Patch management is both a security process and a system management task. We investigate the best patch managers available on the market, so you can make an informed decision.

Best Patch Management Tools

Patch management is an important duty for system administrators. However, sorting out patches manually can be a time-consuming task. Automated patch managers run without human intervention. They discover all devices, create a software inventory, and then look out for patch availability. 

An automated patching tool removes the likelihood that an administrator might just forget to look for the latest patches. If these tools discover that patches are available, they copy down the installers and then schedule them for installation. These systems can run unattended overnight and start up, bounce, and shut down computers as needed.

Letting a patching tool take care of software updates solves a lot of problems, but only if you buy the right tool. You need to ensure that your patching system is compatible with all the operating systems that you are running on your site. You also need to check that it will update all of your software. In this report, we will highlight the best tools available for patching and focus on their capabilities. This gives you a shortlist to work from when shopping around for a new patch manager. 

Here is our list of the seven best patch management tools:

  1. NinjaOne Patch Management - EDITOR'S CHOICE: A cloud-based system that scans all endpoints on a site and documents the operating system and software it encounters, automatically patching outdated packages. Patches endpoints running Windows, Linux, and macOS, plus more than 200 applications. Get a 14-day free trial.
  2. ManageEngine Patch Manager Plus: This system provides patching for Windows, Linux, macOS, and more than 850 third-party software packages. Available in free and paid editions and offered as a SaaS platform or a software package for Windows Server.
  3. SecPod SanerNow: A cloud-based platform that provides a vulnerability scanner and a patch manager that is compatible with Windows, macOS, Linux, and third-party software packages among other services.
  4. Atera: A remote monitoring and management package that includes a patch manager for Windows, macOS, and software. This is a cloud-based system.
  5. Syxsense Manage: This cloud-based endpoint management system will discover endpoints, create hardware and software inventories, and patch for Windows and Linux.
  6. SolarWinds Patch Manager: This patch manager for Windows is based on SCCM, and it will also patch third-party software. Runs on Windows Server.
  7. KACE Systems Management Appliance: Inventory documentation, software deployment, and patch management for Linux, Windows, and macOS. Offered as a SaaS platform or for installation as a virtual appliance.
  8. GFI LanGuard: This asset management system includes a vulnerability scanner and a patch manager to fix Linux, Windows, and macOS. Runs on Windows or Windows Server.

The best patch management tools

Our methodology for selecting a patch management tool

We reviewed the market for patch managers and analyzed options based on the following criteria:

  • A discovery service that lists all endpoints.
  • A software inventory.
  • Patch availability discovery.
  • A scheduler for out-of-hours installation.
  • Activity logging that includes completion status reports.
  • A free trial or a demo option to enable a cost-free assessment.
  • Value for money from a system that is offered at a fair price with respect to the facilities that are on offer.

With these selection criteria in mind, we looked for patch management systems that will repay the cost of acquisition through efficiency.

1. NinjaOne Patch Management (FREE TRIAL)

NinjaOne Patch Management is available as a standalone service or as part of a remote monitoring and management (RMM) package. The system is delivered from the cloud as a SaaS platform, and it is offered in a format for IT departments or with a multi-tenant architecture for managed service providers. 

Key features:

  • Delivered from the cloud: This is a SaaS platform.
  • Patches operating systems: Windows, macOS, and Linux.
  • Patching for third-party software: Updates more than 200 applications.

Why do we recommend it?

I determined that NinjaOne Patch Management provides process automation for software management. This includes asset discovery and license management, as well as patching. The service is delivered from the cloud and the dashboard can be accessed through any standard Web browser. The tool is available as part of a remote monitoring and management package. 

This system will check for patch availability automatically for its list of 200 software systems and OSs. This means that support technicians don’t need to dedicate time to ensuring that all software is up to date. The automation in the Patch Management tool is a cost saver for managed service providers that need to keep prices low in order to win business.

Who is it recommended for?

This package is a good choice for both IT departments and managed service providers. NinjaOne doesn’t publish a price list, which will discourage small businesses. However, it levies a rate per endpoint, which makes the service very scalable. The system is particularly attractive as part of the NinjaOne RMM.

Pros:

  • Suitable for managed service providers: A multi-tenant architecture
  • Unattended execution: Rolls out patches without human intervention
  • Activity reporting: Writes out to logs for all its activities

Cons:

  • No price list: You have to contact the Sales Department

This package is hosted in the cloud, so you sign up for an account on the NinjaOne website. During the onboarding process, the system will download agents onto your endpoints. You can examine the NinjaOne Patch Management system with a 14-day free trial and enquire about a custom quote.

EDITOR’S CHOICE

NinjaOne Patch Management is our top pick for a patch management tool for all operating systems because this service can patch Windows, macOS, and Linux. In addition to the operating systems, the service will patch up to 200 applications that run on top of them. The system maintains a software inventory and checks for patch availability. It will copy down installers and apply patches automatically at the next available maintenance window. This patching service is integrated into a full remote monitoring and management package. The platform is hosted in the cloud and can manage entire sites, accessing any network anywhere in the world as long as it is connected to the internet. NinjaOne is available in a multi-tenant architecture, which is suitable for use by managed service providers.

Get a 14-day free trial: https://www.ninjaone.com/freetrialform/

Operating system: Cloud-based

2. ManageEngine Patch Manager Plus

ManageEngine Patch Manager Plus is a dedicated patching system that first discovers and records all endpoints on a network. The service is able to patch Linux, Windows, macOS, and more than 850 third-party software packages. This system relies on a patch repository that is hosted in the cloud by Zoho Corp, the parent company of ManageEngine.

Key features:

  • Patches operating systems: Windows, Linux, and macOS.
  • System discovery: Creates hardware and software inventories.
  • Patch availability report: Checks daily for new patches.
  • Pre-tested and verified patches: Only has to refer to the Zoho Central Patch Repository.
  • Patching scheduler: Set it up with a maintenance calendar.

Why do we recommend it?

I found that ManageEngine Patch Manager Plus is a stable and reliable patching service that needs very little human involvement. The tool checks daily for new patches that relate to the systems that it has logged in its site software inventory. The tool automatically copies down, schedules, and then applies all patches. 

Patch Manager Plus discovers all endpoints and scans them for software. It creates hardware and software inventories. Each entry in the software inventory includes its version number, which indicates its patch status. 

Every implementation of Patch Manager Plus checks with the Zoho Central Patch Repositories every day. The patches held in the library have all been tested and verified. If the patch number of the latest version of a software package is higher than that indicated by the version number in the repository, the patch manager copies down the installer. 

Who is it recommended for?

This package is a good choice for any business. It is available as a software package for Windows Server, and ManageEngine has also created a cloud-hosted SaaS package for it. There is a Free edition that will patch 20 workstations and five servers. 

Pros:

  • Runs unattended: Patches out of office hours
  • Remote operations: Wakes up, bounces, and shuts down endpoints for the patching process
  • Can manage patch dependencies: Will sequence patches in the correct order
  • Completion status reports: The technician can check on the results of the patch run the following morning
  • Deployment options: Available for Windows Server or as a SaaS platform

Cons:

  • Doesn’t run on Linux: Won’t run on macOS

There are three editions for Patch Manager Plus. The Free edition is free forever but is limited to patching 20 workstations and five servers. The Professional edition is suitable for a LAN, and the Enterprise edition will patch endpoints on multiple sites from one location. You can get a 30-day free trial of the Professional edition.

3. SecPod SanerNow

SecPod SanerNow is a cloud platform of endpoint management and security systems. The service installs an agent on a managed site and then scans for endpoints. The tool also scans each computer for software. After creating hardware and software inventories, the platform implements vulnerability scanning. If software is discovered to be out of date, SanerNow kicks off its built-in patch manager.

Key features:

  • Delivered from the cloud: Installs an agent on the protected site.
  • Asset discovery: Creates hardware and software inventories.
  • Vulnerability scanning: Identifies misconfigurations.
  • Patches multiple OSs: Windows, Linux, and macOS.

Why do we recommend it?

SecPod SanerNow is an asset management package that provides extensive security monitoring services. This cloud-based system concentrates on system hardening through its preventative security measures. The service will advise on security weaknesses and automatically update software that is out of date. The package can update more than 450 software packages plus the Linux, Windows, and macOS operating systems.

I noted that the SecPod platform constantly checks for patch availability with the producers of more than 450 software packages. All new patches are tested before being made available for installation. If an account on the cloud platform has software in its inventory for which a new patch is available, that patch is scheduled for deployment.

Who is it recommended for?

SecPod SanerNow is suitable for mid-sized and large companies. Although it could be interesting for small businesses, the free service offered by ManageEngine is probably going to tempt those business owners more. The SanerNow system provides regular security testing and remediates all problems that can be resolved automatically.

