
Desktop patch management software features: A checklist

Desktop patch management is a critical function, but the amount of patch management software can be overwhelming. Focus on the most important patch management software features.

Choosing the right desktop patch management software can be an arduous task.

Many vendors design their software to automatically download and install patches, but allowing each desktop in an enterprise to download its own patches could lead to Internet bandwidth congestion. Uncontrolled patch deployments can also lead to version inconsistencies and problems related to buggy patches. With so many desktop patch management products available, how do you choose? This patch management checklist has some important patch management software features to look for.

Multivendor support

Plenty of patch management software offers patching for Windows and Microsoft Office, but most organizations also need support for third-party products such as Adobe Acrobat Reader, Mozilla Firefox and Adobe Flash Player.

Centralized control

Although some offerings manage patches at the desktop level rather than from a centralized location, patch management software should ideally offer a centralized management console.


The websites of many desktop patch management vendors include lists of the applications they support. While having guaranteed compatibility with an application set is nice, extensibility is even more important. The particular application set an organization uses today may not be the same six months from now. You need a way to manage patches for new applications, even if the patch management software does not have built-in support for that specific application.

Watch out for how patch management software provides extensibility. Although many desktop patch management tools will allow you to deploy patches for just about any application through a graphical user interface without a lot of effort, some require scripting to support new applications.


Most vendors include some sort of reporting in their patch management software features, but it is worth taking the time to make sure that the product's reporting capabilities meet your needs. At the very least, the reporting engine should be able to tell you which patches have been deployed to which desktops. Ideally, the reporting engine should also be able to alert you if a desktop goes for an extended period of time without communicating with the patch management software. That way, you can address any agent problems rather than assuming that each desktop is being patched.
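
The reporting check described above, sketched as an added example (not from the article or any vendor's product): it reads a constructed console export and classifies any desktop whose agent has been silent past a threshold as unknown rather than counting it as patched. The CSV columns, desktop names, patch IDs and 14-day threshold are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: one row per desktop, as a console might report it.
# Column names and patch IDs are placeholders, not any product's real format.
SAMPLE_EXPORT = """\
desktop,last_checkin,installed_patches
FIN-001,2024-05-30T08:12:00,PATCH-A;PATCH-B
FIN-002,2024-05-29T17:40:00,PATCH-A
ENG-014,2024-04-02T09:05:00,PATCH-A;PATCH-B
ENG-015,2024-05-30T07:55:00,
HR-003,,PATCH-A
"""


def classify(export_text, required_patch, now, max_silence_days=14):
    """Split desktops into confirmed / missing / unknown for one patch.

    'unknown' holds desktops whose agent has been silent longer than
    max_silence_days (or never checked in): their recorded patch state
    is stale and must not be counted as patched.
    """
    cutoff = now - timedelta(days=max_silence_days)
    result = {"confirmed": [], "missing": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row["last_checkin"] or "").strip()
        last_seen = datetime.fromisoformat(raw) if raw else None
        patches = {p for p in (row["installed_patches"] or "").split(";") if p}
        if last_seen is None or last_seen < cutoff:
            result["unknown"].append(row["desktop"])
        elif required_patch in patches:
            result["confirmed"].append(row["desktop"])
        else:
            result["missing"].append(row["desktop"])
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_EXPORT, "PATCH-B", now=datetime(2024, 6, 1))
    for status, desktops in report.items():
        print(f"{status:9} {', '.join(desktops) or '-'}")
```

ENG-014 is the case the paragraph warns about: its last record shows the patch installed, but the agent has been silent for two months, so it lands in unknown until the agent problem is addressed.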

Desktop patch management grouping

Another feature to look for when selecting a desktop patch management product is the ability to create groups of desktops and deploy patches on a per-group basis. This is important for two reasons.

First, in most organizations, there is no such thing as a universal desktop. Application sets usually vary by department. For example, the finance department might use an accounting app that no other department uses. If all of the desktops are simply lumped together into a common group, then you could end up pushing patches for software that's not even installed on some desktops.

The other reason desktop grouping is important is that it allows you to create test groups. That way, you can deploy a patch on a limited basis and make sure that it works before you roll it out to the entire organization.

Patch removal

The ability to centrally remove a patch should also be on your list of important patch management software features. Software companies occasionally release buggy patches. Theoretically, you should be able to avoid problems by testing the patches before you deploy them. Sometimes, however, a problem may not become apparent until later on. When this happens, it is essential to be able to quickly and easily recall the patch.

As you can see, there are a number of things to look for in desktop patch management software. Keep in mind as you shop that most of the desktop patch management products on the market are actually desktop management products that include patch management features, as opposed to strictly being patch management tools. Even so, it is worth spending some time checking out the non-patch management software features in case there is something that you can use. Some of the features that are commonly included in desktop management products include network endpoint discovery, hardware and software inventory, security and standardization features and remote access for the help desk staff.

Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator at some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.