Patch management tools automate the process of deploying updates, or “patches,” to operating systems, applications, and other software installed on a computer or network.
We evaluated 70+ patch management tools on the market to bring you our list of the best patch management software & tools:
- NinjaOne Patch Management (EDITOR’S CHOICE, FREE TRIAL) A support tool aimed at managed service providers that patches Windows and Mac OS environments and is tuned to update 135 different software packages. Get a 14-day free trial.
- Atera Patch Management (FREE TRIAL) A cloud-based patch manager designed for deployment by managed service providers (MSPs) that includes patch availability searches and a dashboard that allows patch selection. Access the free trial.
- Syncro (FREE TRIAL) This patch manager is part of a cloud platform of RMM tools and it is able to provide automated updates for software packages as well as for the Windows operating system. Access a 14-day free trial.
- SuperOps Patch Management (FREE TRIAL) Part of an RMM package, this service will patch endpoints running Windows. Delivered from the cloud. Start a 14-day free trial.
- ManageEngine Patch Manager Plus (FREE TRIAL) A patch manager for Windows, Linux, and Mac OS that supports more than 750 applications. Download a 30-day free trial.
- PRTG Network Monitor (FREE TRIAL) IT infrastructure monitor that also supervises software and operating system versions.
- ESET Protect MDR A fully managed cybersecurity package that includes threat detection and response, vulnerability scanning, and patch management. Endpoint agents for Windows, macOS, Linux, iOS, and Android.
- SecPod SanerNow Patch Management A cloud-based cyber-hygiene security-focused endpoint management platform that features interlinked vulnerability, patch, and asset management.
- Heimdal Security Patch & Asset Management This SaaS package is part of a platform of security systems and will patch Microsoft, Linux, and software packages.
- GoTo Resolve This cloud-hosted RMM platform includes patching for Windows and software packages plus device monitoring for networks and endpoints.
- SolarWinds Patch Manager A patch manager for Windows systems that is part of a wider suite of IT infrastructure management tools. This system integrates with SCCM and specializes in patching Microsoft products. Installs on Windows Server.
- N-able N-sight Remote monitoring and management software that is a great network monitoring tool for IT professionals and it includes patch management. This is cloud-based so it can be accessed from any operating system through a browser.
By automating the patch management process, these tools can help improve security, reduce downtime, and ensure the overall stability and reliability of the network.
In this article, we’re going to look at the best patch management software and tools on the market.
Keeping devices up-to-date is a fundamental cybersecurity practice. If devices are using software or firmware that is out-of-date, they can be vulnerable to cyber-attacks and poor performance. Patch management software is just as important as performance monitoring for keeping devices safe.
Why Do I Need to Use Patch Management Software?
Patch management tools are critical because they allow you to update multiple devices from one geographic location. Rather than updating lots of network devices individually, you can update them collectively through one platform. From one user interface, you can push software and firmware updates to devices connected to your network.
Patch management software is useful because it saves the user time and makes managing patches much easier. Being in the position to keep devices updated reduces the likelihood of a device being unpatched and compromised.
The Best Patch Management Software & Tools
Our methodology for selecting patch management tools
We reviewed the market for patch management software and analyzed the options based on the following criteria:
- An autodetection process that is able to contact each device connected to the network
- A system scanner that will compile a software inventory giving all current versions of software, including operating systems
- An automated patch finder that will monitor the sites of software providers for update availability
- Integration with WSUS and SCCM
- Automated patch rollout for unattended actions with termination status reports
- A free trial for a cost-free assessment period or a money-back guarantee
- Value for money with functions that are worth paying for
1. NinjaOne Patch Management (FREE TRIAL)
Tested on: Cloud environment
NinjaOne Patch Manager specializes in updating endpoints that run Windows, Linux, and MacOS. As an RMM, NinjaOne is specifically built to manage devices remotely, so it is an excellent software package for managed service providers (MSPs). The patch manager is able to manage updates for more than 135 different software packages.
Key Features:
- Updates Windows, Linux, and macOS Endpoints: Patches operating systems and software packages
- Patch Availability Report: Checks for new patches every day
- Scheduled Rollouts: Set up a maintenance calendar that tells the scheduler when it can run
- Queues Patches: Waits for the next available maintenance window
- Compliance Reporting: Good for GDPR
Why do we recommend it?