Pros:

  • Patches software packages: Tracks updates for more than 450 applications
  • Pre-tests patches: Verifies patches before making them available
  • Schedules patches for rollout: Operates unattended
  • Remote execution: Wakes, reboots, and shuts down endpoints during the patching process

Cons:

  • No price list: You have to request a quote

SecPod doesn’t publish a price list, which will deter small businesses. You can start your investigation into the platform by accessing a 30-day free trial.

4. Atera

Atera is a package of systems for use by managed service providers or IT departments. The exact contents of the bundle you get depend on which plan you choose. However, all the options include a patch manager. The system also creates a software inventory.

Key features:

  • Software inventory: Includes license management.
  • Patches operating systems: Windows and macOS.
  • Patches third-party software: Well-known applications, such as Adobe and Apache.

Why do we recommend it?

Atera provides many system operations management functions, including a patch manager. The patching system is automated, and it will operate remotely, updating endpoints on multiple sites if necessary. The tool will run on a schedule, launching rollouts in the next available maintenance window. 

I discovered that the scheduler for the patch manager provides other functions. It has a list of standard maintenance tasks that can be launched through the interface, such as clearing out temporary files. It is also possible to write your own automation scripts and get them run on all remote devices through the scheduler. 

Who is it recommended for?

The Atera system is delivered from the cloud, so you don’t need to worry whether you have a server with the right operating system to host it. The package includes a ticketing system, so the whole deal will attract Service Desk teams. There is also a multi-tenant version for managed service providers. 

Pros:

  • Remote operations: Wakes up, reboots, and shuts down endpoints when necessary
  • Delivered from the cloud: This is a SaaS platform
  • Ticketing system: Ideal for Service Desk teams

Cons:

  • Doesn’t patch Linux: Only Windows or macOS

Atera has many plans with special categories of editions for IT departments and managed service providers. You can assess the package, which includes the patch manager, with a 30-day free trial.

5. Syxsense Manage 

Syxsense Manage is an endpoint management package that is delivered from the cloud. This package scans your network and creates hardware and software inventories. It provides software license management and controls over the installation of unauthorized software by users. The package also includes a patch manager.

Key features:

  • A cloud-based system: A SaaS platform.
  • Endpoint management: Device discovery.
  • Software inventory: License management.

Why do we recommend it?

Syxsense Manage is a cloud-based system that reaches out to a managed network by installing an agent. The platform will install an agent on each discovered endpoint to scan for software. That function forms the basis of the patch management service, which automatically checks for patch availability.

This service will patch Windows, macOS, and Linux. It will also patch well-known applications, such as Google Chrome, Adobe Acrobat, Apache Web Server, and Java. I observed that the system requires little human intervention and provides activity reports in the dashboard. The Syxsense server maintains a library of patches, which it updates nightly. Each customer account then automatically checks on patch availability for the systems listed in its software inventory.

Who is it recommended for?

Syxsense doesn’t publish a price list, which is discouraging for small businesses. The package is comprehensive and also manages mobile devices and IoT equipment. Other features in the package include security scanning and remote control, so this would be a good bundle of services for an IT Help Desk or a managed service provider. 

Pros:

  • Automated patch availability checks: Runs every night
  • Patching for operating systems: Windows, macOS, and Linux
  • Patching for software: Updates the most widely used services, such as Chrome and Java

Cons:

  • No price list: Off-putting for small businesses

You have to request a quote in order to find out the subscription price for the Syxsense Manage SaaS package. Access a demo to find out more. 

6. SolarWinds Patch Manager  

SolarWinds Patch Manager is an on-premises package that manages Windows and Microsoft tools. This system relies on the native Windows systems for updates: WSUS and SCCM. The service has adapted these systems to install non-Microsoft systems, such as Adobe and Java. However, it won’t update macOS or Linux, and it won’t even update software running on top of those operating systems. 

Key features:

  • Patching for Windows: Uses WSUS and SCCM.
  • Patching for third-party tools: Mostly Microsoft systems.
  • On-premises package: Runs on Windows Server.

Why do we recommend it?

SolarWinds Patch Manager is a good choice for businesses that want to focus their software purchases on respected and reliable brands. This system is an on-premises package, which also provides greater security and privacy for security systems. Working with WSUS gives the package the benefit of the functions of that package.  

I noticed that the WSUS system includes a discovery routine. This generates hardware and software inventories, so SolarWinds decided not to duplicate these functions. The patch manager checks for updates, and it alerts the administrator if new patches are available. In truth, this package relies heavily on WSUS, which does all the work. 

Who is it recommended for?

This system is going to appeal to large businesses. Another key characteristic of a typical SolarWinds Patch Manager user is that the company should only have Windows on its premises because this service won’t patch Linux or macOS. This package includes a reporting engine, which is useful for companies that need to record patching activity for compliance reporting. 

Pros:

  • Compliance reporting: Suitable for HIPAA and other standards
  • Java patching: Keep supporting frameworks up to date
  • 30-day free trial: Test the system before buying

Cons:

  • Won’t patch Linux or macOS: Only patches Windows and Windows Server

The SolarWinds system relies heavily on WSUS, which is provided for free as part of Windows Server. So, you might wonder whether you should just rely on that system and not bother with the cost of the SolarWinds Patch Manager. However, the system is available for a 30-day free trial, which offers a good opportunity to experience the added features that this package brings. 

7. KACE Systems Management Appliance

KACE Systems Management Appliance from Quest Software is an IT asset management package that includes a patch manager. The service is a SaaS package, but there is an option to download the software and run the system as a virtual appliance. The patch manager in this package will patch Windows, macOS, and Linux. It will also update software.

Key features:

  • Deployment options: Offered as a SaaS platform or as a virtual appliance
  • Operating system patching: Windows, macOS, and Linux
  • Software distribution: Create installation packages

Why do we recommend it?

I found that KACE Systems Management Appliance provides hardware and software management functions. The software manager maintains a software inventory, which provides license management as well as a basis for patch management. The system is able to deploy software and also update it. You can set up a patching calendar to run patches out of office hours.

The KACE system also scans the network and logs all the network devices as well as endpoints. This scan provides a security benefit because it enables the administrator to spot rogue devices. Similarly, the software inventory will reveal any installations of unauthorized software.

Who is it recommended for?

This package is going to interest any type or size of business. As with most of the systems on this list, Quest doesn’t publish a price for the KACE Systems Management Appliance, which makes it difficult to recommend the package to small businesses. The deployment options will widen the appeal of the package. 

Pros:

  • Can open compressed patch files: Including tar and zip files
  • Choice of hypervisor: VMware, Hyper-V, or Nutanix
  • Patches multiple Linux distros: Ubuntu, RHEL, SUSE, and Raspbian

Cons:

  • No price list: You need to request a quote

If you choose to operate the KACE Systems Management Appliance as a virtual appliance, it can be run on VMware ESX/ESXi, Hyper-V, or Nutanix AHV. The underlying operating system can be Windows or Linux. For those who don’t want to host the package, there is always the SaaS option.

8. GFI LanGuard

GFI LanGuard is a system security package that focuses on endpoint management. The package includes a vulnerability manager that identifies misconfigurations that can provide hackers with a way into the system. The vulnerability scanner has a list of 60,000 exploits to look for. When the scanner discovers that software or operating systems are out of date, it triggers the patch manager in the package.

Key features:

  • Patches operating systems: Windows, Linux, and macOS.
  • Compatible with a long list of Linux distros: CentOS, Debian, Ubuntu, RHEL, SUSE, and Fedora.
  • System discovery: Creates hardware and software inventories.

Why do we recommend it?

GFI LanGuard is a competent IT asset security package. This system is an on-premises package that runs on Windows or Windows Server. It includes a vulnerability manager as well as a patch manager, which makes a great suite. The system will automatically fix many of the security issues that it discovers and provide guidance for issues that need manual attention.

I saw that the discovery service in the GFI LanGuard package identifies and documents all equipment on the network, including routers and switches. This has the advantage of identifying rogue devices on the network. The package also generates a software inventory that immediately checks patch statuses. The tool automatically checks for patch availability and queues up the installers in a scheduler for out-of-hours installation.

Who is it recommended for?

Companies that run Linux on their computers will be interested in this package because it is compatible with many distros. However, there is a problem because the software won’t run on Linux – only Windows and Windows Server. There is a multi-tenanted version available for managed service providers. 

Pros:

  • Vulnerability scanner: Launches the patch manager
  • On-premises system: Runs on Windows and Windows Server
  • Option to roll back patches: An emergency measure if problems arise

Cons:

  • No price list: No free trial

There is no price list for GFI LanGuard, so you would have to request a quote. There is no free trial for the software, but you can access a demo.
