Best patch management tools
With new software vulnerabilities and exploits appearing daily, it's vital to install Windows and application security patches just as soon as they're released. Unfortunately, that's not always easy.
The standard approach to patch management lets every app handle its own updates. You must make sure the apps are set up correctly, allow them to run any standalone updaters, pay attention when they raise alerts, and spot any problems. (Ever run a PC speedup tool, for instance? Some will disable software updaters to improve boot times.)
A dedicated patch manager replaces this chaos with a single central interface to scan multiple apps for updates, report any missing patches it finds, and (sometimes) automatically rectify the situation.
The simplest of these tools work as little more than PC update reminders. They'll warn you when new patches appear, and you then sort out any updates yourself. Sometimes that's a minor hassle, but in some instances it takes mere seconds (in Chrome, click Help > About > Update and the browser sorts out everything else).
The most powerful enterprise-level patch managers can scan systems on your network (often across multiple platforms), detect missing patches (both third-party apps and operating system updates), remotely install them on your preferred schedule, and even roll back any updates if there are problems.
This technology has risks, as well as advantages. If a poorly configured patch manager downloads the wrong update file, for instance, it might break your application, or even affect your entire PC. It's important to choose your manager carefully, and ensure you know how to cope if anything goes wrong.
There are plenty of great patch managers around, though. In this article we'll discuss options for everyone from newbie home users to big corporations. Whatever you're after, most products are available in free or trial forms, so it's easy to take them for a spin and find out what works for you.
- Want your company or services to be added to this buyer’s guide? Email firstname.lastname@example.org with the URL of the buying guide in the subject line.
Quick and easy patch management
Avira Software Updater is a simple patch manager which helps you spot the latest updates for more than 150 popular applications.
Avira doesn't provide a full list of its supported applications, unfortunately, but it seems to include Microsoft Office, Chrome, Firefox, Opera, Adobe Reader, Adobe Flash, CCleaner and more.
Software Updater can also scan for out-of-date drivers, but we wouldn't recommend that. You're unlikely to see any major benefits (drivers rarely get significant security patches that Windows won't handle itself), and a failed or poorly chosen driver update can seriously mess up your PC. Leave driver updates to Windows, it's much safer.
The free version of Software Updater (available standalone, there is no need to install Avira Antivirus) scans your system on launch, displays missing patches, and – that's it. There's no automatic update option, no scheduling or anything else. Clicking a globe icon should take you to the developer's product page, so you can download it yourself, but even that doesn't always work as you expect.
The Google Chrome download link took us to Google.de, for instance, Google's German language site. That's not a big deal – Google automatically translated it for us, and the download would still have worked – but it's an example of how a software updater may use update links and files that you wouldn't see normally.
This won't be an issue for everyone. Arguably the safest way to use any software updater is to get reminders of any missing patches, but then to find and install them yourself. Your software stays current, and you don't risk problems caused by the updater using the wrong patch or not installing it properly.
If automatic updates are a must, Avira's Software Updater Pro is available for $3.99 per month, or $2.75 on the annual plan. It supports Windows updates, too, and includes unlimited customer support via a toll-free number and email.
Powerful, portable and free
Patch My PC is a free Windows program which can help you monitor over 300 popular apps, automatically detecting any updates and (optionally) silently downloading and installing any patches it finds.
The '300 apps' figure is boosted a little by the inclusion of products which are obscure, obsolete or both (Bitdefender Anti-Ransomware, Imgburn, Microsoft EMET – the full list is here). But it's still better than many competitors, especially for a free product, and geeks will appreciate some of the more technical apps it supports: Angry IP Scanner, Atom, Brackets, GIMP, Sysinternals Suite, and more.
Unusually, Patch My PC doesn't require installation, or ask you to hand over your email address or other personal details. Launch it, the program detects your installed apps (and portable versions) and displays up-to-date products in green, or any which are missing patches in red.
Patch My PC's interface is a little cluttered, and doesn't always work as you might expect. Its scan report doesn't give you a table of results you can work with individually, for instance (update these two immediately, ignore that for now, don't check these apps in future, say). The results are plain text only, and you can't do anything but look at them.
If you're more interested in speed and automation, though, the program works very well. You can have it install all missing patches with a click, for example. And a well-designed scheduler enables automatically checking for updates at your preferred time and frequency, with the option to run it again later if a check is missed (because your PC was turned off, say).
Patch My PC also works well as a simple application manager. It's easy to create a custom list of your ten favorite apps, say, and have the program set them all up for you on a new PC. And a built-in Uninstaller lets you remove multiple apps in a single operation.