NinjaOne Patch Management is part of a cloud-based RMM platform that provides full system monitoring and management tools. The patch manager will update operating systems and third-party software. It is able to wake up and reboot devices as part of the installation cycle and writes activity logs for each patch run.
The automation features of NinjaOne’s patch manager can be set at any level: organization, site, department, group, or device. This enables MSPs to cover more customers with less staff and they won’t be held up by tricky client sites with varied roles and software inventories. Operators can schedule patch rollout and restart commands separately and also launch patch installation in bulk or case-by-case manually.
The console includes a visual layout to report patching activities that enables instant recognition of failed rollouts. The reporting functions of NinjaOne support SLA compliance proof and billing functions.
NinjaOne is a cloud-based management platform so it can be accessed from anywhere, even remotely. MSPs can white-label the interface for the service, so clients can be given access to the console without weakening the MSP’s brand.
Who is it recommended for?
NinjaOne is a major rival to Atera and the two platforms should be trialed side-by-side. The company doesn’t publish its price list, so it isn’t possible to assess whether it is appropriate for small businesses. However, the tool is recommended for use by in-house and MSP support technicians.
Pros:
- Can Patch Endpoints in Use: Not obtrusive unless the update needs a reboot
- Other Automated Maintenance Tasks can be Easily Scheduled: Use the same scheduler as the patch manager
- Hosted on the Cloud: Platform agnostic web-based management
- Patch Rollout Completion Status: Leaves failed patches in the queue with an error status
Cons:
- Lacks Support for Mobile Devices: Also won’t update IoT firmware
From an industry perspective, NinjaOne’s excellence in RMM and Patch Management is ratified by its 11-time recognition on G2. Prices are levied per monitored device on a pay-as-you-go basis, so you won’t be tied down by contracts or early termination fees. You can register for a free quote. NinjaOne has offices in the USA, the UK, France, Spain, and Germany and the service is fully GDPR compliant. You can get the NinjaOne experience with this full interactive demo, and you can register for a 14-day free trial.
EDITOR'S CHOICE
NinjaOne is our top pick for a patch management system because the full NinjaOne platform is a remote monitoring and management system for all IT assets. The patch manager is an integrated feature in this cloud-based system and it is closely linked to endpoint monitoring and software license management features. The patch manager is able to automatically identify out of date operating systems and software packages. Users define maintenance windows in the console and the tool will queue up patches to be applied at the next available window.
Download: Start 14-day FREE Trial
Official Site: https://www.ninjaone.com/freetrialform/
OS: Cloud-based
2. Atera Patch Management (FREE TRIAL)
Tested on: Cloud-based SaaS
Atera is a patch management solution and RMM software platform. This tool is designed to meet the needs of businesses of any size and provides a dashboard-based monitoring experience. It is SaaS-based, so you can update patches on your network devices no matter where you are located. Patches can be identified and automatically applied to keep your network updated with minimal effort.
Key Features:
- Cloud-Based Service: Access the console from anywhere through any browser
- Software Inventory: Records the patch status of each installed system
- Patch Gathering: Checks for patch availability
- Patch Scheduler: Can also run standard maintenance tasks and scripts
Why do we recommend it?
Atera Patch Management provides a scheduling tool that can also be used to launch maintenance tasks, such as temporary file clearing, scripts for automation, and software deployment packages. The tool can run patches unattended and will wake up endpoints and restart them when necessary.
Atera can be used to view the real-time status of system resources, active users, Windows updates, SQL servers, Exchange, Active Directory, VMware, and Hyper-V. You also have the option to automatically discover newly available patches and schedule updates monthly or weekly.
Alerts is another feature that helps you to stay on top of network security. On the main dashboard, you are shown a breakdown of Recent Alerts which are ranked and color-coded with additional details. This helps to keep you in the loop about what is happening on your network and if any devices have been left vulnerable.
The Atera platform is integrated into a full suite of remote monitoring and management tools. This package is ideal for managed service providers but it can also be used by in-house Operations departments to run multiple sites. The patch manager includes a method to launch your custom scripts as well as standard system update files. This allows you to create your own workflows and run them on a schedule so that out-of-hours processing of maintenance tasks won’t interfere with the system’s availability for users. The patch manager can optionally reboot devices once a patch has been applied. All of these functions are fully documented so you can show your clients the work that has been performed on their systems and contribute to their compliance reporting.
