IT pros commonly use Microsoft System Center Configuration Manager or Windows Server Update Services to manage patches on Windows Server and desktop systems. Both options are well known, widely deployed and integrated into the larger Windows ecosystem, making either one a natural fit for organizations running computers on Microsoft's operating systems.
The patch management features in System Center Configuration Manager (SCCM), which is now bundled with Intune in a product called Microsoft Endpoint Manager, can help administrators manage the complex tasks of tracking and applying updates. SCCM includes a set of integrated tools for updating software manually or automatically, as well as controlling when and how patches are deployed. SCCM offers other management functionality, giving IT a single tool to carry out many of the tasks associated with administering Windows computers.
SCCM uses Windows Server Update Services (WSUS) to synchronize updates and to conduct update applicability scans. However, organizations don't need SCCM to use WSUS, which is a free server role in Windows Server used to manage and distribute updates. Like SCCM, WSUS provides an integrated tool to patch Windows machines, but without the expense or overhead of SCCM.
Why consider WSUS or SCCM alternatives?
Although many organizations use SCCM and WSUS for Windows patching, both products have limitations. For example, some IT professionals consider SCCM to be expensive and overly complex. The product also offers limited support for non-Windows platforms and applications. In addition, SCCM must be installed on Windows Server.
Like SCCM, WSUS also has to be installed on Windows Server, which can bring additional licensing fees. The product also has a reputation for being inefficient, cumbersome and buggy at times. In addition, WSUS provides only rudimentary automation and little in the way of reporting capabilities.
Third-party patching tools seek to address these limitations, either by extending WSUS or SCCM or by providing a separate tool for patch management. Third-party tools can help streamline and simplify patching operations, while providing greater control over the patching process. But not all patching tools are the same. Here, in alphabetical order, is a quick summary of eight prominent WSUS alternatives that each take a different approach to updating the Windows OS and the applications that run on it. Read on for details about all eight products.
Top WSUS alternatives for patch management
- Automox. A cloud-based, cross-platform system management tool for patch management, software distribution, reporting and policy enforcement.
- GFI LanGuard. Cross-platform patch management and vulnerability scanning for smaller organizations.
- Ivanti Security Controls. An enterprise-grade tool for Windows and Linux systems running on physical or virtual hardware. In addition to OS and application patching, it supports allowlisting of applications and Just Enough Administration.
- Kaseya VSA. A cloud-based platform for Windows and macOS systems. It offers automatic scanning and analysis of managed endpoints and supports policy-based patch management with options for manual and scheduled overrides.
- ManageEngine Patch Manager Plus. Patch management for Windows, macOS and Linux, as well as a huge number of applications. There's a free edition for SMBs.
- PDQ Deploy. A lightweight tool for deploying Windows patches and applications. Besides deploying Microsoft cumulative updates, it provides a library of over 250 ready-to-deploy applications.
- Quest KACE Systems Management Appliance. A virtual appliance that can perform patch management for Windows, macOS and Linux and can be used for other tasks such as software distribution and license tracking.
- SolarWinds Patch Manager. For organizations that are already using WSUS or SCCM, it offers broad support for third-party applications and more comprehensive reporting capabilities than most tools.
Automox is not purely a patch management tool, but rather an IT operations system. In addition to its patch management capabilities, Automox can be used for configuration management, software deployment and policy enforcement. Another key feature is single-click remediation of vulnerabilities that have been identified by CrowdStrike, Rapid7 or Tenable.
Automox performs patch management of operating systems and applications across a variety of endpoints. Agents are currently available for Windows, macOS and Linux, and Automox can natively patch dozens of third-party applications across the platforms.
Automox is a SaaS product, and the vendor offers two types of subscriptions: Patch, and Patch & Manage. The Patch plan is geared toward organizations that need patch management capabilities. Besides OS and application patching, it includes features such as full device inventories, basic reporting and end-user notifications. Patch & Manage includes all of the same features as Patch but adds the ability to install and enforce software, rules-based patching, Security Assertion Markup Language (SAML) authentication and other capabilities.
