This content is part of the Essential Guide: The complete guide to Windows 10 security tools

Essential Guide

Browse Sections

Patch management tool comparison: What are the best products?

With so many different vendors in the market, it isn't easy to pick the right patch management tool. Read this product comparison to see which is best for your company.

Considering the corporate compliance and governance requirements that most companies must observe to keep IT infrastructure patching up to date, a patch management tool can no longer be treated as an afterthought by IT management. Patch management has become both a practical and legal requirement for most companies, requiring budgets and skilled admin personnel that are commensurate with the high stakes involved.

From appliance-based to virtual machine-based to cloud-based patch management, there is a product available for every budget, requirements list and architectural scenario. What follows is a sampling of the most popular patch management tools available.

GFI LanGuard

GFI Software's LanGuard offers comprehensive patch management capabilities and vulnerability scanning to assist companies in maintaining compliance with corporate governance and governmental regulations related to software patching. GFI customers are currently using LanGuard to manage patches on more than 2,000,000 nodes worldwide.


LanGuard is a full-function patch management tool that uses agents to communicate and manage nodes. The LanGuard patch management process leverages Microsoft Windows Software Update Services and can be automated to check for and automatically deploy critical new patches as they are released.

In addition to patching OSes, LanGuard can also patch common Microsoft and third-party applications. LanGuard includes a vulnerability scanner that can automatically notify businesses if any of their users are running OSes or third-party software that is not patched to the latest, most secure release version.

LanGuard supports vulnerability scans on mobile devices, including iOS, Windows Phone and Android platforms, to ensure that bring-your-own-device policies are enforced for all mobile device users.

LanGuard also includes a software distribution capability in the patch management product licensing.

Supported platforms

LanGuard patch management runs on Windows, macOS and Linux platforms through an installable agent on each OS. The LanGuard vulnerabilities scanner also supports popular mobile devices.


LanGuard is positioned for the SMB market, and the company recognizes that pricing simplicity is important to this market segment. As a result, LanGuard switched to a subscription model a few years ago, making licensing their patch management software very quick and easy.

GFI sells LanGuard via their direct sales staff in regional offices, as well as through their nationwide network of distributors and resellers. Annual subscription pricing starts at $26 per node for up to 49 nodes, with the price per node dropping in graduated tiers down to $10 per node in quantities above 250 nodes. Larger discounts are available for customers requiring more than 3,000 managed nodes, and there is a significant discount when renewing annual or multiyear subscriptions on all pricing tiers.

HEAT PatchLink

Over the past 20 years, as HEAT Software USA Inc. merged with or acquired other companies and products, a broad-ranging product portfolio emerged, including hybrid IT service management, cloud service management and unified endpoint management. PatchLink has thrived in the HEAT Software range of unified IT management products.


PatchLink has patching capabilities with both security and non-security patches for operating systems, Microsoft and popular third-party apps from vendors such as Adobe, Apple, VMware, Sun and Oracle, and WinZip.

HEAT's patch management tool offers tight integration into Microsoft System Center Configuration Manager (SCCM) to ease the burden of managing patches on Windows computers and for applications deployed in those environments. PatchLink features automated identification and deployment of new Microsoft patches and automated patching of dozens of third-party applications and tools.

To assist companies in maintaining compliance with corporate patching guidelines and governmental regulations, a wide variety of reports and dashboards are available for use right out of the box with PatchLink.

Supported platforms

HEAT runs on most flavors of Windows, Linux, Unix and macOS. Microsoft applications and OS patch coverage includes both security and non-security content for OSes back to Windows XP, as well as common Microsoft applications, such as Office. It also supports Citrix's virtualization platform.

HEAT offers a separate software product for mobile devices, called enterprise mobility management.


HEAT licenses PatchLink in several different ways. There are two perpetual licenses: $25 per desktop node and $7 per SCCM node. There's also an annual license option for $15 per desktop node.

Kaseya VSA Patch Management

Kaseya's VSA patch management tool is primarily intended for the SMB and managed service provider markets, with affordable patch management software that can scale from dozens to thousands of nodes, as needed.

Recognizing that the administrative burden can increase exponentially as the number of managed computers rises, VSA automates as much of the patching process as possible, while keeping the manual activities as intuitive as possible.

As with many of the other products in this series, VSA is part of a larger portfolio of IT systems management and monitoring tools that includes remote control, antivirus, network performance monitoring, and audit and inventory capabilities.


VSA offers automated patch deployments that users can schedule in advance or manually kick off, as needed. Admins can configure central download sites that distribute the load of patching to machines that reside closest to the computers being patched.