Who is it recommended for?
Atera is available in versions for IT departments and MSPs. Its subscription rate is levied per technician, which means that businesses of any size can afford to use the full Atera package including its Patch Manager. Seats can be added and removed easily, removing the cost overhead of lost contracts.
Pros:
- Patch Completion Reports: Identifies the patch run completion status
- Priced Per Technician: Flexible pricing model makes it appealing for small businesses
- Different Plans for IT Departments and Managed Service Providers: All plans include the patch manager
- A Help Desk Ticketing System: Automated routing for team and task management
Cons:
- No On-Premises Version: Only available as a SaaS platform
Atera offers a clear-cut patch management experience that would function well within any enterprise environment type. However, the price tag makes Atera ideal for smaller organizations that want to reduce costs. It costs from $129 (£109) per technician per month for unlimited devices. There is also a free trial.
3. Syncro (FREE TRIAL)
Syncro is a cloud platform that offers professional services automation (PSA) features and a remote monitoring and management (RMM) module that includes an automated patch manager. The Patch management service will keep Windows up to date and also patch the software packages that are installed on computers running the Windows operating system.
Key Features:
- Software Inventory: Records the patch status of each package
- Patching for Windows: Also software packages
- Patch Availability Report: Checks daily for new patches
Why do we recommend it?
Syncro provides fully automated monitoring and device management services and the patch management package is part of that. The patch manager is based on a software inventory and will apply patches out of hours without the need for technician involvement. This is a time-saver and simultaneously produces logs for SLA management and data protection compliance reporting.
Although Syncro operates in the cloud, it installs an agent on each monitored endpoint. It assembles a software inventory per device and then consolidates that to provide a client-wide view of software assets. This documentation is a useful service for system monitoring and license management as well as for the patch manager.
The patch manager works with a calendar of maintenance windows that you set up in the management console. This cycle can be different for each client sub-account. The tool is able to organize updates according to known patch dependencies and it can also reboot a computer when required by the update.
Patches need to be applied when the software and computer being updated are not in use, which means overnight. You don’t need to pay technicians overtime to watch over the process because the patching service is an automated process that will kick off whenever the defined maintenance window arrives.
Who is it recommended for?
The Syncro package provides all of the software that an MSP needs and it is priced per technician. This means that the smallest MSP gets all of the services that are delivered to very large organizations. There are no setup fees so any new MSP can start operations with almost no upfront investment.
Pros:
- Patch Scheduler: Give it a maintenance calendar
- Patch Dependency Awareness: Wake up, reboot, and shutdown where necessary
- Activity Logging: Including completion statuses
Cons:
- Windows Only: Doesn’t patch devices running Linux, Unix, or macOS
The Syncro platform is priced per technician and there is only one plan, which gives access to all of the features of the package. There is no price supplement for usage, so you can manage as many endpoints and sites as you like with one account for a flat fee. You can assess Syncro with a 14-day free trial.
4. SuperOps Patch Management (FREE TRIAL)
Tested on: Cloud
SuperOps Patch Management is part of an RMM package that is aimed at managed service providers (MSPs). The RMM is a subscription service, offered with plans that also include a professional services automation (PSA) package. So, this deal provides an MSP with all of its software needs. The Patch Management module provides automated processes to keep the software on Windows computers up to date.
Key Features:
- Part of an RMM Package: PSA is also available
- Software Inventory: Records patch statuses
- Patch Availability Report: Automatically identifies new updates
Why do we recommend it?
SuperOps Patch Management is another tool for use by MSPs that is delivered from the cloud as part of an RMM package. The system is able to patch Windows and macOS and the software that runs on them. This patch manager offers a scheduler for automated patch rollout.
The Patch Management system is partnered with an Asset Management module. The Asset Manager discovers all devices connected to the client’s network and checks through its software. This process creates an enterprise-wide software inventory that provides the Patch Manager with a list of packages to maintain.
The service watches over the software running on laptops and desktops and it will keep an eye on the availability of updates to the operating systems of those devices.
The Dashboard for the Patch Management tool is hosted in the cloud and can be accessed from anywhere through any standard Web browser. The console includes a settings section where the technician specifies a calendar of maintenance windows. It is then possible to specify automatic patch rollout. In that scenario, the Patch Management system will queue up available patches for the next available maintenance period.
