Features

Self-hosted, with a signed installer and safe in-app upgrades. Tap any item to read more.

Imaging & task sequences Wizard-driven WIM customization, reusable recipes

Drop in any Windows ISO and FluxDeploy auto-detects editions, builds, and architectures. Customize via guided wizard: AppX debloat, Windows Update injection, language packs, .NET, optional features. Output is a SHA-256 verified WIM, rejected if the hash doesn't match.

Compose deployment recipes once and apply them to any fleet. Steps run automatically at the right phase: PreImaging, PostImaging, PreDriverInjection, PostDriverInjection, PreAnswerFile, PostAnswerFile, or FirstBoot. Indexed ordering keeps execution deterministic.

Driver intelligence One-click OEM driver packs, auto-matched

Download driver packs from major OEM catalogs in one click. Packs are auto-matched to your machine models, so the right drivers land on the right hardware without manual hunting. Priority ordering (DriverPack, Storage, Chipset, Network, Video, Audio) ensures injection happens at the right phase. Two injection modes: Offline (into the WIM) or WinPE-Live at boot.

Distributed deployment Linux or Windows relays, MCC dual-role, PXE built in

One binary, two modes. Relay sites can run on Linux or Windows, and each relay can double as your Intune Microsoft Connected Cache. Sync over the public internet, Tailscale, WireGuard, or any IP-routable VPN. Resumable WIM transfer over HTTP Range and ETag, mutual cert pinning, and offline-of-Core operation when the link drops.

Boot is UEFI-only, Secure Boot compatible. PXE and TFTP are built in with per-site performance modes. USB and ISO fallback for sites without DHCP control. The boot image embeds Core's TLS thumbprint at build time so the agent can pin its trust before any code runs.

Autopilot & MCC Auto-enrollment done right, content offload

Image a machine through FluxDeploy and it auto-enrolls in Windows Autopilot: hardware hash, group tag, and Intune profile, all set the right way with zero clicks per machine. Microsoft Connected Cache integration lets your relays serve Windows Update and Store content locally instead of every machine pulling from Microsoft.

Identity & security SAML SSO, RBAC, cert pinning, full audit log

SAML 2.0 with Entra ID, Google Workspace, Okta, or any compliant IdP. Role-based access (Admin, Operator, ReadOnly) is enforced server-side, not just hidden in the UI.

HTTPS everywhere with TLS 1.2+ and bidirectional cert pinning. SHA-256 verification on every WIM. Atomic file writes for config and state (power-loss safe). Full audit log on every admin action, filterable and exportable.

Notifications Slack, Teams, email, webhooks

Slack, Microsoft Teams, email, and webhook delivery. Per-event routing lets you send build failures to one channel and audit events to another. Channels auto-disable after repeated delivery failures with a one-click re-enable.