In this article, I compare the 6 best patch management software solutions for Windows and 3rd party applications.
Continuous vulnerability assessment and patching is the most effective method for protecting against vulnerabilities. The Center for Internet Security has continuous patching as a Top 5 CIS control for protecting organizations against cyber attack vectors.
It starts with having the right tools.
I’ve been a System Administrator for a long time and I’ve managed and tested several different patching solutions. The list below is the best solutions on the market.
Best Patch Management Software for 2020
Simplify software patching and reporting for both Microsoft and third-party applications across all your servers, workstations and virtual machines. SolarWinds Patch Manager simplifies many steps during the patching process, from research, scheduling, deployment, reporting, and more.
Bottom line: As a user of SolarWinds products their software is easy to install, setup and use. The interface is very easy to navigate and provides a central web based dashboard for all patch related tasks. SolarWinds is a popular choice for patching 3rd party applications, it is affordable and has good support. This is a good solution for small to large size environments.
Patch Manager Plus is a simple patch management tool that makes it easy to keep your network patched and secure. It is an endpoint patch management software that provides enterprises a single interface for automating all patch management tasks from detecting missing patches to deploying patches. Whether you have one computer or a thousand, they can all be patched at the same time from a single point of console.
Bottom line: Great all around solution that works well in small environments and large. Has a fully automated patching process from testing to production systems. Includes a very large library of 3rd party apps and pre built packages. One of my favorite features of this product is a software ban list, just add the software to the ban list and it will remove it from any detected computer.
GFI LanGuard enables complete patch management of security and non-security patches to Microsoft operating systems, Mac OS X, major Linux distributions and third-party applications. It can also automate patching for all major web browsers too. Security audits check for over 60,000 vulnerability assessments using an extensive, industrial strength vulnerabilities database incorporating OVAL (11,500+ checks) and SANS Top 20 standards.
Bottom line: This is a robust system with lots of configuration options and scanning capabilities. This product can be a complete vulnerability assessment tools with all of its scanning options. If you are looking for a simple solution to patch Windows and 3rd party apps then this might be overkill. If you want a complete vulnerability assessment tool then this is worth checking out. It also comes with a big price tag and annual subscription.
Microsoft System Center Configuration Manager is a Windows product that enables administrators to manage the deployment and security of devices and applications across an enterprise. SCCM is part of the Microsoft System Center systems management suite. SCCM has been around for a long time, it’s grown into a complete end point management system.
Bottom line: Good solid solution once you get it installed and configured. This is a popular choice for very large environments. The only problem with SCCM is that it can be a beast to setup and comes with a big price tag. I recently setup a demo of this product and Microsoft has made many improvements to the installation process.
PDQ Deploy is a software deployment tool that allows system administrators to silently install almost any application or patch to multiple Windows computers simultaneously.
PDQ Deploy saves time and effort by enabling administrators to easily install, uninstall, update, repair, or make many other types of changes across the network without remote logins or physically walking to each computer.
Bottom line: PDQ deploy is known for its ease of use and simple setup. Has a large library of pre built 3rd party applications. Good choice for small to medium size environments that need a quick and simple solution.
Ninite is a browser based patch management system it lets users automatically install popular applications for their Windows operating system. It allows users to make a selection from a list of applications and bundles the selection into a single installer package. The new Ninite Pro lets you manage your software in a live web interface. Each machine is a row and each app is a column. You can select an individual cell to update, install, or uninstall an app on a machine. Or select many cells (or whole rows or columns or everything) to perform bulk actions. You can even watch the agents work in real-time.
Bottom line: With its simplicity and easy deployment this is a popular choice for many admins. For what you get it is expensive and it seems to lack many features offered by other products. Maybe a good fit for small environments.
Finding the Right Patch Management Software
Patch management is a process that must be done on a regular basis, all end points need to be scanned and patched. In computer networks, it takes just one machine to get compromised to open the door to a large scale breach. This is why its so important to have the right patch management solution in place.
Risk based Security’s latest vulnerability report shows a 38% increase in the number of vulnerabilities over the previous year.
