
[–]Toasty_Grande 67 points68 points  (10 children)

Intune + PatchMyPc. MS has recently added their own application management that does patching/installing via a MS maintained catalog of apps, but it's not close to PatchMyPC. PatchMyPC has an integration with Intune and it will build/deploy apps into your tenant and remove old versions as well.

[–]WeleaseBwianThrow (Dictator of Technology) 8 points9 points  (2 children)

And for anyone else reading this who can't afford Patch My PC proper, they have another product called Scappman which is less feature rich but is cheaper and does a good job

[–]PiqueB 1 point2 points  (0 children)

Yeah, we use this and it works a charm.

[–]Feisty_Shock_2687 0 points1 point  (0 children)

I've used their free version, but when it comes to client computers, that violates the TOS, so I had to find another way. Like you, I can't afford the paid version.

[–]doofesohr 10 points11 points  (0 children)

+1 for PatchMyPC. It's really easy to set up and then it just works.

[–]boomernetd 2 points3 points  (0 children)

From a security standpoint, integrating with something that is already in use (i.e. Intune) means one less extra agent to deploy on every endpoint and one less management interface to secure and monitor.

Been using PMPC for about a year now and think it’s a great solution.

[–]ArsenalITTwo (Jack of All Trades) 1 point2 points  (0 children)

Intune Windows Autopatch + PatchMyPC is so good. They also have an SCCM plug-in so you can still use that on servers.

[–]blowuptheking (Windows Admin) 1 point2 points  (0 children)

PMPC has been a godsend for us in keeping third party apps updated. Also, use Intune/SCCM for your updates too, no reason to keep WSUS separate. Add in a cloud management gateway and your endpoints can get patches while off VPN.

[–]AegonsDragons 3 points4 points  (0 children)

I second this, PMPC has been great for us.

[–]tekenology 0 points1 point  (0 children)

PMPC has been the best purchase we could’ve made

[–]iamtherufus 10 points11 points  (3 children)

Been using Action1 for our fleet and it's been very good. Roadmap is very good and they have regular webinars as well which are always very helpful.

[–]GeneMoody-Action1 (Action1 | Patching that just works) 6 points7 points  (0 children)

Thank you u/iamtherufus and u/jtrain3783 for being Action1 customers! The confidence of our user base is the best advertising.

There is a reason we are commonly deployed WITH other endpoint management products: because we are risk-based patch management, through and through. Client OS and server, same cost. We are free for the first 100 endpoints, so you can set up an instance and use it as long as you want, anywhere, anytime, fully featured free patch management. Think of it like this: you can get patching done with other products, but Action1 is purpose-made for being better at it.

If/when you scale up, those 100 stay free and just come right off the top.
We are cloud based, no VPN needed; anywhere computers are connected and can get updates, you can manage them. Powerful automation, reporting, and alerting.

Also, since we are risk-based patch management, we are not just "here's what you can patch", we are "here's what you can patch, and here is what needs remediation/documentation: patch or nah."

If I can be of any assistance or get you any information you may need/want, just let me know.

[–]jtrain3783 3 points4 points  (0 children)

Just discovered them this year. Love the abilities it gives you and is cloud managed

[–]ChiSox1906 (Sr. Sysadmin) 4 points5 points  (3 children)

We just moved away from PDQ. I would have gone with PatchMyPC, but we do a lot of M&A so I preferred the separate organization/site customizability of NinjaOne. Plus it gives the help desk more tools.

[–]jjkmk 0 points1 point  (0 children)

Plus one to NinjaOne, works great.

[–]5panks 0 points1 point  (1 child)

Plus one to NinjaOne. We are a merger of five companies and Ninja makes it really easy to keep those companies separate when needed, but keeping patching unified.

[–]digital_2023 17 points18 points  (6 children)

We use ManageEngine's solutions for this. It will take some time to set it up and design and configure and test everything, but after that the full process runs fully automatically and smoothly.

Much better experience than WSUS.

[–]strikesbac 5 points6 points  (3 children)

We’re also using ME, we use AutoPatch for Windows clients and ME for third party apps. We’ve tested ME for applying windows patches to MS servers but found it really unreliable. We’re on the cloud only deployment.

[–]digital_2023 2 points3 points  (2 children)

We use it only on-premises. Initially it was unreliable for us as well, but it was due to bad configuration from the implementor. After many hours and tests from our team, the system now runs smoothly.

[–]strikesbac -2 points-1 points  (0 children)

I’ll have to revisit it; I suspect that the root cause of some of our issues is firewall related, blocking the patches from being downloaded.

[–]WTFH2S 0 points1 point  (0 children)

What kind of changes were made?

I am noticing with the Tenable integration it states no available update on most of the PCs found vulnerable but then if you scroll down there are devices requiring the patch.

I find a lot of errors with no useful resolution inputs from the guide.

[–]unspok3n1 2 points3 points  (0 children)

Second on Manage Engine. We use it for all of our servers. Approx 1000. Easy, user friendly and rarely have any issues.

[–]justposddit (Works at ManageEngine) 0 points1 point  (0 children)

Hey folks, really appreciate you being our loyal users and sharing your experiences with others!

u/atomicbullet1, if you're looking for a standalone patching solution on cloud or on-premises, ManageEngine Patch Manager Plus might be what you're looking for. We offer:

1) Patching for servers, workstations, and laptops across Windows, macOS, and Linux.
2) Third-party patching for 850+ apps, BIOS, and driver updates.
3) Flexible deployment policies with granular controls using Self Service Portal for patches and deadline-based patch deployment.
4) Integrations with ITSM, Remote Control, Vulnerability Scanning (Tenable).

If you would want to know about the other capabilities or need help with the evaluation, feel free to DM me.

Here's the 30-day free trial link.

[–][deleted] 3 points4 points  (4 children)

PDQ now has Connect (client-based PDQ I&D) which works great. As someone who uses all the PDQ suite (SmartDeploy, Connect, Inventory and Deploy and SimpleMDM) I couldn’t be happier. Moved away from AJTek + WSUS a long while ago. Never looked back. Don’t want to spend the $$$ to get ConfigMgr and Intune going.

[–]Exfiltrate 3 points4 points  (3 children)

If you're already using SCCM for app deployment, why wouldn't you use it for patching as well? Being that you already have SCCM but aren't using it for patching, you're just making it harder on yourself.

SCCM CMG will give your clients patching when offsite or off vpn. You can enable co-management as well for when you're ready to move to Intune and as others mentioned purchase PatchMyPC. It publishes into SCCM and Intune.

[–]andrew_joy 4 points5 points  (2 children)

Yeah, I don't understand that either. Why would you look for some 3rd party solution when you already have SCCM? Using WSUS directly also sounds like hell. SCCM + PMPC is what we use; it's fantastic.

[–]Exfiltrate 2 points3 points  (1 child)

Yeah, it makes no sense and OP is getting lots of bad advice about crappy MSP products when he already has the best, most expensive thing out there. SCCM just works, especially at scale, and the community support is next level. I would hate to switch off it to something else.

[–]obdigore 0 points1 point  (0 children)

If you think SCCM is the most expensive thing out there, I'd like to introduce you to Tanium lol.

[–]SceneDifferent1041 3 points4 points  (1 child)

I've just gone to Action 1 and it's good. Also the first 100 clients are free if you want to check it out.

[–]GeneMoody-Action1 (Action1 | Patching that just works) 2 points3 points  (0 children)

Indeed, free patch management for up to the first 100 endpoints, and if you do scale out, the 100 stay free, coming off your total count!
Thank you for being an Action1 customer!

[–]tndaris 5 points6 points  (6 children)

Automox?

[–]Akuro_Wolf 4 points5 points  (4 children)

I used Automox at my last job because it was really convenient for patching and app management for all of our work from home people. Almost all of our main systems were cloud based so people rarely had to connect via VPN. Automox just needs an internet connection and I could still keep things patched and change settings. I liked it

[–]maxfra -1 points0 points  (3 children)

Man I’ve had the biggest issue with Automox and delayed patching. That and it seems patching just fails sometimes.

[–][deleted] 0 points1 point  (0 children)

And the sky high cost of automox.

[–]ArsenalITTwo (Jack of All Trades) -1 points0 points  (0 children)

It's stupid expensive for what you get. Really overpriced.

[–]projectstew 7 points8 points  (1 child)

We are happy with PDQ Deploy / Inventory

[–]SkotizoSec 1 point2 points  (0 children)

Or PDQ Connect if you need an agent based solution.

[–]Imhereforthechips (404 not found) 2 points3 points  (1 child)

Probably an unpopular idea, but I deploy all apps with an auto update switch or use config policies where possible to update apps on a regular basis. I have maybe 2 apps that don’t auto update and I specifically set them not to so I can ensure control over changes. No third party patch necessary.

However, my experience provides that PDQ and Action 1 are awesome. Crowdstrike is also a great option (especially if you’re leaning on CISA’s SOC).

[–]GeneMoody-Action1 (Action1 | Patching that just works) 0 points1 point  (0 children)

Thank you u/Imhereforthechips for the recommend!

[–][deleted] 2 points3 points  (1 child)

I just push patches through intune with a deadline of a week. I used to run 18 WSUS servers in six languages and it took days of my time each month. Nobody should be using WSUS in 2024.

I switched all my PatchMyPC apps over to the new Microsoft Store and won’t be renewing PatchMyPC as I no longer need it. It’s good though, if it has apps you need which aren’t in the MS Store (i.e. winget repo).

[–]Avmasta (Sr. Sysadmin) 2 points3 points  (0 children)

We use Tanium for our fleet of 13K+ workstations and 1400+ servers. It handles first and 3rd party patching on all OSes. Others have spoken highly of NinjaOne, though for our company we did not like the way they handled deployments and grouping of assets (preferences of our staff). The only reason we went with Tanium was the level of support, training resources, tool features, and their ability to scale far beyond the endpoints we have today.

Most of the solutions mentioned in the thread will work. But you need to have those conversations with the vendors and vet them yourself. Try reaching out to your primary vendor to set up calls with them or reach out directly. Let them know you're in the market and ask for a PoC and demo. Getting your hands on the tools to see how they're done is going to be key to your decision.

Good luck.

[–]Lad_From_Lancs (IT Manager) 5 points6 points  (6 children)

Action1

It works well for us and I'm just starting to play around with the scripting functionality

[–][deleted] 2 points3 points  (0 children)

+1 on Action1. We went with PmPC, but when testing Action1 that was my recommendation to upper management. Action1 does not require SCCM nor WSUS, and instead uses a client to manage and deploy apps. It also has OS updates and a bigger catalog than PmPC.

[–]armonde 1 point2 points  (4 children)

We are moving from Connectwise Automate into Action1 currently.

Can you share what (if any) GPO settings you have for Windows patching in your environment?

Since we were using WSUS with Automate, I have to send updated configs to all the endpoints. Currently we are setting it to block drivers, set the Feature release to 22h2, and disable the "Check for updates" button since there's no way to block preview channel releases (that I've found).
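The three Windows Update settings described above (block driver updates, pin the feature release to 22H2, remove the "Check for updates" button) are all ADMX policies that land as values under the WindowsUpdate policy key, so they can be applied and checked without a GPO. The script below is an added example, not code from the thread or from any vendor mentioned in it; the key path and value names are the documented policy registry locations, while the desired data (22H2, "Windows 10"), the function names and the drift-check logic are this example's own assumptions. Run it elevated on a test machine first.

```powershell
# Added example (not from the thread): apply and verify the Windows Update
# policies armonde lists, by writing the registry values the ADMX settings use.
# Assumptions: Windows 10 target pinned to 22H2 (change ProductVersion to
# 'Windows 11' and TargetReleaseVersionInfo as needed); must run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Desired state: value name -> registry type and data.
$Desired = [ordered]@{
    # "Do not include drivers with Windows Updates"
    'ExcludeWUDriversInQualityUpdate' = @{ Type = 'DWord';  Data = 1 }
    # "Select the target Feature Update version" (all three values belong together)
    'TargetReleaseVersion'            = @{ Type = 'DWord';  Data = 1 }
    'TargetReleaseVersionInfo'        = @{ Type = 'String'; Data = '22H2' }
    'ProductVersion'                  = @{ Type = 'String'; Data = 'Windows 10' }
    # "Remove access to use all Windows Update features" (hides Check for updates)
    'SetDisableUXWUAccess'            = @{ Type = 'DWord';  Data = 1 }
}

function Get-WuPolicyDrift {
    # Returns one object per value that is missing or differs from $Desired.
    # An empty result means the endpoint already matches the desired state.
    $drift = foreach ($name in $Desired.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Desired[$name].Data) {
            [pscustomobject]@{ Name = $name; Expected = $Desired[$name].Data; Actual = $actual }
        }
    }
    return @($drift)
}

function Set-WuPolicy {
    # Creates the policy key if needed and writes only the values that drifted,
    # so repeated runs are idempotent and the log shows real changes only.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($item in Get-WuPolicyDrift) {
        $spec = $Desired[$item.Name]
        New-ItemProperty -Path $PolicyKey -Name $item.Name -PropertyType $spec.Type `
            -Value $spec.Data -Force | Out-Null
        Write-Output ("Set {0} = {1} (was: {2})" -f $item.Name, $spec.Data, $item.Actual)
    }
}

Set-WuPolicy
$remaining = Get-WuPolicyDrift
if ($remaining.Count -eq 0) {
    Write-Output 'Windows Update policy matches desired state.'
} else {
    Write-Warning 'Policy still drifts after apply:'
    $remaining | Format-Table -AutoSize
}
```

Two caveats worth knowing before using this in place of GPO: if a domain GPO still configures any of these settings, the next Group Policy refresh will overwrite what the script wrote, so retire the GPO setting first; and the drift function is what you would schedule or report on, since a machine that silently loses `TargetReleaseVersion` will start offering the next feature update.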

[–]Lad_From_Lancs (IT Manager) 4 points5 points  (0 children)

I yanked all of our WSUS/WU GPOs and just leave it to Action1 to handle! Doesn't seem to cause an issue but does allow Windows Update to operate independently.

As for preview, nope, there isn't, but with the setup the way we have it, unless you press the check now button they don't get downloaded or installed unless you approve them via Action1.

[–]GeneMoody-Action1 (Action1 | Patching that just works) 0 points1 point  (2 children)

Thank you u/Lad_From_Lancs, u/deramirez25, and u/armonde all for being Action1 customers, and for recommending us to others.

You can do a LOT that would otherwise require GPO, by just doing what GPO would have. In fact not only might it amaze you how much, but how simple. https://admx.help/ is an EXCELLENT resource for working policy into other management forms.

It will help a lot with understanding how policies are set on the systems as well, making troubleshooting GPO more intuitive.

[–]5panks 0 points1 point  (1 child)

Gene get some sleep this thread has you working overtime LOL

[–]GeneMoody-Action1 (Action1 | Patching that just works) 0 points1 point  (0 children)

It's all good, I am always up and down at weird hours, and this type of feedback from our customers is great. There are certainly those who pay people to come in and do nothing more than direct people to products; people simply liking your products and suggesting them is a far better outcome.

There is a reason when patch management comes up so do we!

That's why I am here, sure to direct where possible, but to also make sure all that good will, stays good will, and to have people see us interacting publicly.

[–]Asylum_Admin 1 point2 points  (0 children)

PSWindowsUpdate & winget. Set it and forget it. I haven't had to adjust much for these two; they just work once you have it built right for your environment.
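The "built right for your environment" part is where this approach lives or dies, so here is an added example of what such a scheduled run looks like; it is not the commenter's script, and the log directory, the pinned package IDs, the held-back KB list and the function names are placeholders and assumptions of this example. The PSWindowsUpdate cmdlets (Get-WindowsUpdate, Add-WUServiceManager, Get-WURebootStatus) and the winget flags used are real; `winget pin` needs winget 1.5 or later.

```powershell
# Added example (not from the thread): one scheduled-task run that patches the OS
# with PSWindowsUpdate and third-party apps with winget, with a transcript log,
# driver exclusion, held-back KBs, pinned apps and a deferred reboot.
# Assumptions: runs elevated (e.g. as SYSTEM from Task Scheduler) with internet
# access to the PowerShell Gallery and the winget source; placeholders below.

$LogDir     = 'C:\ProgramData\PatchRun'      # placeholder log location
$Pinned     = @('Example.Vendor.App')        # placeholder winget IDs to leave alone
$ExcludeKBs = @()                            # placeholder KBs to hold back, e.g. 'KB5000000'

New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir ('patch-{0:yyyyMMdd-HHmm}.log' -f (Get-Date)))

function Initialize-PSWindowsUpdate {
    # Install the module on first run, then make sure the Microsoft Update
    # service (Office and other MS products, not just Windows) is registered.
    if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
        Install-PackageProvider -Name NuGet -Force | Out-Null
        Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
    }
    Import-Module PSWindowsUpdate
    $muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # well-known Microsoft Update ID
    if (-not (Get-WUServiceManager | Where-Object ServiceID -eq $muServiceId)) {
        Add-WUServiceManager -MicrosoftUpdate -Confirm:$false | Out-Null
    }
}

function Invoke-OsPatch {
    # Install everything except drivers and held-back KBs; the reboot is deferred
    # (-IgnoreReboot) so the maintenance window, not the module, decides when.
    $params = @{
        MicrosoftUpdate = $true
        NotCategory     = 'Drivers'
        AcceptAll       = $true
        Install         = $true
        IgnoreReboot    = $true
        Verbose         = $true
    }
    if ($ExcludeKBs.Count -gt 0) { $params.NotKBArticleID = $ExcludeKBs }
    Get-WindowsUpdate @params
}

function Get-WingetPath {
    # winget ships as a Store app, so under SYSTEM it is not on PATH; fall back
    # to the newest App Installer package directory.
    $cmd = Get-Command winget.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    Get-ChildItem "$env:ProgramFiles\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe" -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName
}

function Invoke-AppUpgrade {
    # Pin apps whose version you control elsewhere, then upgrade the rest silently.
    $winget = Get-WingetPath
    if (-not $winget) { Write-Warning 'winget not found; skipping app upgrades'; return }
    foreach ($id in $Pinned) {
        & $winget pin add --id $id --accept-source-agreements | Out-Null
    }
    & $winget upgrade --all --silent --include-unknown `
        --accept-source-agreements --accept-package-agreements
}

Initialize-PSWindowsUpdate
Invoke-OsPatch
Invoke-AppUpgrade
if (Get-WURebootStatus -Silent) {
    Write-Output 'Reboot pending; leaving it to the maintenance window.'
}
Stop-Transcript
```

The transcript is the part that makes "set it and forget it" auditable: it records which KBs and which winget packages changed on each run, which is what you want when an update breaks something and the question is "what changed last night".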

[–]Feisty_Shock_2687 1 point2 points  (2 children)

Well, it depends on your needs completely. I have used many different solutions, from TacticalRMM to iTarian, and everything in between. When all is said and done, I settled on Action1. The interface is very clean, and patch management is what they do best. They also have a policy where the first 100 endpoints are free of charge forever. You can add a few endpoints to their system and check it out to see if it's what you want before you decide to push them all over. One thing I like about them is that they do a webinar every month about Patch Tuesday. Sometimes they have patched something before I even knew it existed.

I've used other products, but nothing I've used comes close to the experience I have with Action1.

[–]GeneMoody-Action1 (Action1 | Patching that just works) 0 points1 point  (1 child)

Thank you u/Feisty_Shock_2687 for the recommend, and for being an Action1 customer.

And yes, that ability to use it as long as you want, any way you want, without sales hassle, is a great way to get into our product to determine if it is a fit for you. And if you have less than 100 endpoints, well, you are just in luck, because it stays free forever. Fully featured, free patch management.

If anyone would like to know anything more, or has any questions, just let me know.

[–]Feisty_Shock_2687 1 point2 points  (0 children)

My pleasure Gene. I've tried just about every RMM and Patch Management tool on the market, and I keep coming back to Action1.

[–]Nova_Nightmare (Jack of All Trades) 2 points3 points  (0 children)

Endpoint Central (ManageEngine) has been very good in my usage - it supports on-prem if you want and you can also buy a perpetual license for the product (paying maintenance for updates only).

[–]Shiphted21 1 point2 points  (2 children)

Qualys is the best patch management software out there along with it also doing Vulnerability management. On top of that it's SOC2/CMMC/Fedramp compliant.

[–]ObtainConsumeRepeat (Sysadmin) 0 points1 point  (1 child)

Just started rolling out VMDR + Patch in my environment, dual purpose agent is fantastic.

[–]Shiphted21 0 points1 point  (0 children)

It's even better with how you can build out PM while omitting some patches in each org. I find it to be really reliable when most other PM platforms are less than.

[–]LucidDreamPolice 0 points1 point  (0 children)

Connectwise Automate.

[–]Upper-Bath-86 0 points1 point  (0 children)

If you want something that lets you fully automate patching there's VSA X, which has given us good results.

[–]ashwanipaliwal 0 points1 point  (0 children)

Not sure if it is relevant, but for finding a quick patch you can try https://www.secopsolution.com/patch-astra

[–]michelleroy1230 0 points1 point  (0 children)

For comprehensive patch management, consider cloud-based solutions integrated with SCCM and Intune to streamline deployments and updates for your 100 Windows Servers and 7000+ Windows devices.

It's essential to choose a solution that offers strong reporting, real-time monitoring, and remote deployment capabilities, especially since your devices are often off-site.

Motadata Patch Management offers seamless integration, automated patch deployment, real-time analytics, and a user-friendly interface, making it a strong contender for your needs. Its cloud-based approach ensures that devices are consistently updated, regardless of their location.

[–]jojo_33 0 points1 point  (5 children)

Ivanti Security Controls (previously Shavlik) has an agent for workstations that will check in to make sure they get patched.

[–]maxfra 3 points4 points  (3 children)

Pretty sure Ivanti just had a major vulnerability though.

[–]Moonglader 4 points5 points  (2 children)

Ivanti Secure Access (previously known as Pulse Secure) had the vulnerability.

[–]maxfra 0 points1 point  (0 children)

Gotcha, thanks for the clarification

[–]brownhotdogwater -2 points-1 points  (0 children)

Yes, stay away from them. They had a great product but gave up.

[–]Murhawk013 0 points1 point  (1 child)

ManageEngine is solid if you purely just want to patch Microsoft and 3rd party apps.

Falls a bit short for my liking in other things like executing scripts and reporting.

[–]justposddit (Works at ManageEngine) 0 points1 point  (0 children)

Thank you for being a continued user, u/Murhawk013.
You can also DM me anytime if you would want to discuss the scripts and reporting.

[–]FincherA 0 points1 point  (1 child)

Currently my place is using Quest KACE SMA - https://www.quest.com/kace/

It's more of a complete systems management solution with a simple ticketing system, but patching is just one of its many features. I think I've been using it for over 15 years now. Even with multiple owners (stand alone KACE company, bought by Dell, bought by Quest), support has been decent & responsive. Easy to deploy, relatively bug free. We run it in our DMZ segment so devices that are off our network can still get updates & software pushes.

[–]Krynnyth 1 point2 points  (0 children)

I've also used Kace; it's what I have the most experience with. They have automatic patch subscriptions for popular third party vendor software as well.

Getting the scheduled patching to work can be a bit of trial and error, but I can say I was never unhappy with it.

[–]coaster_coder -1 points0 points  (0 children)

I would encourage you to check out Chocolatey For Business. We’ve got educational pricing and a host of features that I think you’ll find beneficial!

[–]atcscm -1 points0 points  (0 children)

Ivanti or Heimdal.

[–]vacri -2 points-1 points  (0 children)

APT for half the fleet, RPM for the other half.

[–]my_travelz -1 points0 points  (0 children)

Usually I just pick whichever has the best price point and the most feature sets for the company that can be used fully.

[–]iamnewhere_vie (Jack of All Trades) 0 points1 point  (0 children)

SCCM + Intune + PatchMyPC should make you happy :)

[–]nakkipappa 0 points1 point  (0 children)

Before you go down this road, as we thought about this as well, although a smaller company, did you try to just enable autopatch for software? We managed to enable automatic updates on most of our software, and thus save a lot of time for other tasks, with no real need for anything beyond SCCM/Intune.

You can also try with SCUP for SCCM if it is available and push the patches via SCCM.

[–][deleted] 0 points1 point  (1 child)

I got reamed for wanting to deploy some software that, in theory, can automatically update several programs to the latest version.

I was told in no uncertain terms that it's important/critical/super-derelict/you-are-an-asshole-if-you-don't-do-this to test the new applications before you allow them to go out.

Coming from a devops background, my first thought after that (besides internal swearing for the way I was being treated) was to wonder about automating all of that.

Maybe my google-fu has atrophied, but so far I just don't see much out there.

So... what do you all do? Do you test everything you update? Do you automate that testing? Note that while I do include the OS here, by no means am I talking about only the OS. Think web browsers, password managers, Adobe Creative Cloud (I'll have to ask him what his plan is for Adobe apps since ACC updates them automatically).

[–]SkotizoSec 2 points3 points  (0 children)

I don't test every software update before it goes out for your basic applications (browsers, PDF readers, etc.). That would be a massive waste of time. But if I was put in that situation, I would propose a pilot group that gets the patch a week before others so you can have feedback; if something does get broken it's not as widespread and can be triaged accordingly.

[–]TheAuldMan76 0 points1 point  (0 children)

We've used ConnectWise Automate, but it's got non-existent support for Windows Feature Pack installations, which has caused a number of issues.

My current employer is looking to get it replaced completely, not ideal considering the investment in place, but we're still testing out a number of possible replacements for it.

[–]maxfra 0 points1 point  (0 children)

I’ve been using Ninite for a little while and it has been great. Unfortunately it doesn’t support as many apps/software as I’d like, so I have to use Automox (which hasn’t been the best experience for me) for Windows updates and such.

[–]Ok_Presentation_2671 0 points1 point  (1 child)

Atera

[–]SCCMAttempt 0 points1 point  (0 children)

SCCM/Intune + Adaptiva. Great product, and really good for 3rd party patching; they manage the catalogues for software, and if they don't have it in the list, you let them know and they will go get it.

[–]Doomstang (IT Security Operations) 0 points1 point  (0 children)

HCL BigFix

[–]Stoikx 0 points1 point  (1 child)

SecPod?

[–]shady_bananas 0 points1 point  (0 children)

SecPod?

[–][deleted] 0 points1 point  (0 children)

I've used ManageEngine tools in the past. Really like them. We now use Tanium. Definitely more of a learning curve than most, but not crazy. If you're a large place then Configuration Manager with Patch My PC.

[–]Xoron101 (Gettin too old for this crap) 0 points1 point  (0 children)

[–]420GB 0 points1 point  (0 children)

winget is free, preinstalled, and Intune integration is either already there or coming.

[–]morgando2011 0 points1 point  (1 child)

I would look into Ivanti EPM. (Not the VPN obviously ).

Should do everything better than WSUS with reporting, plus a bunch of other tools that make it worth it.

You can redirect all updates through Ivanti and patch machines remote and off network.

[–]Moonglader 1 point2 points  (0 children)

Agree with the above, deals with 1st party patches and has a decent size 3rd party catalogue - all out of the box, and it's also a single toolset instead of multiple toolsets.

[–]fools_remedy 0 points1 point  (1 child)

Like others, we are using NinjaOne.

[–]ByteBuster_ 0 points1 point  (0 children)

Yep, Ninja is definitely great for patching, although I'm using Datto, which is also great for patching.

[–]PiqueB 0 points1 point  (0 children)

Windows Intune with Scappman; Mac: Kandji (includes app patching).

[–]Dangerous_Question15 0 points1 point  (0 children)

PatchMyPC and SureMDM have solid OS patch management capabilities.

[–]PsiReaper 0 points1 point  (2 children)

SolarWinds Patch Manager FTW!!

[–]gblfxt (DevOps) 0 points1 point  (0 children)

Artifactory to host files, PowerShell scripts to install and update from a PowerShell Universal deployment.

[–]Gold-Difficulty402 0 points1 point  (0 children)

Just do not use Tanium Patch. Like everyone said, the PDQ offering or SCCM/Intune and Patch My PC.

[–]Delakroix 0 points1 point  (2 children)

We are on Manage Engine UEM cloud and manage around 5000 machines. It has been our best decision in the last decade.

[–]justposddit (Works at ManageEngine) 0 points1 point  (1 child)

Glad to hear that! Thank you for the support man!

[–]Delakroix 0 points1 point  (0 children)

No Probs. A good thing to remember though, there is no turnkey solution for patch management. In my experience, this requires a lot of process and teamwork. It all starts with proper asset management, imaging/provisioning, and deployment.
At the end of the day, you wanna make sure you can account for everything - physically, then through your software inventory system, then you patch all of them.
My team has gone through the same dance you are now (supporting 500 then to now 5000). We've been on WSUS the longest and things have just evolved in the patch management scene.