The automation features in the Patch Management tool are great time savers and they free up valuable technician time for other tasks. Patches can be applied overnight without human intervention. On arriving to work the morning after a patch run, the technician team can check on the completion status of each patch. All of the actions of the Patch Management service are fully logged.
Who is it recommended for?
SuperOps is an AI-based system with a high degree of automation and that enables MSPs to squeeze maximum value out of their highly-paid technicians. The system enables each technician to support 150 endpoints and the system is priced per seat. There are plans that combine RMM and PSA functions.
Pros:
- A SaaS Package: Includes storage space for patch installers
- A Patching Scheduler: Give it a calendar of allowed days and times for patching
- Patching Reports: Includes completion statuses
Cons:
- Only Patches Computers Running Windows: No service for Unix, Linux, or macOS
The SuperOps system is a SaaS platform that you pay for with a subscription. SuperOps offers four plans with better monthly prices when billed annually. These are Standard (PSA Only) – $79, Standard (RMM Only) – $99, Pro Unified Basic – $129, and Pro Unified Advanced – $159. These are subscription packages that are priced per technician per month for up to 150 endpoints. Both Pro plans include the Patch Management service and you can try either one on a 14-day free trial.
5. ManageEngine Patch Manager Plus (FREE TRIAL)
Tested on: Windows, MacOS & Linux
ManageEngine Patch Manager Plus is a centralized patch management tool that can be used to patch Windows, MacOS, and Linux computers. The platform offers support for over 750 applications. ManageEngine Patch Manager Plus can be deployed on-premises or in the cloud and is just as comfortable with managing virtual machines and servers as it is desktop devices. Patch management is automated with connected devices being scanned and assessed automatically.
Key Features:
- Patch Windows, Linux, and macOS devices: Plus more than 850 software packages
- A Cloud-Hosted Patch Repository: Your patch manager will check the library daily for new patches
- All Patches in the Library are Validated: Tested and checked for errors or malware
Why do we recommend it?
ManageEngine Patch Manager Plus is able to keep Windows, macOS, and Linux up to date and also patch the software that runs on your endpoints. The tool keeps track of 850 software packages and records their latest versions. This task is coordinated by a central ManageEngine server.
The bulk of the patch management experience is delivered through the dashboard. The dashboard offers a patch view, all computer view, and a detailed view. Each view displays different information. For example, the patch view option shows you patches that are available for your network whereas the all systems view shows you the status of current devices. Changing between these options helps you to prioritize what information you wish to see.
One exceptional feature available on ManageEngine Patch Manager Plus is the ability to test and approve patches. The ‘test and approve’ feature allows you to test patches on a small group of computers before you apply any changes to the entire network. Using this feature ensures that you don’t deploy any patches that put your network out of action!
Who is it recommended for?
This tool is good for small businesses because there is a free edition that will support 25 endpoints. Larger companies need to look at the paid versions of Patch Manager Plus. The top plan will scan software on multiple sites. This tool is available as a SaaS package or you can download the software onto Windows Server.
Pros:
- Deployment Options: Access a SaaS platform or download the software to run on Windows Server
- Automated Patching: The patches will run on a schedule
- Patch Dependencies are Taken Care of: Also wake up, reboot, and shutdown where necessary
Cons:
- Consider Other ManageEngine Options: This tool is included in Endpoint Central, RMM Central, and VulnerabilityManager Plus – might offer a better deal
There are three versions of ManageEngine Patch Manager Plus: the Free Edition, Professional Edition, and Enterprise Edition. The Free Edition package supports up to 25 computers. The professional version supports larger LAN environments and provides patch management reports and third-party patch management. The Professional Edition adds antivirus definition updates and the ability to test and approve patches. There is also a downloadable 30-day free trial.
6. Paessler PRTG Network Monitor (FREE TRIAL)
PRTG Network Monitor is widely known as a network monitoring platform but also offers centralized patch management capabilities. You can use this tool to check for Windows patches and other updates performed within your network. If a device is experiencing issues updating, you can see that through the dashboard view.
Key Features:
- Patch availability scans
- Status reports
- Software audits
Why do we recommend it?
Paessler PRTG Network Monitor doesn’t include system management tools. However, it is possible to check your Windows operating system to detect whether updates are needed or available. These update notifications are a feature in Windows but remote managers not using those devices don’t see them. The PRTG sensor gathers those notifications and displays them to administrators.
