6 Best Windows Patch Management Software

by Robert Allen

Looking for the best Windows patch management software to automate Microsoft and 3rd party updates?

There are many patch management tools to choose from and it can be overwhelming to find the right tool for your network.

I’ve tested and used many patch management solutions over the years and the list below is the best tools on the market.

Check it out.

Best Patch Management Software

1. SolarWinds Patch Manager

Simplify software patching and reporting for both Microsoft and third-party applications across all your servers, workstations, and virtual machines. SolarWinds Patch Manager simplifies many steps during the patching process, from research, scheduling, deployment, reporting, and more.

Bottom line: As a user of SolarWinds products their software is easy to install, setup, and use. The interface is very easy to navigate and provides a central web based dashboard for all patch related tasks.  SolarWinds is a popular choice for patching 3rd party applications, it is affordable and has good support. This is a good solution for small to large size environments.

Download 30-Day Free Trial

2. ManageEngine Patch Manager Plus

Patch Manager Plus is a simple patch management tool that makes it easy to keep your network patched and secure. It is an endpoint patch management software that provides enterprises a single interface for automating all patch management tasks from detecting missing patches to deploying patches. Whether you have one computer or a thousand, they can all be patched at the same time from a single point of console.

Bottom line: Great all around solution that works well in small environments and large. Has a fully automated patching process from testing to production systems. Includes a very large library of 3rd party apps and pre-built packages. One of my favorite features of this product is a software ban list, just add the software to the ban list and it will remove it from any detected computer.

3. GFI LanGuard

GFI LanGuard enables complete patch management of security and non-security patches to Microsoft operating systems, Mac OS X, major Linux distributions, and third-party applications. It can also automate patching for all major web browsers too. Security audits check for over 60,000 vulnerability assessments using an extensive, industrial strength vulnerabilities database incorporating OVAL (11,500+ checks) and SANS Top 20 standards.

Bottom line: This is a robust system with lots of configuration options and scanning capabilities.  This product can be a complete vulnerability assessment tool with all of its scanning options. If you are looking for a simple solution to patch Windows and 3rd party apps then this might be overkill. If you want a complete vulnerability assessment tool then this is worth checking out. It also comes with a big price tag and an annual subscription.

4. Microsoft SCCM

Microsoft System Center Configuration Manager is a Windows product that enables administrators to manage the deployment and security of devices and applications across an enterprise. SCCM is part of the Microsoft System Center systems management suite. SCCM has been around for a long time, it’s grown into a complete end point management system.

Bottom line: Good solid solution once you get it installed and configured. This is a popular choice for very large environments. The only problem with SCCM is that it can be a beast to setup and comes with a big price tag. I recently setup a demo of this product and Microsoft has made many improvements to the installation process.

5. PDQ Deploy

PDQ Deploy is a software deployment tool that allows system administrators to silently install almost any application or patch to multiple Windows computers simultaneously.

PDQ Deploy saves time and effort by enabling administrators to easily install, uninstall, update, repair, or make many other types of changes across the network without remote logins or physically walking to each computer.

Bottom line: PDQ deploy is known for its ease of use and simple setup. Has a large library of pre built 3rd party applications. Good choice for small to medium size environments that need a quick and simple solution.

6. Ninite Pro

Ninite is a browser based patch management system it lets users automatically install popular applications for their Windows operating system. It allows users to make a selection from a list of applications and bundles the selection into a single installer package. The new Ninite Pro lets you manage your software in a live web interface. Each machine is a row and each app is a column. You can select an individual cell to update, install, or uninstall an app on a machine. Or select many cells (or whole rows or columns or everything) to perform bulk actions. You can even watch the agents work in real-time.

Bottom line: With its simplicity and easy deployment this is a popular choice for many admins. For what you get it is expensive and it seems to lack many features offered by other products. Maybe a good fit for small environments.

Finding the Right Patch Management Software

Patch management is a process that must be done on a regular basis, all end points need to be scanned and patched. In computer networks, it takes just one machine to get compromised to open the door to a large scale breach. This is why it’s so important to have the right patch management solution in place.

Risk based Security’s latest vulnerability report shows a 38% increase in the number of vulnerabilities over the previous year.

When searching for patch management software it can be overwhelming and be challenging with all the different products on the market. If you talk to a sales person they always say their software is the best or it’s the only one on the market that has these amazing features. The right solution is going to depend on your requirements and your policy.

Windows Patch Management Must Have Features

Keeping servers, workstations, and all those applications up to date on patches is no easy task. Factor in mobile users, different operating systems, and trying to not disrupt users just make the task much more challenging.

The patch management software you choose must have the right set of features in order to keep all those systems patched. Here are the features you should look for (the top 6 list I provided above all have these features).

