5 WSUS alternatives for patch management

Compare the features and functionality of five prominent patch management tools for Microsoft and third-party applications to find the right option for your organization.

IT pros commonly use Microsoft System Center Configuration Manager or Windows Server Update Services to manage patches on Windows Server and desktop systems. Both options are well known, widely deployed and integrated into the larger Windows ecosystem, making either one a natural fit for organizations running computers on Microsoft's operating systems.

The patch management features in System Center Configuration Manager (SCCM), which is now bundled with Intune in a product called Microsoft Endpoint Manager, can help administrators manage the complex tasks of tracking and applying updates. SCCM features a set of integrated tools for updating software manually or automatically, as well as controlling when and how patches are deployed. SCCM offers other management functionality, giving IT a single tool to carry out many of the tasks associated with administering Windows computers.

SCCM uses Windows Server Update Services (WSUS) to synchronize updates and to conduct update applicability scans. However, organizations don't need SCCM to use WSUS, which is a free server role in Windows Server used to manage and distribute updates. Like SCCM, WSUS provides an integrated tool to patch Windows machines, but without the expense or overhead of SCCM.

Why consider SCCM or WSUS alternatives?

Although many organizations use SCCM and WSUS for Windows patching, both products have limitations. For example, some IT professionals consider SCCM to be expensive and overly complex. The product also offers limited support for non-Windows platforms and non-Microsoft applications. In addition, SCCM must be installed on Windows Server.

Like SCCM, WSUS must be installed on Windows Server, which can bring additional licensing fees. The product also has a reputation for being inefficient, cumbersome and buggy at times. In addition, WSUS provides only rudimentary automation and little in the way of reporting capabilities.

Third-party patching tools seek to address these limitations, either by extending WSUS or SCCM or by providing a separate tool for patch management. Third-party tools can help streamline and simplify patching operations, while providing greater control over the patching process. But not all patching tools are the same. Here we look at five prominent WSUS alternatives that each take a different approach to updating the Windows OS and the applications that run on them.

Comparing third-party patch management software tools
Comparing third-party patch management software tools

Ivanti Security Controls

Ivanti Security Controls, formerly Patch for Windows, is a versatile patch management product for Windows computers, virtual machines and VM templates. It also supports VMware ESXi hosts, Windows applications and Linux distributions, including Red Hat Enterprise Linux and CentOS. Security Controls has a centralized interface that makes it easy to scan physical and virtual systems, assess and deploy patches, and schedule remote operations, while providing granular privilege management to balance access and security.

Admins can configure Security Controls to automatically run recurring scheduled scans and deploy missing patches that are detected during those scans. Security Controls can detect and categorize software and hardware, track asset inventory over time and control a computer's power state, such as shutdowns and restarts. Security Controls gives admins a way to run PowerShell scripts against one or more computers to carry out tasks or automate operations. The REST APIs integrate Security Controls with other products and support remote access and control, while offering a method to automate operations.

Security Controls generates multiple reports that provide a variety of information, such as the installed OSes, machine power states, patch deployments and status, machine compliance, and machine and software assets. Admins can also use database queries to generate custom reports. Security Controls can allowlist applications, services and components, as well as import the Common Vulnerabilities and Exposures (CVEs) list. Security Controls can automatically determine which patches are related to each CVE and then display the results for review.

Ivanti Security Controls patching tool
Ivanti Security Controls protects Windows and Linux machines

Kaseya VSA

Kaseya VSA is a cloud-based remote monitoring and management service that includes patch management capabilities to install, deploy and update software on Windows Server and desktop machines. VSA uses policy-based patch management that automates and standardizes software maintenance. Admins can approve, schedule and install patches, as well as schedule regular network scans for analyzing computers and automating software updates.

Kaseya VSA has a centralized console to assist with patch management operations, including uninstalling and repairing software. Admins can scan computers for missing patches, view a summary of the patch status for each machine, and deny patches for specific machines. Kaseya VSA can also run procedures before or after updates. For example, an admin can use a procedure to automate the preparation and setup of a newly added computer.