There are also notifications to provide real-time updates on patch status. For example, if a patch fails then you can be sent an alert with more details. To use the alerts system, all you need to do is configure a sensor for the type of system that you want to monitor. PRTG Network Monitor uses configurable sensors to measure particular segments of your network.
For example, there is a Windows Updates Status (PowerShell) Sensor. You can use this sensor to monitor the following information: time elapsed since last update, installed Windows updates, missing Windows updates, and hidden updates. All of this information is categorized by severity and shown to you with numerical and graphical meters.
You can configure thresholds for each sensor so that you receive a notification once certain criteria have been met. You can configure PRTG Network Monitor to notify you of the moment that an update has been missed. Alerts are sent via email, SMS, or push notifications.
Who is it recommended for?
PRTG provides network, server, and application monitoring tools in one bundle, so it is a useful package for IT operations departments that need centralized system reporting tools. Paessler offers a free version that includes an allowance of 100 sensors and that is ideal for small businesses.
Pros:
- Flexible reporting and alert options for patching notifications
- Fully customizable dashboard is great for NOC teams
- Drag and drop editor makes it easy to build custom views and reports
- Supports a wide range of alert mediums such as SMS, email, and third-party integrations into platforms like Slack
- Great option for companies looking for patch management and network/application monitoring
- Supports a freeware version
Cons:
- Is a very comprehensive platform with many features and moving parts that require time to learn
There is a free version of PRTG Network Monitor which supports up to 100 sensors. If you need more than that, you can purchase one of the paid versions. The price of the paid versions depends on the number of sensors you require. The paid versions start with PRTG 500 which provides 500 sensors for $1600 (£1,214). You can download a 30-day free trial.
7. ESET Protect MDR
ESET Protect MDR is a managed security service that provides endpoint protection for devices running Windows, Linux, macOS, iOS, and Android. All endpoint units provide anti-virus and intrusion detection and can also implement automated responses. These units also upload activity logs to the ESET cloud platform for reporting and threat hunting. This server is able to implement automated responses by sending instructions to devices on the site. Higher plans cover cloud systems as well and include a vulnerability scanner with a patch manager.
Key Features:
- Blocks malware and human threats
- Dual-level threat hunting
- Vulnerability scanning and patch management
Why do we recommend it?
ESET Protect MDR is a security operations center that will manage your company’s cybersecurity for a fee. The service includes the ESET cybersecurity software that provides endpoint protection, email security, cloud service protection, vulnerability scanning, and patch management.
The Managed Detection and Response aspect of the ESET Protect MDR package is a team of cybersecurity technicians. The ESET security software includes a lot of automation to block threats but there will still be cases that require manual decision making. If you don’t have any experts on your payroll, you could make up for that skills gap by contracting in the ESET team.
The ESET Protect platform is a range of plans. The lowest package just provides anti-virus on endpoints. The next plan up creates a cloud-based XDR that operates on the data uploaded by those endpoint units. The top two plans include the vulnerability scanner and patch manager.
Each plan is priced for a minimum of five devices, except for the top plan, ESET Protect Elite, which protects a minimum of 26 devices. After choosing your ESET Protect plan, you then add on the security operation center option to create your own ESET Protect MDR package.
Who is it recommended for?
This package is very flexible but if you need a patch manager, you should opt for the top two plans. Adding the MDR option will provide you with round the clock security monitoring for your company. This is a good choice for businesses that struggle to find suitably qualified cybersecurity staff.
Pros:
- A team of cybersecurity experts to manage your company’s security
- Constant off-site monitoring
- A console with live activity statuses that clients can access
Cons:
- No free trial for MDR service
While there is a minimum number of devices for an account, there isn’t really a maximum. The central threat hunting service is easy to expand simply by installing the endpoint protection service on another device. There isn’t a free trial for the MDR service, so to find out more, contact ESET.
8. SecPod SanerNow Patch Management
SecPod SanerNow Patch Management is a cyber-hygiene endpoint protection and management platform that is delivered on the SaaS model from the cloud. The service will manage endpoints running Windows, macOS, and Linux and it includes a patch manager that automates deployment of the latest patches. While watching over operating system versions, this patch manager will also monitor third party software packages and keep them up-to-date. The patching system is fully automated while still allowing manual patch rollout launch for emergency situations.
