired updates cluttering your groups and remediate in one click. Then cluster deployment failures by model, subnet, boundary, or DP to find the one signature behind a wave of tickets.

Why now: supersedence done wrong is a top ticket driver. And an AI-explained failure cluster turns "50 machines failed" into "the Dell 7440 driver."
Deployment outlier analysis
Enterprise

OSD Deployment Tracker

Task-sequence progress, live

Watch task sequences move through their state messages in real time (which step, which device, which failure) instead of parsing SMSTS logs after the fact.

Why now: imaging day shouldn't mean log spelunking. See the pipeline, catch the stall early.
OSD deployment tracker
Universal Core

Client-Estate Health

Estate rollup + worst-N

Estate-wide client-health scores, a healthy-percentage trend, and the worst clients first with their actual issues (WMI, ccmexec, inactive) so you fix causes, not symptoms.

Why now: broken clients make every other number a lie. Surface them before they become a compliance gap.
Client health
Professional

Boundary & Infrastructure

Coverage gaps · site health

Overlapping and orphaned boundaries, clients outside any boundary group, distribution-point content status, and site-server health. The plumbing that quietly generates tickets, made visible.

Why now: boundary-group misses are the invisible cause behind "software won't install." Find them before your users do.
Boundary validator

Plus Devices & Device 360, CMPivot and Run Scripts web consoles, Software Catalog, Collection Watchdog, Deployment SLA tracking, Knowledge Chat, the NLP report builder, and the Site Health Map. Every view ships dark and light, responsive to 375px, with real loading, empty, and error states.

// The AI layer

Ask your estate anything.
Trust every answer.

Endpoint360 ships five AI capabilities that work where AI usually can't. Every answer is grounded in your own site data, never a generic guess. And the whole layer is built for shops where "we ran it through a chatbot" fails the audit.

Off by defaultOne global switch, role-gated and audited. It turns on when your governance says so, not before.
Your providerAzure OpenAI, OpenAI, or AskSage for DoD IL4/IL5. Selected by config, swappable without a code change.
Grounded, not genericAnswers cite your inventory, your compliance data, your incidents. Retrieval runs over your environment, not the open internet.
Degrades by designEvery module is fully functional with AI disabled. Nothing in the console depends on a model to work.
https://endpoint360.yourdomain.local:8360/chat
PatchAdmin · 07:52Patch compliance dropped in the Denver boundary group overnight. Why?
Knowledge Chat · groundedCompliance fell 4.1% at 02:10. 212 clients in DEN-BG-02 missed KB5054321, and all 212 pull content from DEN-DP-01, which failed content validation at 01:55. Anomaly agent AN-114 already opened incident INC-2081 with redistribution as the suggested fix.
v_UpdateComplianceStatusDP HEALTH MONITORINC-2081
> which other DPs share that config
AI-01 CORE

Knowledge Chat

Plain-language questions about your environment, answered from your site database, your configuration, and the product docs, with the sources cited inline.

> "why is DEN-DP-01 red?" → validation failed 01:55 · 3 pkgs affected
AI-02 CORE

Anomaly Agents

Background agents watch estate signals around the clock and turn a spike into a governed incident with an owner and an SLA clock, not a chart nobody opens.

AN-114: heartbeat drop 6.2σ → INC-2081 opened · owner assigned
AI-03 PROFESSIONAL

Outlier Explanations

Deployment failures cluster by model, driver, subnet, and DP. Then the AI names the signature in one sentence a human can act on.

52 failures → 1 cause: Dell 7440 storage driver 10.2.4
AI-04 PROFESSIONAL

NLP Report Builder

Describe the report you need and get validated SQL against your site database. The safety layer fails closed: read-only, schema-checked, and audited, so the worst case is "no report," never "wrong data."

> "laptops missing the May CU, by building" → report · 0.4s
AI-05 ENTERPRISE · VANGUARD

Vanguard Decision Briefs

Campaign evidence compressed into the one page an approver actually reads: severity, exposure, confidence score, the weakest check, and the deadline math. The human decision, fully briefed.

CVE-2026-31184 · GO 92 · 1,412 exposed · respond by 07/12 02:00
// Security posture

Runs on your infrastructure.
All of it. Only it.

01A single Windows service on your server: no containers, no sidecars, no agents beyond the ConfigMgr client you already run.
02Threat feeds (MSRC, CISA KEV, DISA IAVM) ingest as offline bundles. Connected fetching is an option, never a requirement.
03Windows Negotiate/Kerberos sign-on; roles map from the ConfigMgr security roles you already assigned. Zero new identity infrastructure.
04The installer is one readable PowerShell script. Government customers audit it line by line, and we like it that way.
05Every state-changing action writes an audit row. AI features are off by default and provider-pluggable, including IL4/IL5 paths.
PS C:\> .\Install-Endpoint360.ps1
[1/6] Prerequisites .......... OK
[2/6] Database (existing SQL) OK
[3/6] Service account ........ OK
[4/6] Windows service ........ OK
[5/6] Console deployed ....... OK
[6/6] Listening on :8360 ..... OK
 
Transcript written for your change record.
Internet connections attempted: 0
// Company

Built by someone
who has lived the tickets

EndPoint360 Solutions

Troy Wilch, founder of EndPoint360 Solutions
Troy WilchFounder · 28 years on this product line

Troy has worked with this product line for 28 years, starting with SMS 1.0 in 1998. He went on to support Configuration Manager at Microsoft itself, across every sector of government and a range of industry verticals, on some of the largest deployments in the world.

"I've seen a lot of what works and what breaks. Like so many admins still running this product, I spent years wishing the product group would ship a web console. Eventually I stopped wishing and built it."

That is why Endpoint360 feels different: every feature started as a real ticket, a real Patch Tuesday, or a real audit question. Lean by design, no layers, no bloat, and support that talks to the engineer who built it, not a tier-1 script.

SMS 1.0 → CONFIGMGREX-MICROSOFT SUPPORTGOV + ENTERPRISE SCALE

Where we're headed

AVAILABLE · ENDPOINT360 FOR CONFIGMGRThe full console + Vanguard Autopilot, shipping today.
NEXT · SOFTWARE PORTALA fast, modern self-service catalog for end users.
PLANNED · ENDPOINT360 FOR INTUNEThe same cockpit for cloud-managed estates.
ALWAYS · CLOSE TO THE CUSTOMERFeature requests go straight to the person who builds it.
// Early access

Your ConfigMgr estate deserves a console from this decade

We're onboarding early-access customers now: enterprise and government, connected or air-gapped. Whether your team says ConfigMgr, SCCM, or MECM, this is the console built for it.

Request early access