
Patch management tools: Different types, different approaches

Patch management tools seem pretty simple, but there are a couple of different types, each with its own functionality. Contributor Serdar Yegulalp takes a look at the different types of tools and offers advice to companies trying to settle on a single product.

An organization with more than a few workstations or servers needs some kind of automated way to handle patch management, and there is a plethora of such programs to choose from. Because there's more than one way to accomplish patch management, it's not uncommon for two or more parts of the same organization to be updated and managed using different applications.

You can find that situation in environments where a branch office or division of a company is moved or acquired. Suddenly, what worked before is not what works for the new parent. In this and almost all other cases, the best approach is to pick one system and consolidate on it as aggressively as possible.

There are two basic categories of patch management tools that I'll tell you about here, which do markedly different things in different ways.

Reporting tools:

These tools scan local machines or computers on a network, audit whatever's in reach and then produce detailed summaries or digests about what is installed where as well as what might need to be installed or updated. They do the research and make recommendations, but they don't make any actual changes.

Management or deployment tools:

(There are others, but I have covered Service Pack Manager and Patch Manager before in detail.)


These programs do the actual work of downloading and applying patches to local or remote machines. In many cases, they are also reporting tools -- they audit computers to see what's installed and what's needed, then download the needed updates and push them out according to an administrator's directives.

If you use multiple auditing or reporting tools, one caveat: find out ahead of time whether the tools differ in the depth or breadth of their reporting, so the differences don't throw you off. That way you won't think you're missing something, and you won't feel compelled to try to fix something that isn't even really broken.
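One way to separate differences in reporting scope from genuine disagreements between two reporting tools, as an added example that is not from the original article or from any product it mentions. The report layout, tool names, host names and patch IDs are constructed placeholders; real tools would need their exports mapped into this shape.

```python
"""Reconcile 'missing patch' findings from two reporting tools."""

# Constructed sample reports: what each tool audits and what it flags as missing.
REPORTS = {
    "tool_a": {
        "hosts": {"ws-01", "ws-02", "srv-01"},
        "products": {"os", "office"},
        "missing": {("ws-01", "os", "PATCH-001"),
                    ("ws-02", "office", "PATCH-014"),
                    ("srv-01", "os", "PATCH-007")},
    },
    "tool_b": {
        "hosts": {"ws-01", "ws-02"},
        "products": {"os"},
        "missing": {("ws-01", "os", "PATCH-001"),
                    ("ws-02", "os", "PATCH-009")},
    },
}

def coverage_gap(tool, host, product):
    """Return why `tool` could not have reported on this host/product, or None."""
    if host not in tool["hosts"]:
        return "host_not_scanned"
    if product not in tool["products"]:
        return "product_not_covered"
    return None

def reconcile(reports):
    """Classify every finding from exactly two tools by why the tools differ."""
    (name_a, a), (name_b, b) = reports.items()
    result = {"agreed": [], "host_not_scanned": [],
              "product_not_covered": [], "disagreement": []}
    for finding in sorted(a["missing"] | b["missing"]):
        host, product, _patch = finding
        in_a, in_b = finding in a["missing"], finding in b["missing"]
        if in_a and in_b:
            result["agreed"].append(finding)
            continue
        # Only one tool flagged it: was the other tool even looking there?
        reporter, silent = (name_a, b) if in_a else (name_b, a)
        reason = coverage_gap(silent, host, product) or "disagreement"
        result[reason].append((reporter,) + finding)
    return result

if __name__ == "__main__":
    for category, findings in reconcile(REPORTS).items():
        print(category, findings)
```

Only the entries under `disagreement` need investigation; the two scope categories reflect what each tool was configured to audit, not a missing patch.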

If you are using multiple patch management or deployment tools, the problem isn't so much that one tool duplicates or undoes the work of another, but that the administrator (or administrators) becomes confused by the presence of multiple tools to get the same job done. That's a short road to user error -- at best a situation where one person could duplicate or even undo another person's work (or even his own) and, at worst, it develops into a case where real damage can be done.

In the long run, the best thing to do is settle on one method of management to avoid confusion -- not just for yourself, but also for the person who might inherit your job.

Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
