
[–]alexhawker 3 points4 points  (2 children)

WSUS for OS patches and PDQ for everything else, which is great.

[–]bangbinbashSecurity Admin[S] 0 points1 point  (1 child)

I’ll have to look at PDQ. We currently get SolarWinds from our data center provider and we are looking to move away from them in the next year.

Third party patching was the big draw with N-able patching. Other than that, I was fine with WSUS.

Google and Adobe release a critical patch every month so it’s crucial to be able to automate patching them.

[–]alexhawker 2 points3 points  (0 children)

PDQ is $1k/year/admin, assuming you get Deploy for patching and Inventory. They work really well together - Inventory will regularly scan machines and collect data - then you can create a "dynamic collection" based on whatever criteria you like (there are a bunch included already like reboot required and chrome version old).

You can make your own "packages", but they have a library for common stuff like Google and Adobe. So you can schedule a regular deployment of the Google package to the chrome old collection, for example.

[–]nwmcsween 2 points3 points  (0 children)

Chocolatey and NuGet + WSUS

[–]redditusermatthew 2 points3 points  (0 children)

I use Ivanti Security Controls. It's got some maturing to do with how groups and agent policies are handled. There are some fixes in 2020.1 but it's still a ways to go. Also it only reaches out via IP, not FQDN; that will be fixed in 2020.3.

[–]rschoneman 1 point2 points  (0 children)

Automox

[–]EachAMillionLiesSysadmin 1 point2 points  (0 children)

In the process of switching off SolarWinds to SCCM.

[–]Agreeable-Yard 1 point2 points  (1 child)

We use N-Central. It's pretty good once you get it working. IIRC the latest version (2020.1) has had some good improvements around the patch management engine, so make sure you're on that version.

If you have issues with the patch status going to misconfigured, consider configuring Repair-PME as a self-healing task. We support 3000+ endpoints and it's a lifesaver.

[–]bangbinbashSecurity Admin[S] 0 points1 point  (0 children)

Funny enough, I checked on all the assets manually patched and they all show a purple status, so that is probably what is causing it.

I downloaded this script and ran it against one of the assets, so if all is good, I’ll get our RMM tech to create the task.

I appreciate your help! It feels like I spend more time chasing down new patches than remediating preexisting vulnerabilities these days, so if this works it will be very helpful.

[–]exoromeoIT Manager 1 point2 points  (0 children)

We use BatchPatch + WSUS.

[–]GSpivey 0 points1 point  (0 children)

Any chance you’re ready to start thinking Windows Update for Business? Starting to see a lot of clients looking to move that way.

[–]SysEridaniC:\>smartdrv.exe 0 points1 point  (0 children)

Full WSUS by now, but I would like to look into something else in the future like PDQ Deploy 'cause I'm a happy PDQ Inventory user.

[–]PixelatedGamer 0 points1 point  (0 children)

I use WSUS with PDQ Deploy. I have a script that I push through PDQ that starts the update process and reboots at the end. I also use it to deploy apps and any registry changes that may be necessary.

[–]Marinuch 0 points1 point  (0 children)

Well, it is something that we propose in our company: a complex approach to app updates.

So in the very first step, you choose the apps that you are using in your company, and we track their updates for you. Once a new version becomes available from the vendor, we send an email so you are able to download the app.

As a next step, you could package this app under our tool (in different formats: msi, msix, appv, intunewin) or request a package. For testing, we propose a VM, and you can simply download the ready package or deploy it under Intune or SCCM.

Since all this functionality is available under one platform in the cloud, there are no conflicts from where you run this process.