Kaseya VSA offers five methods for applying patches to managed machines, giving admins both manual and automated options for updating software, while offering granular control over the patching process. Admins can also set up patch reports to see compliance across their environments and quickly identify endpoints and applications that need attention. In addition, Kaseya VSA aggregates the patch status of all machines to see which CVEs need to be addressed on each. Admins can also use the product to access recent network scans to identify installed and missing patches.

Kaseya VSA patch management
Kaseya VSA monitors and remediates vulnerabilities.

ManageEngine Patch Manager Plus

ManageEngine, a division of Zoho, offers Patch Manager Plus, a versatile patch management tool that's available as on-premises software or as a cloud service. It supports Windows, Mac and Linux endpoints, along with more than 350 third-party applications. But only the on-premises software supports Linux. Admins can carry out all patching operations from a single interface and use the vendor's prebuilt packages to streamline patch management. Admins can also automate patch deployment for both the OSes and applications.

Patch Manager Plus includes numerous auditing, analytics and reporting features for visibility into the patch status of computers and applications. ManageEngine offers a free edition and two paid editions, Professional and Enterprise. Only the Enterprise edition manages systems across LAN and WAN environments. The free edition supports similar features as the Enterprise edition but is limited to 20 workstations and five servers. The Professional edition supports many of the same features but lacks capabilities such as antivirus definition updates, drive and BIOS updates, and automated testing and approval.

With the Enterprise edition, IT can automate the entire patch management process. This includes scanning endpoints for missing patches, downloading patches from vendor websites, deploying the downloaded patches and generating reports of the patch management process. The Enterprise edition also supports distribution servers for patching computers in remote offices. However, all three editions include such features as service pack deployments, Active Directory authentication, roaming user patching, role-based administration and on-demand remote shutdown.

The Patch Manager Plus patching tool
ManageEngine Patch Manager Plus checks for missing patches.

PDQ Deploy

PDQ Deploy from PDQ.com is a lightweight software deployment tool for automating patch management on Windows Server and desktop machines. PDQ Deploy also supports more than 250 Windows applications, which can be updated using the vendor's prebuilt, pre-tested packages. In addition, IT can create custom packages as well as copy over files, send messages to users or force reboots on managed systems. PDQ offers a free edition of the software, but this includes only a subset of features available in the regular paid edition.

PDQ Deploy uses a centralized console for installing, uninstalling, updating, repairing and making other changes across the network. The console also provides access to the prebuilt application packages. In addition, PDQ offers a command line interface for working with packages.

Admins can also use scripts to automate operations, with support for several scripting languages, including Visual Basic, PowerShell and batch files. In addition, IT can set up multiple distribution points for sharing custom packages, schedules and target lists.

For most deployments, admins will use the scheduling capabilities to deploy packages at specified intervals. They can also create automatic deployments for new package versions as they become available from the package library. In addition, PDQ Deploy can send an email with details about patch deployments, including which computers or software were updated and which systems might need more attention. Admins can also access built-in reports that provide deployment and scheduling information.

PDQ Deploy patch manager
PDQ Deploy automates patch management and updates system changes.

SolarWinds Patch Manager

SolarWinds Patch Manager builds on and extends WSUS and SCCM to provide a patch management tool for addressing software vulnerabilities and managing third-party applications. IT teams can automatically apply Windows updates using customized schedules that target specific business groups or system categories, based on such factors as OS or IP range. Patch Manager also helps teams proactively identify which Windows machines need to be patched and then quickly deploy the patches to those systems, including virtualized workloads.

Patch Manager provides extensive support for third-party applications, while enabling IT to use their existing WSUS or SCCM infrastructures. Admins can create pre- and post-update package scenarios to verify third-party patch deployments. Patch Manager includes the Custom Package Wizard for admins to build packages for any application, without the need for complex scripting or the System Center Updates Publisher. SolarWinds also offers prebuilt, pre-tested application packages that admins can quickly deploy through WSUS or SCCM.

SolarWinds Patch Manager
SolarWindsPatch Manager provides WSUS sync status and settings.

Patch Manager features a web console for centralizing patch management and viewing important patch information. The console offers several reporting options for determining patch status and demonstrating patch compliance to auditors. Admins can also view information about the latest available patches, missing patches on their systems and the general health of the patch environment. In addition, Patch Manager can notify admins when updates become available, either through the console or by email.

Dig Deeper on IT operations and infrastructure management