GFI LanGuard is a network security tool focusing on patch management, network auditing and vulnerability detection. It can be used with or without agents, and its reporting engine has been specifically designed to assist with regulatory compliance (HIPAA, PCI DSS, etc.)
GFI LanGuard supports patch management for Windows, macOS and Linux systems, as well as third-party applications. The software scans managed nodes and identifies missing patches, but also checks for over 60,000 known vulnerabilities. If a vulnerability is detected, the software provides a graphical indication of the vulnerability's severity, as well as a recommended course of action. GFI LanGuard is also designed to integrate with over 4,000 security applications. Incidentally, GFI LanGuard's vulnerability scanning is not limited to Windows, macOS and Linux. It also supports Apple iOS and Android and can scan some network hardware, such as printers and switches.
GFI LanGuard is licensed based on the number of nodes to be managed. GFI offers three different licensing plans, which are simply called Small, Medium and Large. Each plan is based on an annual subscription and includes all the same features. The only difference between the plans is the cost, with larger organizations paying less per node. GFI LanGuard is also part of the GFI Unlimited Plan, which includes licenses for a number of other GFI products.
Ivanti Security Controls
Ivanti Security Controls, formerly Patch for Windows, is a versatile patch management product for Windows computers, virtual machines and VM templates. It also supports VMware ESXi hosts, Windows applications and Linux distributions, including Red Hat Enterprise Linux and CentOS. Security Controls has a centralized interface designed to make it easy to scan physical and virtual systems, assess and deploy patches, and schedule remote operations while providing granular privilege management to balance access and security.
Admins can configure Security Controls to automatically run scheduled recurring scans and deploy any missing patches that are detected during the scans. Security Controls can detect and categorize software and hardware, track asset inventory over time and control a computer's power state, such as shutdowns and restarts. It also gives admins a way to run PowerShell scripts to carry out tasks or automate operations. The REST APIs integrate Security Controls with other products and support remote access and control while offering a method to automate operations.
Security Controls generates multiple reports that provide a variety of information, such as the installed OSes, machine power states, patch deployments and status and machine compliance. Admins can use database queries to generate custom reports. Security Controls can display applications and their services and components, as well as import the Common Vulnerabilities and Exposures (CVEs) list. It can also show which patches are related to each CVE.
Kaseya VSA is a cloud-based remote monitoring and management service that includes patch management capabilities to install, deploy and update software on Windows and macOS machines. It uses policy-based patch management that automates and standardizes software maintenance. Admins can approve, schedule and install patches as well as schedule regular network scans for analyzing computers and automating software updates.
Kaseya VSA has a centralized console to assist with patch management operations, including uninstalling and repairing software. Admins can scan computers for missing patches, view a summary of the patch status for each machine and exclude patches from specific machines. Kaseya VSA can also run procedures before or after updates. For example, an admin can use a procedure to automate setting up a newly added computer.
Kaseya VSA gives administrators both manual and automated options for updating software while offering granular control over the patching process. Admins can also set up patch reports to see compliance across their environments and quickly identify endpoints and applications that need attention. In addition, Kaseya VSA aggregates the patch status of all machines to see which CVEs need to be addressed on each. Admins can also use the product to access recent network scans to identify installed and missing patches.
ManageEngine Patch Manager Plus
ManageEngine, a division of Zoho, offers Patch Manager Plus, a versatile patch management tool available as on-premises software or as a cloud service. It supports Windows, macOS and Linux endpoints, along with more than 850 third-party applications. Admins can carry out patching operations from a single interface and use the vendor's pre-built packages to streamline the process. They can also automate patch deployment for OSes and applications.
