Private Beta — Waitlist Open

Package once. Deploy to
Intune and SCCM. Without the war room.

PackageForge turns an installer into a PSADT v4 package, an .intunewin, and an SCCM application — vulnerability-scanned, staged, and audited — in one flow.

Join the Waitlist See How It Works

Why PackageForge

The packaging layer the rest of the suite skips

Most tools pick a side — patching, ConfigMgr, or Intune. PackageForge is the workbench underneath all of them.

PackageForge is the packaging and deployment workbench for Windows admins who run Intune and SCCM — built by packagers, for packagers, with PSADT v4 at the core and a real audit trail from analysis through staged rollout.

vs PDQ Deploy
PDQ is excellent on the LAN. PackageForge ships to Intune and SCCM with one PSADT package and a staged rollout.
vs Patch My PC
PMP automates third-party patching. PackageForge handles your in-house and bespoke apps with the same rigor.
vs Action1
Action1 is cloud patch management. PackageForge is the packaging layer Action1 doesn't try to be.
vs Endpoint Central
Endpoint Central is a suite. PackageForge is the dedicated packaging layer it doesn't have.
vs Recast
Recast extends ConfigMgr. PackageForge bridges ConfigMgr and Intune — same package, both targets, one audit trail.
vs ScalePatch
ScalePatch is patch deployment. PackageForge is what produces the package being deployed.

Capabilities

Inside the Forge

Four pillars. One package. Both deployment systems.

01 / ANALYZE

Know what's in the box before it ships

Catalog · Installer · Vulnerability

Installer analysis

MSI metadata, ProductCode, UpgradeCode, EXE properties, silent-install args, dependencies — pulled out automatically.

MSIEXEMSIX

Software catalog

WinGet and Homebrew in one catalog. Download SHA256-verified. Vulnerability scanning built in.

WinGetHomebrewSHA256

Vulnerability scanning

VirusTotal hash lookup, NVD CVE matching, and Defender TVM cross-reference — before the package leaves the bench.

VirusTotalNVDDefender TVM
02 / PACKAGE

PSADT v4 packages, the way packagers build them

PSADT · Detection · Blueprints

PSADT v4 generation

Install, uninstall, and repair scripts generated from the v4 community template. You still own the script — we just stop you typing the boilerplate.

PSADT v4Handlebars

Detection rules

Auto-generated MSI, file, registry, and PowerShell detection methods. Edit them. Test them. Trust them.

MSIFileRegistryPowerShell

Forge blueprints

Your packaging standards, baked in. Branding, transforms, custom actions, log paths — templated once, applied everywhere.

TemplatesReusable
03 / DEPLOY

Same package. Both deployment systems.

Intune · SCCM · Lifecycle
New

SCCM lifecycle

Publish to ConfigMgr through a relay-queue connector with HMAC-authenticated agents. Then run the parts ConfigMgr never gave you: supersedence chains, retire/restore, soft-guard against accidental retirement, impact preview before you click, and a full audit feed of every move.

SupersedenceRetire / RestoreImpact previewAudit feedHMAC

Intune publishing

Build the .intunewin, upload via Graph, set detection rules, assign to Entra groups. No portal-clicking.

.intunewinGraph APIEntra groups

Deployments dashboard

Every package, both targets, one view. Install status, available updates, supersession state — surfaced.

UnifiedReal-time

Quick deploy

Vulnerable app or version drift detected? One flow — latest version, packaged, dual-published.

One flow
04 / GOVERN

Stage it. Audit it. Sleep through the rollout.

Iron Chain · Reports · Audit
New

Iron Chain — staged rollout

Pilot → Broad → Production. Configurable success thresholds per phase. Auto-advance when the floor holds. Batched Graph status calls so it scales to thousands of devices without throttling. Real-time progress over WebSocket, not a five-minute refresh loop.

Pilot → Broad → ProductionAuto-advanceBatched GraphWebSocket

Client install reports

PSADT scripts POST install outcomes back to the server. Rate-limited, persisted, and queryable per device.

Per-deviceRate-limited

Secure by design

OIDC via Entra ID, AES-256-GCM encrypted secrets, full audit feed of lifecycle actions, web-only deploy on Azure Container Apps.

OIDCAES-256-GCMAudit log

Integrations

Plugs into the stack you already run

No re-platforming. No new agent on the endpoint.

Microsoft Intune

Win32 and macOS app upload (DMG/PKG via Graph), group assignment & supersedence

SCCM / ConfigMgr

Relay-queue connector, HMAC-authenticated agents, supersedence, retire/restore.

Entra ID / OIDC

SSO via authorization code flow. Legacy password fallback for first-run.

WinGet

Windows software catalog — SHA256-verified downloads

Homebrew / Cask

macOS software catalog — search, SHA256-verified download, Intune upload (DMG/PKG)

VirusTotal + NVD

File-hash threat intel, CVE lookup by product/version, aggregated risk score.

Defender TVM

Cross-reference packages against your tenant's Defender vulnerability findings.

FAQ

Common questions

The things the packaging team asks before they sign up.

Does it work with co-managed (Intune + SCCM) environments?

Yes — that's the primary use case. PackageForge publishes the same package to both targets from a single flow.

Does the SCCM relay require an on-premises agent?

Yes. A lightweight .NET connector runs on your ConfigMgr infrastructure and communicates outbound over HTTPS. No inbound firewall rules required.

Do you store our installers?

No. Installers and PSADT packages stay in your environment. PackageForge stores metadata, deployment status, and the audit record — not binaries.

Is the generated PSADT script editable after generation?

Yes. Every generated script is yours to edit before packaging runs. We generate the scaffold; you own the source.

What's included in beta access?

Full access to the packaging pipeline, Intune and SCCM publishing, Iron Chain rollouts, and the deployments dashboard. Capacity is limited per wave.

Is there a self-hosted option?

PackageForge v2 is web-only, hosted on Azure. A self-hosted option is on the roadmap — join the waitlist to vote on it.

Does PackageForge support macOS packaging?

Partially — here is what works today: The software catalog searches both WinGet (Windows) and Homebrew (macOS), and you can download and upload macOS apps (DMG and PKG format) directly to Microsoft Intune from the same workspace. PSADT packaging, SCCM deployment, and Iron Chain rollouts are Windows-only capabilities. If your team manages both Windows and macOS endpoints through Intune, the catalog and upload flow works today.

Join the private beta waitlist

We're letting in packaging engineers and endpoint teams in waves. Tell us what you run — we'll reach out when your spot opens.

Invites go out in waves. When your spot opens, you'll get a short email with early-access instructions — no sales call, no commitment.