12 best patch management software and tools for 2023
These 12 tools approach patching from different perspectives. Understanding their various approaches can help you find the right product for your needs.
IT teams must ensure that the software running on their managed infrastructure receives security patches and updates in a timely manner, both to keep applications stable and to close the window in which known vulnerabilities can be exploited. For this, they need patching tools that automate the patch management process end to end, from detection through deployment and verification, without adding undue complexity to their endpoint and network management responsibilities.
There are many products, and choosing one is no small task. Here are 12 patch management products chosen in part because of their popularity, but also because they represent a diverse set of options that approach endpoint management in different ways. Comparing the different approaches can help to identify the types of features to look for in patch management software. The descriptions are based on vendor documentation.
Atera
Atera is a cloud-based remote monitoring and management platform that comes in separate versions for IT departments and managed service providers (MSPs). The platform provides services such as IT automation, custom scripting, network discovery, ticketing, reporting, real-time alerts and patch management. From a centralized interface, administrators can automatically identify and deploy patches on macOS and Windows servers and workstations. They can also reboot remote systems if necessary.
Atera can patch operating systems, applications and hardware drivers. It supports common third-party software such as Chrome, Zoom, Java, Dropbox, Microsoft Office and Adobe products. Administrators can create automation profiles for installing or updating patches at scale, while excluding specific patches when necessary. A single profile can also include other tasks along with patching, such as installing a software bundle, upgrading a Windows version or managing storage disks.
The Atera platform offers several comprehensive reports specific to patching. For example, administrators can generate a report keyed to Microsoft Knowledge Base (KB) article numbers and then install the missing patches with a single click directly from that report. Administrators can also view details about patch statuses and logged actions. Atera offers three subscription plans for the IT department version -- Professional, Expert and Master -- which are available as either monthly or annual subscriptions. All three plans support patch management.
Automox
Automox is a cloud-native systems management platform that automates patching, compliance and configuration of local, remote and cloud-hosted endpoints. The platform supports Windows, macOS and Linux systems and provides a single console for managing OS and third-party application patching and updates. In addition, Automox can automatically inventory all hardware and software, according to the vendor, offering full visibility into both authorized and unauthorized applications installed on managed devices.
Automox can identify missing patches in the three operating systems and in a wide range of applications. It provides native support for products such as Adobe Reader, Apple iTunes, Citrix Workspace App, Dropbox, Inkscape, Office 365, Notepad++, Slack and many more. Administrators can view pending patches and then approve or reject them. They can also access details about individual patches.
Automox makes it possible for administrators to create custom scripts that provide granular control over configuration and patch management processes. They can schedule patching for specific times or configure it to occur automatically every time a device connects to the internet. Automox also includes notification and reporting capabilities, which can be set up according to an organization's specific requirements. Automox is available in three subscription plans: Basic, for patch management; Standard, which adds endpoint management; and Complete, which augments the Standard package with multi-zone endpoint management, remediation and other advanced features.
GFI LanGuard
GFI LanGuard is endpoint protection software that enables administrators to assess vulnerabilities and patch software on local and remote desktops, servers and virtual machines. Administrators can also scan their networks for missing patches as well as other vulnerabilities. LanGuard supports Windows, macOS and Linux devices, as well as third-party applications from over 60 vendors, including Adobe, Apple, Google, Microsoft, Mozilla, Oracle, VMware and many others.
Administrators can set up LanGuard to scan their networks automatically, or they can perform scans on demand. They can also deploy patches from the central interface or deploy agents to individual machines that carry out the patching operations, thereby distributing the processing load. In addition, administrators can control which patches to install, automatically download missing patches and roll back patch updates if they encounter a problem.
LanGuard also provides a web-based reporting interface that lets administrators export reports to such formats as PDF, RTF or CSV. They can also schedule reports to be automatically sent by email. For large networks, administrators can deploy multiple LanGuard instances and generate aggregated reports based on data from those instances. GFI licenses LanGuard on an annual, per-node basis, with pricing dependent on the number of nodes and whether the product is purchased with other GFI products. The per-node price drops substantially at the 50- and 250-node thresholds.
ITarian
ITarian is a cloud-based IT management platform for MSPs. It offers four primary services: remote monitoring and management, IT service management, service desk and patch management. The patch management feature supports both the Windows and Linux operating systems as well as over 400 third-party applications. Administrators can scan devices for missing patches and automate each stage of the patch management process, including patch downloads.
ITarian makes it possible to identify which endpoints contain vulnerabilities, tag those endpoints, and create policies for automatically deploying patches at scheduled times to specific endpoint groups. Administrators can create custom tags that they can use to organize endpoints according to business requirements. In addition, they can also deploy patches based on severity, vendor or type, and they can schedule deployments by time, group, computer or other criteria. Administrators can also test patches before approving them for deployment.
ITarian provides in-depth reports on the hardware, software and patch update history of managed devices. The central interface offers a single-pane view of endpoint statistics and patch statuses and identifies which endpoints contain vulnerabilities so they can be quickly patched. ITarian tracks and manages patches on endpoint systems in real time and provides reports about applied or missing patches, as well as failed deployments. Organizations can use ITarian for up to 50 endpoints for free. After that, subscription fees are on a per-device basis.
Kaseya VSA
Kaseya VSA is remote monitoring and management software that includes features such as alerting, discovery, automation and patch management. Administrators can use the platform to deploy, update and patch Windows, macOS and Linux computers and third-party applications. VSA provides fully automated patch management, adopting a configurable, policy-driven approach that's location-independent and optimized for bandwidth. VSA uses agent-executed scripts to automate patching operations and other processes.
Administrators can also use scripts to automate software and patch deployment across all endpoints, whether on or off the network. Additionally, they can override patches and view patch histories. The policy-based approach helps to standardize software maintenance through the use of profiles, which enable administrators to manage patch approvals, scheduling and installation. In addition, administrators can prevent patches from being applied during certain time windows, and they can deny specific patches to a subset of machines.
As part of the patch update process, administrators can schedule regular network scans and analysis to identify software vulnerabilities. VSA supports over 100 third-party applications out of the box, such as Adobe Acrobat Reader DC, Citrix Receiver, FileZilla Client, Inkscape, LibreOffice, Opera Browser, TeamViewer, Wireshark and many others. Administrators can patch endpoints across multiple locations and domains, including home-based user devices. Potential customers should contact Kaseya directly for information about product licensing.
ManageEngine Patch Manager Plus
ManageEngine Patch Manager Plus is a comprehensive patch management platform available as either a cloud service or on premises. It provides automated patch deployment on Windows, macOS and Linux endpoints, with support for both server and desktop systems, including virtual machines and roaming devices. Patch Manager Plus supports over 850 third-party applications. Although most of these are Windows software, the platform can also handle a fair number of macOS and Linux applications.
Administrators can use the centralized web interface to scan endpoints to detect missing patches, as well as test patches before deploying them. ManageEngine also provides prebuilt, tested and ready-to-deploy packages to help simplify patching of third-party applications. In addition, administrators can customize deployment policies to meet their specific business requirements, and they can specify which installation and reboot options to perform on an endpoint when deploying a patch, software update or service pack.
Patch Manager Plus includes auditing and dynamic reporting capabilities to help analyze and fix vulnerabilities. The platform provides real-time patch management metrics that can be viewed through patch status dashboards and patch management reports. Patch Manager Plus is available in three editions: Free, Professional and Enterprise. The Free edition supports up to 20 workstations and five servers. The cost for the other two editions depends on the subscription plan and whether it is the on-premises or cloud edition. There are some feature differences between the two deployment options, but for the most part, they offer similar functionality.
Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager -- formerly System Center Configuration Manager -- was placed under the Microsoft Endpoint Manager brand, which also covered Intune, Desktop Analytics, Autopilot and other features in the Device Management Admin Console; Microsoft has since folded that branding into the Microsoft Intune product family. Configuration Manager is an on-premises system for managing desktops, laptops and servers that are on the local network or connected via the internet. Among its other capabilities, Configuration Manager includes the ability to perform software updates.
Configuration Manager contains a set of tools and resources for tracking and applying software updates to client computers. It integrates with Windows Server Update Services (WSUS) to manage updates, and it connects to Microsoft Update to retrieve update metadata. Administrators can schedule or manually start synchronizations with Microsoft Update. Clients scan for update compliance against the software update point before any updates are deployed, so reports reflect what each machine actually lacks rather than what was pushed. Configuration Manager provides a wizard for easily implementing deployment packages that contain the software updates.
The updating capabilities in Configuration Manager are geared primarily to Microsoft software. However, administrators can use the Third-Party Software Update Catalogs feature in the Configuration Manager console to subscribe to third-party catalogs, publish their updates to a software update point and then deploy the software to client computers. Configuration Manager licensing can be somewhat confusing, and organizations should carefully review Microsoft's licensing requirements or talk to a Microsoft representative before deciding how to proceed.
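The compliance scan described above is performed by the Windows Update Agent (WUA) on each client, pointed at the WSUS-based software update point. The following PowerShell script is an added example, not Microsoft's or any vendor's code, that runs that same kind of scan directly on one endpoint and summarizes the missing updates by MSRC severity. It uses only the WUA COM API that ships with Windows; the `ServerSelection` value, CSV path and the severity ranking table are the example's own choices.

```powershell
# Added example: audit a single Windows endpoint for missing updates with the
# Windows Update Agent COM API and rank them by MSRC severity.
# Run in an elevated PowerShell session on the endpoint. No modules required.

param(
    # 1 = ManagedServer: the WSUS / ConfigMgr software update point the client is configured for
    # 2 = WindowsUpdate: query Microsoft Update directly (for an unmanaged host)
    [ValidateSet(1, 2)] [int] $ServerSelection = 1,
    [string] $CsvOut = "$env:TEMP\missing-updates-$env:COMPUTERNAME.csv"   # assumed output path
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = $ServerSelection

# WUA search criteria: not installed, not hidden by an administrator, software (not driver) updates.
$criteria = "IsInstalled=0 and IsHidden=0 and Type='Software'"
$result   = $searcher.Search($criteria)

# Flatten each IUpdate into a reportable record.
$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB             = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Title          = $u.Title
        Severity       = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        Bulletins      = (@($u.SecurityBulletinIDs) -join ',')
        Downloaded     = $u.IsDownloaded
        RebootRequired = $u.RebootRequired   # per update, not the machine's pending-reboot state
    }
}

# Ranking table (example's own convention): Critical first, unrated last.
$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unrated = 4 }

$missing |
    Sort-Object @{ Expression = { $rank[$_.Severity] } }, Title |
    Format-Table KB, Severity, RebootRequired, Title -AutoSize

# Counts per severity are what a patch dashboard shows at a glance.
$missing | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize

$missing | Export-Csv -NoTypeInformation -Path $CsvOut
Write-Host "Missing updates: $(@($missing).Count); report written to $CsvOut"
```

With `ServerSelection` set to 1 the result is only as complete as the catalog the software update point has synchronized, which is why the synchronization step in the paragraph above has to precede the compliance scan; a host that reports zero missing updates against a stale WSUS catalog is not necessarily patched. Running the same script with `ServerSelection` set to 2 on a sample machine is a quick way to spot that gap.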
NinjaOne Patch Management
NinjaOne Patch Management is part of the NinjaOne IT operations platform, which includes a suite of cloud-based services that support remote management and monitoring. With NinjaOne Patch Management, administrators can patch Windows, macOS and Linux operating systems, as well as over 135 third-party Windows applications. Managed endpoints can be on or off the corporate network as long as they have an internet connection.
NinjaOne Patch Management automates patch identification, approval, deployment and reporting. Administrators have complete control over how each endpoint is patched. They can approve and schedule patch deployments to meet their specific needs. They can also define patch policies that help to optimize and automate endpoint patching at scale. Additionally, administrators can perform ad hoc deployments when needed. The platform offers a single pane of glass for identifying and remediating software vulnerabilities.
With NinjaOne Patch Management, administrators get real-time visibility into patch statuses so they can quickly determine which devices are vulnerable. In addition, they can generate and share reports that provide detailed information about endpoint compliance. NinjaOne subscription fees are on a monthly, per-device basis, with subscribers charged only for what they need. Prospective customers should contact the company directly for a customized quote.
SecPod SanerNow Patch Management
SecPod SanerNow Patch Management is one of the components included in the SanerNow endpoint security platform, a suite of cloud-based tools that provide vulnerability and compliance management, asset exposure, endpoint controls, patch management and other services. SanerNow Patch Management makes it possible to automatically patch Windows, macOS and Linux servers and workstations, as well as update over 350 third-party applications, all from a centralized, cloud-based console with role-based access control.
With SanerNow Patch Management, administrators can automate end-to-end patch-related tasks such as scanning endpoints, prioritizing patches, downloading patches and scheduling deployments. According to the vendor, the Patch Management service makes new patches from supported vendors available within 24 hours of their release, helping to shorten the exposure window. The patches are pretested and ready for deployment. Administrators can also test new patches or roll back deployments if there are problems with a patch.
SanerNow Patch Management can perform continuous scans to verify patch compliance in real time. Administrators can customize the scans to meet the needs of their specific environments. The centralized console provides a unified view of the managed endpoints, making it easier to identify systems that are out of compliance. The console also offers auto-generated reports and an integrated audit log. For information about subscription rates and plans, interested parties should contact SecPod directly.
SolarWinds Patch Manager
SolarWinds Patch Manager is patch management software that targets Microsoft products and third-party applications. It works with and extends Microsoft WSUS and Microsoft Endpoint Manager to patch both physical and virtual servers and workstations, including offline machines. Administrators can automate patching operations using prebuilt, pretested update packages, which helps to simplify patch management processes, from researching updates to deploying them in endpoint environments.
Patch Manager gives administrators extensive control over the patching process. They can specify which servers and workstations should be patched, targeting endpoint systems based on such criteria as operating systems or IP ranges. They can also control which patches to deploy and when to deploy them, as well as create different patching schedules for different endpoint groups. In addition, administrators can create packages that define specific actions to take before or after patch deployment. Patch Manager also provides prebuilt and pretested packages for third-party applications.
Patch Manager offers a centralized web interface for all patch management tasks. The interface includes a patch status dashboard and built-in reports. For example, administrators can view details about patch compliance, latest available patches, the top missing patches or a general health overview. They can also build custom reports to meet specific business needs. SolarWinds offers both subscription and perpetual licensing options for Patch Manager. Both types are based on the number of managed endpoints.
SysAid Patch Management
SysAid Patch Management is an asset management feature integrated into SysAid's line of IT service management software products, which includes Help Desk, ITSM and ITSM AI. The patch management feature uses original equipment manufacturer (OEM) technology to provide patch management services for Windows server and desktop computers, as well as third-party applications such as Mozilla Firefox, Google Chrome, Java, RealPlayer, Skype, Mozilla Thunderbird and 7-Zip.
The SysAid Patch Management software is a fully automated patch manager that's configurable and highly scalable. It uses a formal change management process to approve patch deployment and audit the patching process, which helps to ensure that patching operations are documented and that security patches and updates are properly applied. Administrators can also customize the Patch Management policies, and they can manually manage patches for individual assets or groups of assets.
IT teams can use Patch Management in both on-premises and cloud environments. A SysAid agent collects the scan results from the OEM patch agent and transfers them to the SysAid server through the SysAid RDS (Remote Discovery Service) component. Patch Management is an optional component in Help Desk, ITSM and ITSM AI that requires its own annual subscription license. It can only be used for assets with active licenses.
Syxsense
Syxsense is an endpoint management and security platform that combines IT administration, security vulnerability scanning and patch management into a single cloud-based system. Syxsense can patch Windows, macOS and Linux systems, whether on premises, connected remotely or in the cloud. It supports both physical and virtual environments. Syxsense can also patch third-party software such as Java, Google Chrome or Adobe products -- all from a single console.
With the Syxsense patch management software, administrators can scan and prioritize patching based on exposed security risks. They have full access to information about device health, enabling them to quickly address potential gaps. Administrators can also access information about which patches have been released and their severity, and then determine which devices are vulnerable and need to be updated. Syxsense patch deployments are fully automated; however, administrators can choose which patches to deploy, when to deploy them and which devices to patch.
Syxsense records all patching activity for reviewing and auditing purposes. The platform also provides extensive reporting capabilities that range from high-level overviews to detailed reports that can be filtered and customized. For example, administrators can generate reports about the security health of their third-party applications or virtualized server farms. Potential customers should contact Syxsense directly for details about its subscription plans and how the products are licensed.