Patch Manager Plus includes numerous auditing, analytics and reporting features for visibility into the patch status of computers and applications. ManageEngine offers a free edition and two paid editions, Professional and Enterprise. The Enterprise edition is suitable for WAN use, while Professional is designed for LANs. The Enterprise Edition includes all of the features found in the Professional Edition, but adds antivirus definition updates and the ability to test and approve patches. The Enterprise edition also includes a distribution server, which can help conserve bandwidth. The free edition supports similar features as the paid editions but is limited to 20 workstations and five servers.
With the Enterprise edition, IT can automate the entire patch management process. This includes scanning endpoints for missing patches, downloading patches from vendor websites, deploying the patches and generating reports on the patch management process. However, all three editions include such features as service pack deployments, Active Directory authentication, roaming user patching, role-based administration and on-demand remote shutdown.
PDQ Deploy from PDQ.com is a lightweight software deployment tool for automating patch management on Windows Server and desktop machines. It supports more than 250 Windows applications, which can be updated using the vendor's pre-built, pre-tested packages. In addition, IT can create custom packages as well as copy over files, send messages to users or force reboots on managed systems. PDQ offers plans for small business, education and enterprise use. Licensing costs are based on the number of admins who will be using the software. A 14-day trial is available.
PDQ Deploy uses a centralized console for installing, uninstalling, updating, repairing and making other changes across the network. The console also provides access to the pre-built application packages. In addition, PDQ offers a command-line interface for working with packages.
Admins can also use scripts to automate operations, with support for several scripting languages, including Visual Basic, PowerShell and batch files. In addition, IT can set up multiple distribution points for sharing custom packages, schedules and target lists.
For most deployments, admins will use the scheduling capabilities to deploy packages at specified intervals. They can also create automatic deployments for new package versions as they become available from the package library. In addition, PDQ Deploy can send an email with details about patch deployments, including which computers or software were updated and which systems might need more attention. Admins can also access built-in reports that provide deployment and scheduling information.
Quest KACE Systems Management Appliance
The Quest KACE Systems Management Appliance is designed to be a unified endpoint management system that can do far more than just basic patch management. You can also use it for tasks such as software distribution, software license tracking and server management and monitoring. There is even a mobile app for managing service tickets on the go.
The appliance can perform patch management for Windows, Linux and macOS systems, along with a vast number of applications. Quest uses a system of smart labels that allows admins to classify both endpoints and updates and then perform actions or create reports based on the labels. For example, patches might be labeled by vendor, date or severity. The appliance can also perform automated vulnerability scans as well as configuration management and policy enforcement. In multi-site environments, the appliance can use replication servers to minimize bandwidth consumption during patch management.
Quest offers several deployment options for the KACE Systems Management Appliance. It can be deployed as an on-premises virtual appliance or hosted on VMware, Hyper-V, Nutanix or in the Microsoft Azure cloud.
SolarWinds Patch Manager
SolarWinds Patch Manager builds on and extends WSUS and SCCM to provide a patch management tool for addressing software vulnerabilities and managing third-party applications. IT teams can automatically apply Windows updates using customized schedules that target specific business groups or system categories, based on such factors as OS or IP range. Patch Manager also helps teams proactively identify which Windows machines need to be patched and then quickly deploy the patches to those systems, including virtualized workloads.
Patch Manager provides extensive support for third-party applications, while enabling IT to use its existing WSUS or SCCM infrastructure. Admins can create pre- and post-update package scenarios to verify third-party patch deployments. Patch Manager includes the Custom Package Wizard for admins to build packages for any application, without the need for complex scripting or the System Center Updates Publisher. SolarWinds also offers pre-built, pre-tested application packages that admins can quickly deploy through WSUS or SCCM.
Patch Manager features a web console for centralizing patch management and viewing important patch information. The console offers several reporting options for determining patch status and demonstrating patch compliance to auditors. Admins can also view information about the latest available patches, missing patches on their systems and the general health of the patch environment. In addition, Patch Manager can notify admins when updates become available, either through the console or by email.