Patch Management Tools

[Rendog]

Hi All,

Can you guys recommend what Patch Management tools you use to remotely push out updates/patches (Microsoft & non-Microsoft) to both client machines and especially servers?

I've used WSUS however I think I'd like to be able to push and install from a central location instead of logging into each server and installing updates and rebooting that way.

The cheaper the better, I doubt there are many free tools that can do this. I have been doing some research but feel it's always best to ask those that have had experience with these tools.

Cheers!

 

[GDL]

Group policy with autoinstall options set WMI filtered to AD Groups.
Server groups in wsus with the machines in.

Gives you the central location with autoreboot when you want.

EG:
WSUS server group with server 'FS01' in.
GPO set to autodownload and install then reboot on friday @ 7am. - WMI filtered to the ADgroup Friday-Patches. Add the computer account of FS01 to that group.

 

[Burnsy2023]

If you're using Redhat based linux machines, look at SpaceWalk.

 

[Deleted member 138126]

How many servers?

 

[AndrewP]

If you're using Redhat based linux machines, look at SpaceWalk.

I wouldn't recommend going with Spacewalk/Satellite 5 for a new platform, Katello/Satellite 6 are where things are heading now.

 

[Deleted member 138126]

Heh Linux feels like a never-ending parade of "don't use this old crappy thing, this is the new shiny thing"...

 

[Ev0]

How many machines need to be managed, what sort of budget if any?

 

[SMN]

Puppet, Chef, Ansible?

 

[DustyMiller]

Columbus from Brainware Group is what we went with. Really good price, and great functionality.

 

[Lanz]

Shavlik, its the best tool for what you need but isn't exactly cheap.

 

[PAz]

SCCM

 

[Yamahahahahaha]

Assuming you have a fairly normal Windows environment, a few sites and up to about 1000 users I'd recommend WSUS and PDQ Deploy. Do your reboots remotely with Powershell. Any clustered servers should use Cluster Aware Updating.

Above that you need to start looking at lifecycle management (SCCM etc) because administering that many machines is beyond a full time job.

 

[Ev0]

SCCM and IEM (Bigfix) are the two main ones I see around if you're going over and above just using any inbuilt AD/GPO capability.

 

[ecksmen]

GFI languard is very cheap for patch management alone ignoring its complete feature set (which may / may not be of use). It also supports a lot of application stacks as well beyond Microsoft; very good in single AD topologies, less good in multi tenancy environments but still workable.

 

[warnox]

From what I can see with GPO there is no option to install updates and not reboot, then schedule a reboot when suitable to finish the install.

 

[Lanz]

Talking of windows updates - Its becoming quite tiresome, I only updated our VM template in May and I noticed today there's 27 new updates! - Terrible really, its a full time job to keep servers patched

 

[kefkef]

SCCM and PDQ Deploy.

 

[ruffneck]

Secunia

 

[m4cc45]

LANGuard is also fine for deploying patches for Windows / Adobe / Etc.



M.

 

[nam]

Tivoli EndPoint management used to be called BigFix, very easy to setup and use and great reporting