Key Features:
- Automated Patching: Updates Windows, Linux, macOS, and software packages
- Bundled with a Vulnerability Scanner: Patching triggered by the scanner
- Data Privacy Standards Compliance: Suitable for HIPAA, PCI, ISO, NIST CSF
Why do we recommend it?
SecPod SanerNow Patch Management can update Windows, macOS, and Linux and 400 software packages. The full SanerNow SaaS platform is a vulnerability manager and the patch management tool resolves the software-related security weaknesses that the vulnerability scanner reveals. All the activities of the SanerNow system are logged for compliance reporting.
A big selling point of the SecPod SanerNow Patch Management system is that it combines many of the system management and security tools that any systems administrator will need to use. Not only does the package provide a comprehensive list of essential tools, but it links their operations together in an automated workflow.
The package includes a vulnerability manager that checks on system configurations as well as software and operating system versions. The data exchange between this service and the patch manager automates the search for available and necessary patches and updates.
The patch manager also interacts with the asset management service that is built into SanerNow. The two modules update each other on operating system and software versions, which makes reference information on all assets instantly available to the systems administrator.
Patch gathering and rollout are automated. When patches become available, they will be queued up in the patch manager for application at the next available maintenance window. The systems administrator has the option to suspend a patch. After the rollout has occurred, outcome statuses are available, enabling the administrator to check on failed patches and rerun them.
Who is it recommended for?
SecPod SanerNow is a cloud platform that plugs into on-premises systems or other cloud platforms. The tool can be set to run continuously, so one possible use of this system is application security testing in a CI/CD pipeline. Operations teams can use the vulnerability scanner and patch manager to keep on-premises and cloud software secure.
Pros:
- Cloud-Based SaaS Package: Includes cloud storage space and a virtual server to run the software service with no need to host or maintain the system management software
- Patch Activity Logging: Includes completion statuses
- Patch Scheduler: Will only run when your maintenance calendar allows
Cons:
- You Can’t Host it Yourself: Only available as a SaaS package
SecPod SanerNow Patch Management is a unified service that covers asset discovery, security services, and asset monitoring. The package is all accessed through a cloud-hosted console and is offered as a subscription service. The easiest way to fully understand the capabilities of SanerNow is to access it on a 30-day free trial.
9. Heimdal Security Patch & Asset Management
Heimdal Security Patch & Asset Management is a cloud-based system that is able to monitor the software inventories of endpoints on the networks of its clients. The package is offered on a platform that includes a range of cybersecurity tools.
Key Features:
- Patches Linux and Windows: Doesn’t patch macOS
- Maintains Software Inventory: Records patch statuses
- Patch Availability Scanning: Will run automatically
Why do we recommend it?
Heimdal Security Patch and Asset Manager is part of a wider platform of cybersecurity tools. You can combine several modules on the platform and manage them all through a single Web-based console. Many of the security systems, including the patch manager, are automated, which increases technician productivity.
You need to know what software packages and operating system versions you have before you can work out whether they need to be updated. This is why the Heimdal system is called Patch and Asset Manager. It scans each endpoint and identifies all of the software on it, drawing up a software inventory, which can also be used for license management.
The patching scheduler can be used to deploy software as well as update it. This enables you to create software profiles for each user type, creating packages that can be installed out of office hours without human intervention. The scheduler similarly implements software updates.
The patching system is able to take time zones into account. It is always preferable to install or update software when the device is not in use, which means during unsociable hours. However, multinationals can be operating offices around the globe where midnight in your data center can correspond to office hours in branch offices.
The patcher is able to identify patch dependencies and command reboots when needed by the installation processes. There might be reasons why this activity isn’t even suitable in the small hours of the morning, so it is possible to set up software management processes as a task that users themselves can choose to launch when it is convenient for them.
Who is it recommended for?
Although the Heimdal Patch and Asset Manager is very flexible, it isn’t suitable for every business. Small businesses won’t need all of the functions in the package just to manage a few endpoints. Very large businesses and particularly multinationals with centralized IT administration will benefit the most from the Heimdal patching system.
Pros:
- Central Patch Scheduler: Will keep endpoints updated for an entire organization
- Unattended Software Installation and Patch Rollout: Provide it with a maintenance calendar
- Patch Dependency Management: Also wake up, reboot, and shut down when needed
Cons:
- Not Available for Self-Hosting: This is a SaaS platform
Heimdal Security offers many system management and security monitoring tools from its cloud platform. Your buyer’s journey begins with a consultation, which will result in a recommendation of all of the security software that you need.
10. GoTo Resolve
GoTo Resolve is a remote monitoring and management (RMM) platform that monitors and manages networks, endpoints, and software. Its endpoint management services include a patch manager that focuses on keeping Windows and software packages up to date.
Key Features:
- Delivered from the Cloud: Technicians access the system dashboard through a web browser
- Operating System Patching: Patches Windows
- Software Updates: Remote access directly to the command prompt is also possible
Why do we recommend it?
GoTo Resolve is a cloud-based remote monitoring and management package that focuses on endpoint management. The service includes automated management systems, which include patch management for Windows and software packages. The plans include a Remote Support edition, which provides a remote desktop service. All of the paid plans of the RMM include that feature as well.
The remote access feature gives a view of the desktop of the remote device. The connections are protected by 256-bit AES encryption and session recording is possible. The remote session service includes a chat panel. The technician console also provides a diagnostic check to highlight some of the more common problems that endpoints can encounter.
Who is it recommended for?
GoTo Resolve has a Free edition, which would please small businesses. However, that version doesn’t include the remote desktop service – it does get the remote access function to get to an endpoint’s command prompt. All of the paid RMM plans allow access to many endpoints for each technician and there are features such as session transfer.
Pros:
- Examine and Test Patches: See details of each patch package and run it on one endpoint first
- Automated Rollout: Specify maintenance windows and the patch manager will kick off at the next available window
- Patch Completion Reports: See whether patches run unattended succeeded
Cons:
- No Patching for macOS or Linux: Will only patch Windows and Windows Server
GoTo Resolve has a Free edition but that doesn’t include the patching unit. There is also a Remote Support edition, which only offers the remote desktop facilities and not the patch manager. There are two paid RMM plans available that include the patch management system. Get a free trial to assess the GoTo Resolve RMM package.
11. SolarWinds Patch Manager
SolarWinds Patch Manager is a tool used for Microsoft WSUS patch management. This tool integrates with SCCM and offers users the ability to automate patches. In other words, you don’t need to add patches manually in order to stay up-to-date. If there are any problems with patches, then you can diagnose problems with Windows Update Agent.
Key Features:
- Integrates with SCCM: Uses WSUS
- Patches Windows: Also Microsoft products and important applications, such as browsers
- Compliance Reporting: Suitable for HIPAA
Why do we recommend it?
SolarWinds Patch Manager is an on-premises package that will patch endpoints across a network. It amends the SCCM system so that it will install and update non-Microsoft software. However, it can’t update operating systems other than Windows. The system provides completion logs and compliance reporting.
This comprehensive patch management experience offered by SolarWinds Patch Manager is very user-friendly. On the patch status dashboard, you can view the latest patches and the top 10 missing patches to see where your network security needs to be improved.
If you require more details you can also view the status of SCCM endpoints and additional third-party patches. Updates from the following applications are supported: Adobe, Apache, Apple, Citrix, Dell, Google, HP business, Malwarebytes, and VMware.
There are also patch compliance reports which can be used to detail the status of patches and overall regulatory requirements. All of this information can be sent onwards to other members of your team for further analysis.
Overall, SolarWinds Patch Manager is great for patch management as it manages vital Windows patches and Microsoft software updates. The system also updates software for key services from Adobe, Apple, VMware, and other major systems providers. The Patch Manager provides a unified interface for updates to all servers and endpoints on your system that run Windows versions. Control features allow patches to be paused for examination and the results of patch rollouts are displayed in the console, indicating failed updates that can be relaunched.
Who is it recommended for?
This package is intended for use by mid-sized and large organizations. It operates on devices running Windows and it installs on Windows Server, so businesses that are all Windows would be interested in this package. The package provides a solution for administrators to install third-party software through standard Windows processes.
Pros:
- Patch Availability Report: Will check for updates
- Patch Testing: Pause a patch or remove it from the queue
- Automated Execution: Runs through a scheduler
Cons:
- Not for Linux, macOS, or Unix: Only patches Windows and Windows Server
Overall, SolarWinds Patch Manager is well-suited to those looking for a WSUS and SCCM patch management solution with a simple dashboard and patch compliance reports. SolarWinds Patch Manager starts from a price of $3,750 (£2,845). There is also a 30-day free trial available.
