WinSentinel Pro is the brain on top of agents you already run. The free
winsentinel agent daemon does the work on each box;
Pro gives you one place to see them all and command them together. Here is the whole flow —
five steps, real commands, copy-paste ready.
WSP-XXXX-XXXX-XXXX. Do not have one yet? Get early access, or start a trial.
Free first: every machine can run the full WinSentinel audit on its own with no license at all. You only need Pro when you want them managed together.
WinSentinel ships as a .NET global tool on NuGet. Install it once per machine — this is the same free CLI everyone uses for single-machine audits.
dotnet tool install --global WinSentinel.Cli
# already installed? make sure you are current
dotnet tool update --global WinSentinel.Cli
winsentinel --version
No .NET SDK on a machine? The agent also ships as a standalone install — see the README for the MSIX / winget options.
Activation is per-user, not per-machine. Run it once where you will drive the fleet from. The key is verified, then cached locally with a 30-day offline grace window so a flaky connection never locks you out.
winsentinel pro activate WSP-7Q2K-9F3M-X8AB
# confirm the license is active
winsentinel pro status
The license is written to %APPDATA%\WinSentinel\license.json. Just trying it out? winsentinel pro start-trial begins a 14-day trial instead.
On every machine you want managed, start the agent daemon with your license. It registers with the control plane, identifies itself by license key plus a per-machine fingerprint, and sends a heartbeat every five minutes. The agent is free — pointing it at a control plane is the Pro part.
# register this machine and start heartbeating
winsentinel agent start --license WSP-7Q2K-9F3M-X8AB
# run it as a background Windows service (survives reboots)
winsentinel agent install --license WSP-7Q2K-9F3M-X8AB
Without a Pro license the same daemon still runs — it just audits and monitors locally instead of reporting to a control plane. Nothing about the free experience changes.
Give it a minute for the first heartbeats to land, then check from the CLI or the web console at console.winsentinel.ai. New nodes show as Active; a node that has not checked in for 15 minutes flips to Stale.
# headline view: totals, active/stale, avg score
winsentinel fleet status
# list every registered node (JSON for scripting)
winsentinel fleet nodes --json
Prefer a dashboard? Open console.winsentinel.ai, paste the same license key, and you will see every node, score, and alert on one screen.
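To alert on the 15-minute Stale rule from a scheduled task instead of watching the console, the PowerShell below classifies nodes from the JSON listing. It is an added example, not WinSentinel's own code: the field names hostname and lastHeartbeat, the NoHeartbeat label, and the sample data are assumptions constructed for illustration, so check them against the real output of winsentinel fleet nodes --json.

```powershell
# Added example, not WinSentinel code. ASSUMPTION: `winsentinel fleet nodes --json`
# returns an array of objects with `hostname` and `lastHeartbeat` (ISO 8601, UTC).
# Both field names are hypothetical; adjust them to the real output.
$StaleAfterMinutes = 15   # page's rule: no check-in for 15 minutes flips a node to Stale

function ConvertTo-UtcTime($Value) {
    # PowerShell 7 converts ISO strings to [datetime] in ConvertFrom-Json; 5.1 leaves strings.
    if ($Value -is [datetime]) { return $Value.ToUniversalTime() }
    $parsed = [DateTimeOffset]::MinValue
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal
    $ok = [DateTimeOffset]::TryParse([string]$Value, [cultureinfo]::InvariantCulture, $styles, [ref]$parsed)
    if ($ok) { return $parsed.UtcDateTime }
    return $null   # missing or unparseable timestamp
}

function Get-NodeFreshness {
    param([Parameter(Mandatory)] [object[]] $Nodes,
          [datetime] $Now = [datetime]::UtcNow)
    foreach ($node in $Nodes) {
        $last = ConvertTo-UtcTime $node.lastHeartbeat
        if ($null -eq $last) {
            # Enrolled but no usable heartbeat: report it separately rather than as Active.
            $state = 'NoHeartbeat'; $age = $null
        } else {
            $minutes = ($Now - $last).TotalMinutes
            $state = if ($minutes -ge $StaleAfterMinutes) { 'Stale' } else { 'Active' }
            $age = [math]::Round($minutes, 1)
        }
        [pscustomobject]@{ Hostname = $node.hostname; MinutesSinceHeartbeat = $age; State = $state }
    }
}

# Constructed sample standing in for the CLI output. Against a real fleet, use:
#   $nodes = winsentinel fleet nodes --json | Out-String | ConvertFrom-Json
$nodes = @'
[ {"hostname":"db-prod-1","lastHeartbeat":"2025-01-15T10:58:00Z"},
  {"hostname":"db-prod-2","lastHeartbeat":"2025-01-15T10:40:00Z"},
  {"hostname":"kiosk-07","lastHeartbeat":null} ]
'@ | ConvertFrom-Json
$now = [datetime]::new(2025, 1, 15, 11, 0, 0, [DateTimeKind]::Utc)   # fixed clock for the sample

$report = Get-NodeFreshness -Nodes $nodes -Now $now
$report | Format-Table -AutoSize
# Run as a script from a scheduled task: non-zero exit signals that a node needs attention.
if ($report | Where-Object { $_.State -ne 'Active' }) { exit 1 }
```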
Now the payoff: scan the whole fleet from one command, push a hardening baseline, and pull an org-wide compliance rollup for auditors — no logging into each box.
# scan every node, or a subset, or specific modules
winsentinel fleet scan-all
winsentinel fleet scan-all --nodes db-prod-1,db-prod-2 --modules defender,firewall
# push a CIS L1 baseline to the whole fleet
winsentinel fleet push-policy --file cis-l1.json
Compliance rollups (CIS L1 / SOC2 / HIPAA) and drift alerts populate automatically as scans report in. Export to PDF or CSV from the console Compliance tab.
Heartbeats land every five minutes, so allow a few minutes after agent start. Then confirm the machine can reach your control plane over HTTPS (a proxy or egress firewall is the usual culprit) and that the agent was started with the right --license key. winsentinel agent status prints the last successful check-in.
Fleet commands (fleet status / scan-all / push-policy / nodes) are Pro-gated. Run winsentinel pro activate <key> on that machine first. Single-machine commands (audit, monitor, fix) never require a license.
Stale means no heartbeat for 15+ minutes — usually the machine is offline/asleep or the agent service stopped. Install the agent as a Windows service (winsentinel agent install) so it restarts on boot.
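Yes — the enroll step is a single command, so push it with your existing tooling (GPO startup script, Intune, Ansible, a PDQ/SCCM package). Bake the --license key into the deployment and every machine self-registers on first run. That same key activates the fleet commands and opens the console, so restrict read access to the script or package that carries it.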
Install free, activate Pro once, enroll your machines, and you are managing the fleet from one place. No servers to run — the control plane is hosted.