Utilizing policy-based administration tools enables patching admins to configure patch activities that adhere to a particular policy, relieving much of the day-to-day administrative overhead found in some IT management products. Automated emailing of alerts and regular reporting enables users to track anomalies and keep team members and managers up to date on current patch levels and vulnerabilities.

Supported platforms

VSA supports Microsoft Windows NT, 2000, XP, 2003, Vista, 2008, Windows 7, Windows 8 and Windows Server 2012. VSA also supports macOS and many popular versions of Intel-based Linux, including SUSE, Red Hat Enterprise Linux, Ubuntu, openSUSE 12 and CentOS (versions 5 and 6). Other versions of Linux are supported on a best-effort basis.


Base licensing for VSA includes far more capabilities than just patch management, so be aware that the pricing may or may not compare favorably to patch-only products from other vendors.

VSA pricing starts at $6.50 per node, per month for quantities up to 100 nodes, and that price goes down as the quantity of nodes increases. There is a free trial available on the Kaseya website.

ManageEngine Patch Manager Plus

ManageEngine is a longtime player in the infrastructure and application management market. A popular part of ManageEngine's Desktop Central integrated management software suite is Patch Manager Plus, which provides automated distribution of OS and application patches in highly complex environments.


Patch Manager Plus features an autodiscovery tool that mines Windows computer data from Active Directory. Once a computer is discovered, patch admins can then install and leverage Desktop Central agents on the devices that require patching and run vulnerability assessments that report back on any OSes or applications that do not have up-to-date patching.

ManageEngine products follow common lifecycle frameworks and offer IT Infrastructure Library processes and procedures that help maintain regulatory and corporate governance compliance.

Supported platforms

The Patch Manager Plus agent is the basis for all patching activities, and it currently runs only on Windows Vista and later desktop OSes, Windows Server 2003 and later, Linux, and macOS. The Linux agent supports all active versions of Ubuntu and Debian. All Desktop Central agents support both physical and virtual server installations.


Patch Manager Plus is offered in three distinct editions, which can include more capabilities than just patching: software distribution, a self-service portal, antivirus definition updates, remote control and many other useful features are available. All editions include common management tools for mobile devices. Here are the licensing costs for each edition:

  • Free edition -- Supports patching on up to 25 computers, and also supports managing up to 25 mobile devices (though patching of mobile devices is not supported and reporting is limited).
  • Professional edition -- $245 for managing up to 50 computers on a local area network. Includes many features above and beyond patching.
  • Enterprise edition -- $345 for all Patch Manager Plus features and capabilities on up to 50 computers on a wide area network.

Microsoft SCCM Patch Management

Microsoft System Center Configuration Manager patch management capabilities have been a de facto standard for enterprise IT shops for many years. SCCM may work for SMBs if the company already has SCCM licensing included in an enterprise licensing agreement with Microsoft, making the software acquisition costs relatively negligible. But even if licensing costs are minimal, a business should carefully evaluate the deployment, management and maintenance costs of SCCM for patching, as there can still be substantial costs involved with deploying free software.


Due to its Microsoft pedigree, SCCM is a patch management tool optimized to patch OSes. SCCM can also accomplish application patching, though that support is not as deep or as automated as OS patching.

For most Microsoft applications and some third-party applications, SCCM does provide patch management that can be tailored to meet requirements for those applications, but that requires more manual effort to package and distribute those patches.

Supported platforms

SCCM was originally focused on supporting Windows computers, but over the years, Microsoft has also added support for most flavors of Linux, Unix and macOS.


There are Datacenter and Standard management licenses available, with the difference being that the Standard server license supports up to two operating systems environments (OSEs), while the Datacenter edition supports unlimited OSEs on that server.

Datacenter edition pricing starts at $3,607 per server, managed for up to two processors, while the Standard edition licenses start at $1,323 per server, managed for up to two processors. End-user management licenses start at $62 per endpoint. Note that these prices are suggested by the manufacturer, and actual license costs may vary.

Quest KACE Patch Management

The KACE systems management appliance is offered by Quest Software Inc., a company spun out by Dell Software Group in 2016. The primary differentiator of KACE versus the other patch management tools in this roundup is that KACE typically runs on a dedicated appliance. KACE can also run as a virtual machine or as a hosted service.

KACE appliances are now in use at companies of all sizes, though its price likely means that KACE appeals most to midrange and enterprise IT shops. KACE is worth consideration regardless of business size if organizations are looking for a comprehensive systems management system that includes, in addition to patch management, hardware and software inventory, IT asset management, server management and monitoring, service-level agreement-based help desk, software licensing management and software distribution.