When searching for a patch management software it can be overwhelming and be challenging with all the different products on the market. If you talk to a sales person they always say their software is the best or it’s the only one on the market that has these amazing features. The right solution is going to depend on your requirements and your policy.
Must have Features for Successful Patch Management
Keeping servers, workstations and all those applications up to date on patches is no easy task. Factor in mobile users, different operating systems, and trying to not disrupt users just make the task much more challenging.
The patch management software you choose must have the right set of features in order to keep all those systems patched. Here are the features you should look for (the top 6 list I provided above all have these features).
1. 3rd Party Patching
Patching 3rd party applications is a must and most products do have this feature. To effectively patch 3rd party apps the product should, detect, report and patch most commonly used apps such as adobe, java, browsers, zip programs and office. Most products will provide a list of what applications they will patch, pay attention to this and make sure it covers the apps you need. The number of apps various between each product.
2. Automatic patch deployment
You need to get patches deployed as quickly as possible but you also need to test them before deploying them enterprise wide. Some of the best tools have the ability to auto deploy to a test group and after x amount of days with no issues it will auto approve to all computers. Not all will have this ability but you they should have the option to auto deploy when new patches are available.
3. Create custom deployments
You may need to deploy a patch or update to a specific group of computers. The tool should have the ability to create custom groups, such as by operating system, by department, by java version or however you want. You may need to apply an emergency patch to Windows 10 computers or computers on a specific version of java, being able to deploy to custom groups makes this easier.
4. Pre Built Packages
Most patching systems now provide pre built packages such as, adobe reader, java, flash, browser updates. The packages is usual tested and configured to silently install. This is a huge time saver. This eliminates the need to download, create a custom package and run it through some testing.
5. Detailed Reports
To stay on top of your systems you need detailed reports. Some helpful reports include: top vulnerable systems, top missing patches, systems that need rebooted to complete, and being able to report on specific patches. Pay attention to this one as not all products provide great reporting.
6. Patch Status
It’s helpful to quickly see how many systems are unpatched, missing updates and systems that have failed. Some systems provide a compliance report that shows your most vulnerable systems.
7. Email notifications
You need a product that can provide you email notifications on things like, status report, new patches, emergency patches, highly vulnerable systems.
8. Retry to offline machines
Never buy a product that doesn’t offer this feature, it will be impossible to keep machines up to date without it. Your going to have machines that are offline such as vpn/mobile users that miss a patch deployment. A good patching tool should auto retry once that machine is online. It would take a lot of manual labor to sit and wait for those machines to come online then try to push them out.
9. Custom groups
You may not be able to patch every system at the same time, you could have special environments that need a custom schedule. If that’s the case make sure the product can create custom schedules to specific computers or groups. In my case we have a 24/7 department, so we can’t just install updates in the middle of the day. I created a custom schedule that deployed to this group of computers in a specific window that was separate from other computers.
How did I determine the best 6? I have personally used or evaluated several tools over the years, from my experience these are the 6 best I’ve come across. I also looked at reviews from various websites, read system admin forums and asked other IT pros what they used for patch management. These products got good reviews, where the most recommended and talked about in the online community.
Why is Microsoft WSUS not in the top 6? Although it is still a popular choice, it’s often used in combination with another product for patching 3rd party apps.
In my experience it worked well in small environments, once you get up to 1500+ computers it would have problems. It also lacked a lot of features and customization needed for larger deployments, the lack of 3rd party app support is was a show stopper for me.
So what’s the best Patching Management Software?
You have plenty of good options to choose from. Any of the top 6 I listed will get the job done but to find the best solution you will need to review your requirements and try them out for yourself. You also need to know what your budget is? There is no point in looking at tools your company can’t afford.
The most important factor when finding the best patch management software is to DEMO IT. Setup a test server and run it through a real world test. Some tools look great on paper but once you get hands on experience with it they may not work for you.
Hopefully, you found this article helpful, if you have any questions leave a comment below.
Recommended Tool: SolarWinds Server & Application Monitor (SAM)
This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.
What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.