Windows Server Update Services (WSUS) is a feature of the Windows Server platform that lets you manage the distribution of the software updates released through Microsoft Update to the Windows machines on your network. While WSUS is a mature feature that has been around for some time now, as I’ve mentioned in the past not every Windows administrator is happy using it to control how their Windows machines are patched. It is also only useful for patching Windows operating systems and Microsoft applications like Microsoft Office; it can’t be used, for example, to patch Adobe software on your computers. But rather than spend the rest of this article writing about what’s wrong with or missing from WSUS, I thought it might be helpful to share some of the other patch management solutions that are available for keeping Windows patched. Most of these third-party solutions were recommended to me by my colleagues, and if you’re presently unsatisfied with WSUS you may want to explore several of them to see if one can meet the needs of your specific environment. So, without further ado, here is a brief bird’s eye summary of some of the best of what’s available. (And if you use a patch management solution that’s not on this list, feel free to mention it in the comments section below.)
Patch My PC
Patch My PC is a third-party add-on for Microsoft System Center Configuration Manager (SCCM) that lets you deploy updates for hundreds of common enterprise software applications and suites. It comes in Basic, Enterprise, and Enterprise Plus subscription tiers that let you perform all sorts of custom actions when you patch computers, such as automatically closing applications before installing patches, skipping an application’s update if it’s currently running, running custom pre- or post-installation scripts during patching, and so on. It’s a powerful and highly customizable tool, and if you’re already using SCCM it’s definitely worth considering if you want to make patching systems in your environment easier.
GFI LanGuard
GFI LanGuard is a powerful tool for scanning networks for vulnerabilities, automating patching, and achieving compliance with regulatory requirements. GFI LanGuard is a full endpoint management platform that you can use to deploy both security and non-security patches. You can use it to do patch management for Windows, macOS and Linux platforms, including more than 60 third-party applications such as Apple QuickTime, Adobe Acrobat, Adobe Flash Player, Adobe Reader, Adobe Shockwave Player, Mozilla Firefox, Google Chrome, Apple Safari, Opera, Mozilla Thunderbird, Java Runtime and more. GFI LanGuard is available in several pricing tiers ranging from starter to small, medium, and large environments. There’s also an “unlimited” version that includes several other useful products to help you keep a firm hand on your systems environment.
ManageEngine Desktop Central
ManageEngine Desktop Central is another unified endpoint management solution that you can use to apply patches, deploy software, manage licenses, and more. Desktop Central Patch Management can help keep your network secure by automating patch management for Windows, macOS and Linux systems and many third-party applications. Desktop Central Patch Management is an agent-based solution that lets you completely automate your patch management process to keep your endpoint systems secure. In addition, there’s a fully functional free edition you can use to keep up to 25 PCs on your network patched and up to date.
Ivanti Patch for Endpoint Manager
Ivanti Patch for Endpoint Manager lets you patch Windows, macOS and Linux systems and keep hundreds of third-party applications properly patched to keep your environment safe. Patch for Endpoint Manager provides you with a single console for assessing and deploying patches. It lets you roll patches out in stages to help minimize any negative impact caused by poorly designed vendor patches. One colleague I know who manages several hundred Windows servers in a large enterprise uses Patch for Endpoint Manager to keep his company’s servers up to date by creating schedules that cause patches to be installed and systems rebooted at specific times of low usage. Ivanti also has other patching products that allow patching systems from within the SCCM console and patching both physical and virtual systems.
SolarWinds Patch Manager
SolarWinds Patch Manager lets you automate patching and reporting and save time by simplifying patch management on servers and workstations. Patch Manager extends the capability of WSUS to third-party patches and it can be integrated with SCCM to let you view details of third-party software patches and the status of endpoints managed by SCCM. You can use Patch Manager to build your own custom patches, and SolarWinds also provides pre-built and pre-tested patches for enterprise applications including the Java platform. A status dashboard is included that lets you quickly view the latest available patches, top 10 missing patches, and the general health of your environment.
PDQ Deploy and PDQ Inventory
PDQ Deploy and PDQ Inventory are affordable agentless solutions that can inventory and patch a wide range of third-party applications. PDQ Inventory is a systems management tool for tracking and organizing hardware, software, and Windows configuration data, while PDQ Deploy is a software deployment tool used to keep Windows PCs up to date without bothering end users. One colleague says he has “never looked back” since he started using these easy-to-use solutions. PDQ Deploy includes patch support for more than 200 applications and lets you deploy and run a variety of different kinds of scripts, including .vbs, .reg, .bat, and .ps1 files.
BatchPatch
BatchPatch is a simple, easy-to-use tool that lets you install Windows Updates remotely across your network. You can use BatchPatch to run software deployments, start remote processes, and run custom scripts. BatchPatch was designed to be simple and intuitive to use. You don’t even have to install it: you just launch the tool’s .exe, load up a list of computer names or addresses (IP or MAC), choose the machines you want to patch, and select the actions you want to perform on them. One colleague of mine uses BatchPatch exclusively for patching the servers on his network and he says it does everything he needs.
0patch
And finally, there’s 0patch, a product that does patching differently. 0patch provides what are called “micropatches,” which are small and don’t require running systems to be rebooted. It’s particularly useful in situations where a zero-day vulnerability has been reported in some product and the vendor hasn’t yet released a patch to mitigate it. Another use of 0patch is patching unsupported and end-of-life products, and several admins I know who still have Windows 7 systems in their environment (and expect to have them around for the foreseeable future) have told me they’ve been taking a hard look at using 0patch as a way of keeping those systems secure once Microsoft ends extended support for Windows 7 in January.