12. N-able N-sight
N-able N-sight is a very useful network monitoring tool for IT departments that have responsibility for many sites. The remote monitoring and management software bundle includes automated patch management.
Key Features:
- Part of an RMM Package: Includes many other endpoint management functions
- Software Inventory: Notes patch statuses
- Patch Availability Detection: Queues up relevant patches
Why do we recommend it?
N-able N-sight is designed for use by MSPs. This package of tools for remote monitoring and management includes a patch manager that operates on devices running Windows. The system is able to update software packages as well, and not just Microsoft products. This is a SaaS package.
The Patch Manager in the RMM network monitoring software allows a network manager to set up different policies that trigger specific patch rollout strategies according to a list of criteria, such as device location, type, or model. The patch management software allows for manual launches or scheduled execution of patch distribution and compilation. It is also possible to launch a patch rollback on demand if a patch is later discovered to have caused problems.
Other features in the Patch Manager include disabling individual devices, heightened security for specific patch rollouts, and deep scans to detect all firmware instances that need to be managed.
The patch management utility is just one of the features included in the RMM package that support all of the functions of an IT department. Other features in the bundle include network discovery, constant SNMP network monitoring, regular endpoint management/detection, and response for security protection.
Who is it recommended for?
N-able estimates that its N-sight system enables each technician to support 100 endpoints. The package is priced per technician with a Take Control remote access license included in each subscription. This is an MSP platform that is aimed at mid-sized and large businesses. Businesses with clients running macOS or Linux need to look elsewhere.
Pros:
- Cloud-Based Deployment: Access the console from anywhere via a web browser
- Automatic Asset Discovery: Populates the software inventory
- Activity Logging: Includes completion statuses
Cons:
- Only Patches Windows: Not for Linux or macOS
The N-able N-sight system is a cloud-based service and so it isn’t tied down to one specific operating system. The dashboard can be accessed from anywhere through any browser or through a mobile app. The system is charged for by subscription and it is available for a 30-day free trial.
Choosing Patch Management Software
Though there are many different patch management tools, Atera Patch Management, NinjaOne, SuperOps, and SecPod SanerNow stand out as some of the best on this list. Each of these tools has the design and production value to sustain networks of all sizes. These tools are competitively priced, making them accessible to smaller organizations as well.
However, if the price tag of these tools is too high, a tool like PRTG Network Monitor is a formidable alternative. Being able to create your own patch management sensors helps to give you all the functionality of some higher-priced tools without the costs (though you can always transition to paid versions as well!).
Likewise, if you want general network monitoring features as well you can simply provision network monitoring sensors to keep tabs on your network. Combining patch management and network monitoring is useful for limiting the potential for vulnerabilities of all shapes and sizes.
Investing in a patch management tool will pay off over the long term as you keep your network’s devices updated and safe from critical software vulnerabilities. Applying patches manually and inconsistently can have disastrous consequences if a cyber attacker exploits an unpatched vulnerability. By using a patch management tool you can reduce the risk of a successful attack and stay online.
Patch Management FAQs
Which patch management software is best at documenting vulnerabilities?
- ManageEngine Patch Manager Plus maintains a vulnerability database
- GFI LANGuard includes a vulnerability scanner and patch manager
- Kaseya VSA checks the software inventory against a list of common vulnerabilities and exposures
- Syxsense Secure implements a vulnerability scan and patches automatically
How often should patch management be performed?
In any standard environment, once a month should be a sufficient frequency for patch rollouts to be performed. More critical systems should be patched more frequently – the US Department of Defense uses a 21-day timeframe.
What is the business case for patch management?
Patch management focuses on getting the operating system and services up to date. This is particularly important for businesses as many patches are created in order to close down newly discovered exploits created by hackers. The producers of software that runs on top of the operating system assume that you have the OS up to the latest version; if you don’t apply all patches those software providers might refuse to offer support when things go wrong with their products.
What is a patch management policy?
A patch management policy is a set of working procedures that can be implemented through patch management software. It applies to different categories of software, such as applications or operating systems, and can implement patch rollout by device type, make, model, or operating system. The patch management policy dictates when and how each arriving patch is applied.