KACE can automate patch management processes, while enforcing information security policies designed to ensure that patch levels on all network-attached computers satisfy any corporate governance and compliance guidelines. Powerful scripting and automation enables KACE to recognize system vulnerabilities and security policy violations for software patches and to rectify any patch deficiencies automatically.

KACE also supports automated patching for many third-party vendors, including Symantec, Oracle and Adobe. It supports scheduling of critical and noncritical OS and application patches and the ability to roll back patches, if needed. KACE includes customizable reporting and alerting.

Supported platforms

Although KACE includes systems management agents for Windows, Linux and macOS platforms, the KACE patch management features run only on Windows Vista, 7, 8.x, 10 and macOS.


KACE sells its patch management tool in three different use scenarios: the hardware appliance, the software-based appliance running on Hyper-V and VMware, and the cloud-based KACE virtual appliance. The hardware-based appliance starts with some resellers at $7,634. The cloud-based or hosted version of the KACE appliance costs $6.50 per managed device, per month. KACE Express is a free version of the software-based KACE appliance, available for download from the KACE website.

SolarWinds Patch Manager

SolarWinds Worldwide LLC started providing system and network monitoring tools way back in 1998, and was very popular for its low-cost, easy-to-use management tools for many years. SolarWinds has built on a modest beginning through organic growth and strategic product acquisitions to build their current portfolio into a comprehensive suite of infrastructure and application management tools, IT security offerings and help desk tools.


Patch Manager is positioned as an extension of Microsoft SCCM, filling in gaps in SCCM's patching capabilities. In particular, it addresses patching third-party (non-Microsoft) applications, scheduling and reporting.

For instance, SCCM patching offers little in the way of standardized reporting, and detailed reports must be built through SQL queries and scripts. Patch Manager offers standardized reports and custom reports that are far more granular and that require no SQL knowledge.

Patch Manger can also report on patching compliance and vulnerability on all managed computers.

Supported platforms and prerequisites

Patch Manager supports desktop computers running Windows Vista and newer versions. On the server side, the Patch Manager agent runs on Windows Server 2003 and newer versions.

As an extension to SCCM, Patch Manager requires a full SCCM and Windows Server Update Services installation in order to function. Businesses also need access to a SQL Server database instance to run Patch Manager.

The Patch Manager management console runs on Windows Vista, Windows 7, Windows 8.x or Windows Server 2003 and newer. There are specific subversion and service pack requirements listed on the Patch Manager website. Companies should check those prerequisites closely before buying.


Patch Manager licensing starts at $3,617 for 250 managed computers. For smaller quantities, a SolarWinds subsidiary, Dameware, offers Patch Manager licensing starting at 50 managed computers, even though the software is identical. There is a fully functional, free trial version available.

Symantec Patch Management Solution

Symantec Corp.'s Patch Management Solution, formerly known as Altiris, is a veteran patch management tool that started out as a product targeted at a single IT function or process, and has blossomed over the years to include software and hardware asset tracking, configuration management and, most importantly, patch management.


Symantec Patch Management Solution is an agent-based product that is sold as part of Symantec's Client Management Suite endpoint management software. Symantec Patch Management supports policy-based management of the patching process; support for zero-day patching; and automated patch rollouts for test beds, pilots and production patching.

Zero-day patching enables companies to configure Symantec to automatically monitor, download and deploy patches based on criteria they define. If Microsoft releases a zero-day patch in the middle of the night, Symantec can have those patches available to end users before they show up for work the next morning. Symantec's Client Management Suite includes process management, self-service end-user support, deployment and migration, software distribution, inventory, and reporting capabilities.

Supported platforms and prerequisites

In addition to the appropriate endpoint agent for each supported platform, Symantec Patch Management requires three separate server components that support operation of the software: a management server, a site server and a workflow server.

Symantec supports endpoints running Windows XP and newer, macOS and macOS Server, and most versions of Red Hat Enterprise Linux and SUSE Linux. Symantec also includes support for more than 50 non-Microsoft applications, including Java, macOS, Adobe, Chrome, Firefox and many others.


Endpoint licenses start at approximately $50 per endpoint. The price goes down the more endpoint licenses you purchase. There is a free trial available on the Symantec website.

Next Steps

Learn more about how patch management tools help businesses

Businesses have trouble implementing important emergency patches

Addressing mobile security issues without hot patching 

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing