With new software vulnerabilities and exploits appearing daily, it's vital to install Windows and application security patches just as soon as they're released. Unfortunately, that's not always easy.
The standard approach to patch management lets every app handle its own updates. You must make sure the apps are set up correctly, allow them to run any standalone updaters, pay attention when they raise alerts, and spot any problems. (Ever run a PC speedup tool, for instance? Some will disable software updaters to improve boot times.)
A dedicated patch manager replaces this chaos with a single central interface to scan multiple apps for updates, report any missing patches it finds, and (sometimes) automatically rectify the situation.
The simplest of these tools work as little more than PC update reminders. They'll warn you when new patches appear, and you then sort out any updates yourself. Sometimes that's a minor hassle, but in some instances it takes mere seconds (in Chrome, click Help > About > Update and the browser sorts out everything else).
The most powerful enterprise-level patch managers can scan systems on your network (often across multiple platforms), detect missing patches (both third-party apps and operating system updates), remotely install them on your preferred schedule, and even roll back any updates if there are problems.
This technology has risks, as well as advantages. If a poorly configured patch manager downloads the wrong update file, for instance, it might break your application, or even affect your entire PC. It's important to choose your manager carefully, and ensure you know how to cope if anything goes wrong.
There are plenty of great patch managers around, though. In this article we'll discuss options for everyone from newbie home users to big corporations. Whatever you're after, most products are available in free or trial forms, so it's easy to take them for a spin and find out what works for you.
Avira Software Updater is a simple patch manager which helps you spot the latest updates for more than 150 popular applications.
Avira doesn't provide a full list of its supported applications, unfortunately, but it seems to include Microsoft Office, Chrome, Firefox, Opera, Adobe Reader, Adobe Flash, CCleaner and more.
Software Updater can also scan for out-of-date drivers, but we wouldn't recommend that. You're unlikely to see any major benefits (drivers rarely get significant security patches that Windows won't handle itself), and a failed or poorly chosen driver update can seriously mess up your PC. Leave driver updates to Windows; it's much safer.
The free version of Software Updater (available standalone, there is no need to install Avira Antivirus) scans your system on launch, displays missing patches, and – that's it. There's no automatic update option, no scheduling or anything else. Clicking a globe icon should take you to the developer's product page, so you can download the update yourself, but even that doesn't always work as you expect.
The Google Chrome download link took us to Google.de, for instance, Google's German language site. That's not a big deal – Google automatically translated it for us, and the download would still have worked – but it's an example of how a software updater may use update links and files that you wouldn't see normally.
This won't be an issue for everyone. Arguably the safest way to use any software updater is to get reminders of any missing patches, but then to find and install them yourself. Your software stays current, and you don't risk problems caused by the updater using the wrong patch or not installing it properly.
If automatic updates are a must, Avira's Software Updater Pro is available on the annual plan. It supports Windows updates, too, and includes unlimited customer support via a toll-free number and email.
Security vendor Avast has interesting software update tools covering three levels of user.
Bargain hunters and beginners can install Avast Free Antivirus to get its basic Software Updater. This scans for missing patches, includes a 'What's changed?' link (where possible) to explain what's in an update, and can download and silently install your chosen updates with a click.
Avast's Premier and Ultimate security suites add the ability to automatically install updates as they're detected.
Top of the range, though, is Avast's Business Patch Management. Deploy this with one of Avast's managed antivirus products (Antivirus, Antivirus Pro, Antivirus Pro Plus) across your network, and it allows you to check the update status for a vast range of Windows apps from 100 top vendors: Adobe, Google, Microsoft (Windows and applications), Mozilla, Piriform, WinZip and more.
Avast says there's support for thousands of applications, but keep in mind that as with many competitors, this includes multiple versions. Firefox is counted 72 times, for instance. For a more realistic view of the total, take a look at this PDF of the full application list.
You get vast control over how and when the scan and patching process works. Instead of being forced to scan your entire network at the same time, you're able to set up special rules for each device, or define particular apps or vendors you'd like to exclude. You can choose when to deploy patches (immediately, on a schedule, manually) and decide what should happen afterwards (ask the user, request or even force a reboot).
Comprehensive reports help you see exactly what's going on across your network, covering everything from the most patched applications to details on patches which haven't deployed (important information if the same update is regularly failing across your network).
Avast Business Patch Management is very fairly priced, starting from $29.99. There's no minimum number of devices, making the package suitable for any small business, or maybe even a home network. And if any of this sounds interesting, a free trial gives you 30 days to find out more.
GFI LanGuard is a comprehensive patch manager for businesses, or anyone with 10 or more systems to protect.
The tool is designed to cover your entire network, and can handle updates for multiple operating systems, including Windows 7-10, Windows Server 2003-2012, along with Mac and assorted Linux distros.
If you prefer to leave your OS to handle its own updates, that could be wise, but GFI LanGuard also supports more than 80 third-party apps.
Although we're mostly interested in patch management, GFI LanGuard also includes industrial-strength network auditing and vulnerability scans. Reports might highlight issues with installed applications, your security tools, mobile devices connecting to your network, open ports, file shares, and more.
Start to install GFI LanGuard and it's immediately obvious that this isn't a product for beginners. It prompted us to install SQL server, then a web server, and even when it was running, it took us a while to find out how to do as much as run a scan.
However, put in the effort and you'll get some very impressive results. Items are organized into lists of missing security updates, non-security updates and Windows service packs and update rollups. You can also view recently installed updates, a handy way to see that all is well. All updates have descriptions, notes on severity, and even a link to the developer's website where you can find out more.
You can opt to update some or all missing patches, either immediately or at a specific time. If you're deploying patches to another computer on your network, you can choose to warn the user beforehand, as well as what happens afterwards (do nothing, shut down, reboot and so on).
A free 30-day trial provides a risk-free way to explore what's on offer. Beware, though, that's not as generous as it sounds: GFI LanGuard comes so crammed with functionality you'll probably wish the test period was longer.
ManageEngine Patch Manager Plus is a very powerful tool for deploying patches across Windows, Mac and Linux systems.
Patch Manager Plus updates operating systems, Microsoft Office and a host of Office components, and a decent list of third-party apps, too. Although it's very business-oriented, there's a good range of apps that any experienced home user might have on their PC: 7Zip, Adobe Reader, CCleaner, Chrome, FileZilla, Firefox, IrfanView, Opera, Recuva, RoboForm, and more (check out the full list here – 350+ apps are supported in total).
This isn't some basic software updater where you have to manually check for or initiate updates. Everything can be automated, from checking local systems for missing updates, to downloading as required, deploying updates, and sending you detailed reports on progress.
The entire process is highly configurable. You're able to schedule scanning by time, group or some custom collection of devices, for instance, then deploy in your preferred time window and with per-device custom actions (display alerts, reboot and so on).
This flexibility has all kinds of advantages. If you're managing a large number of devices in a business, for instance, you can deploy critical patches to a small test group of PCs first, and wait for them to be approved as safe (another process you can automate) before rolling them out across the company.
Although Patch Manager Plus isn't exactly difficult to use, the sheer weight of features means you've plenty to learn before you'll be able to find your way around. It's well worth a look for demanding users, though, especially as a Free Edition enables protecting up to 20 computers and 5 servers.
If that's not enough, commercial plans are reasonably priced. For example, Patch Manager Plus supports up to 50 computers, and adds extras like support for a distribution server to serve patches from your local network (so there is no need for every device to download them separately) at just $345 a year, as low as $0.58 per device per month.
Chocolatey is a comprehensive package manager for Windows which can automate installing, updating and uninstalling all your software.
This isn't a tool for newbies. Chocolatey makes heavy use of PowerShell and is run from the command line, rather than a graphical interface, so you'll need some knowledge and experience to get the most from the product. But if you're willing to spend some time learning the basics, don't necessarily let that put you off.
There's nothing difficult about Chocolatey's basic commands, for instance. Here are three examples:
- choco install firefox
- choco upgrade firefox
- choco uninstall firefox
It's very obvious what they're going to do, and now you've got the basic idea, you can probably figure out how to do the same with a host of other apps (for example, just replace 'firefox' with 'googlechrome', 'adobereader' or whatever other app you need).
Chocolatey works its magic with 'packages', PowerShell files which automate the install, upgrade and uninstall tasks for each app. Users can create packages for their own use or share them with others, and as a result of this flexibility, Chocolatey now supports more than 7,000 apps.
Although Chocolatey doesn't have the built-in automation options of specialist patch management tools, you can get a lot done with some very simple scripts. The single command 'choco upgrade all' will upgrade all installed apps, for instance; just run that when your device boots, maybe as a scheduled task, and the system will automatically keep itself updated.
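The boot-time scheduled task described above, as an added example (it is not from the original article or from the Chocolatey project). The task name, the folder under ProgramData, the wrapper file name and the 30-log retention are assumptions chosen for illustration; run it once from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: run 'choco upgrade all' at boot as a scheduled task, with logs.
# The task name, folder and file names are assumptions, not Chocolatey defaults.

$TaskName = 'Choco-UpgradeAll'
$WorkDir  = Join-Path $env:ProgramData 'ChocoUpgrade'
$Wrapper  = Join-Path $WorkDir 'upgrade.ps1'

# Stop here if Chocolatey is not installed.
$null = Get-Command choco.exe -ErrorAction Stop

# The wrapper will run as SYSTEM, so only SYSTEM (S-1-5-18) and
# Administrators (S-1-5-32-544) may write to the folder that holds it.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
icacls.exe $WorkDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Packages that must not change unattended can be held back beforehand:
#   choco pin add -n <package>

# Wrapper script the task runs: log what is outdated, upgrade, log the result.
@'
$log = Join-Path $PSScriptRoot ('upgrade-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
'== outdated before upgrade (name|current|available|pinned) ==' | Out-File $log
choco outdated -r 2>&1 | Out-File $log -Append
'== choco upgrade all ==' | Out-File $log -Append
choco upgrade all -y --no-progress 2>&1 | Out-File $log -Append
$code = $LASTEXITCODE
"exit code: $code" | Out-File $log -Append
# Keep the 30 newest logs.
Get-ChildItem $PSScriptRoot -Filter 'upgrade-*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -Skip 30 | Remove-Item
# 0 = success; 1641 and 3010 = success with a reboot initiated or required.
if ($code -in 0, 1641, 3010) { exit 0 } else { exit $code }
'@ | Set-Content -Path $Wrapper -Encoding UTF8

# Run the wrapper at startup as SYSTEM, once the network is available.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$Wrapper`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -RunOnlyIfNetworkAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm the task exists and show its state.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Each run leaves a timestamped log in the ChocoUpgrade folder, so a failed or unexpected upgrade can be traced to the package and version involved.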
Chocolatey is available for free in its very capable open source form. Commercial plans add all kinds of handy package-building options, reporting features and other enhancements, and prices start at $96 for up to 8 personal devices, or $16 per device for business use.
Ninite is a simple tool for installing and updating a lot of Windows apps at once.
The service stands out for its streamlined, web-based interface and its automated installers. If you decide you need to install or update Chrome, Firefox and Opera on a PC, for instance, this is all you need to do: go to Ninite.com; check the box for each browser; click Download to download a custom installer, and run it to install or update the browsers.
That's it. Really, it's that simple. No need to register, create an account, hand over your email address – there aren't even any ads. You'll be done in 30 seconds, maybe less.
It's not all good news. Although Ninite supports 90+ apps, and some big names among them – the main browsers, Skype, various free antivirus tools (Avast, AVG, Avira), iTunes, .NET, Java, Google Earth, Steam – it's mostly focused on open source and freeware projects. If you're looking for a PDF viewer, for instance, there's no Adobe Reader; instead you get Foxit Reader, maybe SumatraPDF or CutePDF.
The free Ninite only has the most basic features, too. Once you have your installer, you can share it with others, then run it to install your chosen apps, or update any that are missing patches. But there's no automation, no scheduling, no reports or anything else.
Ninite probably works best as an easy way to install your favorite apps on a new PC. You can equip your new hardware with Chrome, Steam, 7-Zip, IrfanView, Paint.NET, Google Earth and more in a fraction of the time it would take if you installed them manually.
Ninite's simple updating is worth a try as well, though, and businesses who need more can check out Ninite Pro. Install the Pro agent on each system and they show up on your web management interface, with all their installed app details, and you can update them manually or automatically with a range of configuration options.
Ninite Pro still can't match the vast power of tools like GFI LanGuard, but that's reflected in the price. This starts at only $1 per device per month for up to 20 devices, but falls as you add more, so for example 700 devices would cost only $0.41 per device per month.
Best free patch management tools
Patch My PC is a free Windows program which can help you monitor over 300 popular apps, automatically detecting any updates and (optionally) silently downloading and installing any patches it finds.
The '300 apps' figure is boosted a little by the inclusion of products which are obscure, obsolete or both (Bitdefender Anti-Ransomware, Imgburn, Microsoft EMET – the full list is here). But it's still better than many competitors, especially for a free product, and geeks will appreciate some of the more technical apps it supports: Angry IP Scanner, Atom, Brackets, GIMP, Sysinternals Suite, and more.
Unusually, Patch My PC doesn't require installation, or ask you to hand over your email address or other personal details. Launch it and the program detects your installed apps (and portable versions), displaying up-to-date products in green and any which are missing patches in red.
Patch My PC's interface is a little cluttered, and doesn't always work as you might expect. Its scan report doesn't give you a table of results you can work with individually, for instance (update these two immediately, ignore that for now, don't check these apps in future, say). The results are plain text only, and you can't do anything but look at them.
If you're more interested in speed and automation, though, the program works very well. You can have it install all missing patches with a click, for example. And a well-designed scheduler enables automatically checking for updates at your preferred time and frequency, with the option to run it again later if a check is missed (because your PC was turned off, say).
Patch My PC also works well as a simple application manager. It's easy to create a custom list of your ten favorite apps, say, and have the program set them all up for you on a new PC. And a built-in Uninstaller lets you remove multiple apps in a single operation.
An interesting range of bonus options includes the ability to cache updates in a local folder. If you're running Patch My PC on a USB key, for instance, it will save new updates to a local folder. Plug the key into other PCs, and if they need the same update, they'll use the cached copy rather than download it again.
KC Software's SUMo (Software Update Monitor) is a veteran patch manager that's been helping PC owners update their systems for many, many years.
This experience brings some immediate and very obvious benefits. While Patch My PC supported 29 applications on our test PC, SUMo recognized 70. It counted some of these twice – BlueStacks, PaintShop Pro – so this was a little misleading, but even so, the package still found more applications and updates than anything else we've tried.
We would like to tell you exactly how many apps SUMo supports, but unfortunately, the website doesn't say, and the company didn't give us a figure, either. It seems to work with most of the products you'd expect, though – browsers, Adobe Reader, Flash, more – and a page on the website facilitates searching the database for any apps you particularly need.
SUMo's free users won't necessarily be pleased to hear about its wide software support, because there's no support for automatic updates. All you get is a web page to launch searches for the package on Google and popular download sites. For every update it spots, you must find the correct site, the page, the download, all by yourself.
Upgrading to SUMo Pro improves the situation a little, getting you a direct link to the product page for your app. There's still no automatic download and installation, though, and it's expensive for what you get.
Thor Free is the software updating module from Heimdal Security's commercial range of security suites: Thor Vigilance, Thor Foresight and Thor Premium. As the name would suggest, it’s free to download and use.
As we write, the package supports updating around 100 apps (or around 60, if we exclude those with multiple versions). The full list is available on the website.
Thor Free has the same interface as Heimdal's full-strength suites, making it a little bulkier than most of the competition. Our opening screen had four greyed-out areas with 'Upgrade' messages, for instance, and one button which led to the actual updating module, which Thor calls 'X-Ploit Resilience.'
Even the main Thor Free module isn't as straightforward as usual. There's no Scan button, and we had to check a 'Monitor' option before Thor Free looked for updates. And once you get the report, all you can do is tell Thor Free to automatically update that package in future, or leave it up to you.
There's not a lot of power or configurability here, then, but the few features you do get seem to work very well. Once we checked the Monitor and AutoUpdate boxes for our chosen apps, Thor Free automatically detected updates, downloaded and silently installed them in the background, without hassling us in any way.
Npackd is an interesting open source application store for Windows which can help you find, install, update and uninstall a host of popular apps.
The package supports an impressive 1,469 apps at the time of writing. That's not quite as good as it sounds, because many apps count at least twice for 32-bit and 64-bit downloads, plus many are low-level runtimes rather than applications you actually want to install (there are 13 downloads supporting 'WinRT Intellisense', for instance). Still, even if we ruled out all of those, there's a lot more here than you'll see with most of the competition.
Launch Npackd and its full catalog appears in a simple table, along with the current version of all apps, and whatever version you have installed. It's a very long list, but fortunately you can filter it by category (Music, Productivity, Security and so on) or by entering part of an app name in the Search box.
Select one or more apps and you can have Npackd silently install (or uninstall) them all in a couple of clicks. Choose the 'Updateable' category and Npackd displays every supported app you've installed with a missing patch. Again, select them all, tap Install, and Npackd will quickly run its update tasks.
We noticed some technical and interface oddities. Npackd didn't seem able to detect the currently available version for quite a few apps, for instance, which presumably will make it impossible to safely update them. Some apps didn't properly install for us, either, although the package does at least provide quite a few ways to address this. (You can look at the commands used during the installation, for instance, or open the app website directly to check version numbers.)
The interface doesn't directly enable automating, scheduling or otherwise managing your updates, either. Although there's a lot you can do – add support for custom apps, for instance, or manage tasks from the command line or scripts – you'll need some Windows experience to get the most out of the system.
Still, overall it's a capable product, and well worth a look for more demanding users.
RuckZuck is a free and very easy to use software package manager for Windows. And it really is seriously easy to get to grips with. You don't have to install anything or create an account, for instance. Just download and run the portable version and you're ready to go.
The interface is extremely simple. Launch RuckZuck, and after a few seconds it tells you how many updates, if any, are available for your installed apps. Click that button and RuckZuck lists them all, highlighting the current and latest version numbers. Clicking Update All silently updates everything on the list, or you can select one or more apps and update only those.
If you think that sounds basic, you'd be right, but RuckZuck has more to offer. A command line tool enables automating updates from your own scripts, for instance. Installing RuckZuck's OneGet Provider gives you custom software updating PowerShell commands, and enterprise users can even get integration with Microsoft's System Center Configuration Manager.
RuckZuck's software catalog looks impressive, too, with hundreds of apps supported: 540 at the latest count. It's not quite as good as it seems – there are a lot of open source and freeware projects you may not even recognize, let alone use – but you'll find plenty of popular apps, too: 7-Zip, .NET, Adobe Reader, Chrome, CCleaner, FileZilla, Firefox, IrfanView, iTunes and more.
Our main reservation is that RuckZuck is a small project – and entirely free to use – so it doesn't have the people or resources behind it that you'll see with the bigger names. That's not really a criticism – it's a huge achievement that RuckZuck does so well – but it inevitably means it can't possibly have as much testing or as many updates as the well-funded competition. And although the developer is very responsive, generally identifying and fixing problems within a day or two, he can't possibly replace the professional support team you'd get with a commercial service.
Experienced users should check out RuckZuck anyway, as it's a likeable tool with a lot to offer. But if you're a business user, looking for maximum reliability and guaranteed speedy support if anything goes wrong, you'll probably be better off elsewhere.