I'm looking for recommendations on tools that can automate patching for third-party applications, ideally with minimal manual intervention, and that also meet security standards like ISO27001, NIST, or Cyber Essentials in the UK. We currently use Qualys for scanning and a Kaseya RMM, but I'm exploring Qualys's patching capabilities. I also use Datto's patch management, which only covers Windows patches and hasn't been very reliable. My goal is to find a dependable solution that can efficiently patch thousands of endpoints within 14 days of a critical CVE being reported.
10 Answers
I recommend using Microsoft Configuration Manager along with PatchMyPC Enterprise. The patch catalog is extensive and continually expands, and their customer support is quick and helpful. A big advantage is that it automatically creates installation objects, so when users install from Software Center, they always get up-to-date apps. My system imaging also pulls the latest apps from the day before, so it's all automated!
We stick with Ivanti EPM for patching. It has its critics, but it gets the job done for us without much hassle.
We had a tough time with Qualys, especially because of customer service issues, so we switched to Action1 and have been much happier. Plus, managing Apple computers was a challenge with Qualys, but Action1 has worked seamlessly for us.
I really like NinjaOne for our needs! If I could choose our RMM freely, this would be my pick. Sadly, we’re stuck with Kaseya for now.
For OS and third-party patching, we're using Ansible/AWX. It's worked quite well for our needs!
We utilize Tanium for our patching, focusing on the Deploy module. They have prebuilt packages for popular software, and we often create our own to ensure everything is up to date.
For patching both Windows and third-party applications, we've switched to Action1. It has a broad library of supported applications right out of the box, plus it’s easy to configure. The best part? You can manage up to 200 endpoints for free! Definitely worth a look if you haven't checked it out yet.
Thanks, I’ll check this out.
We’re using PDQ Deploy, although we have had to set up wrappers for some apps because their version entries weren’t accurate. Overall, it’s been a solid solution for managing our patching processes. We just schedule updates after hours to minimize disruption!
We’ve transitioned from an on-prem PDQ Deploy to PDQ Connect, and it’s been fantastic! As long as the endpoints have internet access, they stay patched. The automation features and CVE patching for many applications have been particularly useful, especially for urgent VPN client patches. You might want to consider it!
Anyone here still using Chocolatey? I found it pretty reliable for third-party patching back in the day, but I've been looking for updates since I'm dealing with similar issues as the original poster. Curious if it's still a good option!
Yeah, I hear you, it's frustrating to be tied down!