An interesting range of bonus options includes the ability to cache updates in a local folder. If you're running Patch My PC on a USB key, for instance, it will save new updates to a local folder. Plug the key into other PCs, and if they need the same update, they'll use the cached copy rather than download it again.
Hassle-free automatic updates
Thor Free is the software updating module from Heimdal Security's commercial range of security suites: Thor Vigilance, Thor Foresight and Thor Premium. As the name would suggest, it’s free to download and use.
As we write, the package supports updating around 100 apps (or around 60, if we exclude those with multiple versions). The full list is available on the website.
Thor Free has the same interface as Heimdal's full-strength suites, making it a little bulkier than most of the competition. Our opening screen had four greyed-out areas with 'Upgrade' messages, for instance, and one button which led to the actual updating module, which Thor calls 'X-Ploit Resilience.'
Even the main Thor Free module isn't as straightforward as usual. There's no Scan button, and we had to check a 'Monitor' option before Thor Free looked for updates. And once you get the report, all you can do is tell Thor Free to automatically update that package in future, or leave it up to you.
There's not a lot of power or configurability here, then, but the few features you do get seem to work very well. Once we checked the Monitor and AutoUpdate boxes for our chosen apps, Thor Free automatically detected updates, downloaded and silently installed them in the background, without hassling us in any way.
Network patch management from a central web console
Security vendor Avast has interesting software update tools covering three levels of user.
Bargain hunters and beginners can install Avast Free Antivirus to get its basic Software Updater. This scans for missing patches, includes a 'What's changed?' link (where possible) to explain what's in an update, and can download and silently install your chosen updates with a click.
Avast's Premier and Ultimate security suites add the ability to automatically install updates as they're detected.
Top of the range, though, is Avast's Business Patch Management. Deploy this with one of Avast's managed antivirus products (Antivirus, Antivirus Pro, Antivirus Pro Plus) across your network, and it allows you to check the update status for a vast range of Windows apps from 100 top vendors: Adobe, Google, Microsoft (Windows and applications), Mozilla, Piriform, WinZip and more.
Avast says there's support for thousands of applications, but keep in mind that as with many competitors, this includes multiple versions. Firefox is counted 72 times, for instance. For a more realistic view of the total, take a look at this PDF of the full application list.
You get vast control over how and when the scan and patching process works. Instead of being forced to scan your entire network at the same time, you're able to set up special rules for each device, or define particular apps or vendors you'd like to exclude. You can choose when to deploy patches (immediately, on a schedule, manually) and decide what should happen afterwards (ask the user, request or even force a reboot).
Comprehensive reports help you see exactly what's going on across your network, covering everything from the most patched applications to details on patches which haven't deployed (important information if the same update is regularly failing across your network).
Avast Business Patch Management is very fairly priced, with $37.49 covering a single device for a year, rising to $55.99 for two years, and $78.49 for three. There's no minimum number of devices, making the package suitable for any small business, or maybe even a home network. And if any of this sounds interesting, a free trial gives you 30 days to find out more.
A patch management powerhouse for demanding businesses
GFI LanGuard is a comprehensive patch manager for businesses, or anyone with 10 or more systems to protect.
The tool is designed to cover your entire network, and can handle updates for multiple operating systems, including Windows 7-10, Windows Server 2003-2012, along with Mac and assorted Linux distros.
If you prefer to leave your OS to handle its own updates, that could be wise, but GFI LanGuard also supports more than 80 third-party apps.
Although we're mostly interested in patch management, GFI LanGuard also includes industrial-strength network auditing and vulnerability scans. Reports might highlight issues with installed applications, your security tools, mobile devices connecting to your network, open ports, file shares, and more.
Start to install GFI LanGuard and it's immediately obvious that this isn't a product for beginners. It prompted us to install SQL server, then a web server, and even when it was running, it took us a while to find out how to do as much as run a scan.
However, put in the effort and you'll get some very impressive results. Items are organized into lists of missing security updates, non-security updates and Windows service packs and update rollups. You can also view recently installed updates, a handy way to see that all is well. All updates have descriptions, notes on severity, and even a link to the developer's website where you can find out more.
You can opt to update some or all missing patches, either immediately or at a specific time. If you're deploying patches to another computer on your network, you can choose to warn the user beforehand, as well as what happens afterwards (do nothing, shut down, reboot and so on).
Prices start at a reasonable $26 per node per year for 10-49 nodes, and drop substantially for larger networks (you can cover 250-2999 nodes for $10 each per year).
A free 30-day trial provides a risk-free way to explore what's on offer. Beware, though, that's not as generous as it sounds: GFI LanGuard comes so crammed with functionality you'll probably wish the test period was longer.