1. 3rd Party patch management

Patching 3rd party applications is a must and most products do have this feature. To effectively patch 3rd party apps the product should detect, report, and patch most commonly used apps such as adobe, java, browsers, zip programs, and office. Most products will provide a list of what applications they will patch, pay attention to this and make sure it covers the apps you need. The number of apps varies between each product.

2. Microsoft automated patch management

You need to get patches deployed as quickly as possible but you also need to test them before deploying them enterprise wide. Some of the best tools have the ability to auto deploy to a test group and after x amount of days with no issues, it will auto approve to all computers. Not all will have this ability but they should have the option to auto deploy when new patches are available.

3. Create custom deployments

You may need to deploy a patch or update to a specific group of computers. The tool should have the ability to create custom groups, such as by operating system, by department, by java version, or however you want. You may need to apply an emergency patch to Windows 10 computers or computers on a specific version of java, being able to deploy to custom groups makes this easier.

4. Pre Built Packages

Most patching systems now provide pre built packages such as adobe reader, java, flash, browser updates. The packages are usually tested and configured to silently install. This is a huge time saver. This eliminates the need to download, create a custom package and run it through some testing.

5. Detailed Reports

To stay on top of your systems you need detailed reports. Some helpful reports include top vulnerable systems, top missing patches, systems that need to be rebooted to complete, and being able to report on specific patches. Pay attention to this one as not all products provide great reporting.

6. Patch Status

It’s helpful to quickly see how many systems are unpatched, missing updates, and systems that have failed. Some systems provide a compliance report that shows your most vulnerable systems.

7. Email notifications

You need a product that can provide you email notifications on things like status reports, new patches, emergency patches, highly vulnerable systems.

8. Retry to offline machines

Never buy a product that doesn’t offer this feature, it will be impossible to keep machines up to date without it. You’re going to have machines that are offline such as VPN/mobile users that miss a patch deployment. A good patching tool should auto-retry once that machine is online. It would take a lot of manual labor to sit and wait for those machines to come online then try to push them out.

9. Custom groups

You may not be able to patch every system at the same time, you could have special environments that need a custom schedule. If that’s the case make sure the product can create custom schedules to specific computers or groups.  In my case, we have a 24/7 department, so we can’t just install updates in the middle of the day. I created a custom schedule that deployed to this group of computers in a specific window that was separate from other computers.

How did I determine the best 6?  I have personally used or evaluated several tools over the years, from my experience these are the 6 best I’ve come across.  I also looked at reviews from various websites, read system admin forums, and asked other IT pros what they used for patch management. These products got good reviews, were the most recommended and talked about in the online community.

Why is Microsoft WSUS not in the top 6? Although it is still a popular choice, it’s often used in combination with another product for patching 3rd party apps.

In my experience it worked well in small environments, once you get up to 1500+ computers it would have problems. It also lacked a lot of features and customization needed for larger deployments, the lack of 3rd party app support is was a show stopper for me.

So what’s the best Patching Management Software?

You have plenty of good options to choose from. Any of the top 6 I listed will get the job done but to find the best solution you will need to review your requirements and try them out for yourself. You also need to know what your budget is? There is no point in looking at tools your company can’t afford.

The most important factor when finding the best patch management software is to DEMO IT. Setup a test server and run it through a real world test. Some tools look great on paper but once you get hands on experience with them they may not work for you.

Hopefully, you found this article helpful, if you have any questions leave a comment below.

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.

12 thoughts on “6 Best Windows Patch Management Software”

  1. As for SCCM, I agree entirely – for simple tasks it is unbearably complicated.
    I recommend you check Action1.com – it is a robust cloud patch management and RMM solution which allows you to control both system and third-party updates, deploy custom applications, run scripts remotely, and more.
    Also, first 100 endpoints are free. 😉

    Reply
      • Yes, they have a pretty slick UEM automation and deployment solution for on and off network machines. They also offer fully automated MS and 3rd party patch Management combined with a CVE vulnerability scanner. I think you can buy that by itself, without having to buy the whole suite though.

        Reply
    • I’m not a fan of SCCM. MS made it way too complicated for simple tasks like patching servers and computers. Its been a while since I used it so I’m sure they have made some improvements but in general Microsoft seems to make a mess of management tools for admins.

      Reply
  2. I checked Patch Manager Plus and the selling point of creating a Software Ban list which will uninstall software is NOT available. It may be part of their Desktop Central enterprise tool but isn’t available in PMP.

    Reply
    • You are right, the software ban list is part of Desktop Central. I also use Desktop Central so I got the features mixed up. Thanks for pointing that out.

      Reply

Leave a Comment