DoCrack_Software Engineering Services

ManageEngine Patch Manager Plus – Download & License | Automated Patch Management

Unpatched software is one of the most consistently exploited attack vectors in enterprise environments. Industry data shows that over 60 percent of successful breaches involved vulnerabilities for which a patch was already available but had not been applied. In organizations with hundreds or thousands of endpoints, managing patches manually is not just inefficient — it is effectively impossible to do with any consistency. ManageEngine Patch Manager Plus closes this gap by automating the entire patch lifecycle: scanning endpoints for missing patches, testing and approving updates, deploying them on a flexible schedule, and reporting on compliance status — all from a single centralized console, across Windows, macOS, Linux, and more than 850 third-party applications.

Developed by ManageEngine (a division of Zoho Corporation), Patch Manager Plus is available as both a standalone on-premises installation and a cloud-hosted SaaS service. It serves organizations of all sizes — from small businesses managing a handful of endpoints to large enterprises with thousands of devices across multiple locations.

What Is ManageEngine Patch Manager Plus?

Patch Manager Plus is a purpose-built patch management solution that automates every phase of the patch management process from a single interface. It supports all three major operating systems and extends its coverage beyond the OS to include third-party application updates — the category most often overlooked in manual patching processes and the source of a significant share of exploitable vulnerabilities. The platform integrates with Active Directory, supports remote and off-network endpoints, and generates compliance reports suitable for regulatory audits.

Key Features of ManageEngine Patch Manager Plus

1. Automated Patch Deployment (APD)

The core engine of Patch Manager Plus is its Automated Patch Deployment system. Once configured, it continuously scans enrolled endpoints, identifies missing patches, downloads updates from verified sources, and deploys them according to administrator-defined policies — without manual intervention. IT teams configure policies once, and the system handles everything from that point forward. This shift from reactive to proactive patch management eliminates the weeks-long gaps that leave organizations exposed.

2. Cross-Platform Support

Patch Manager Plus manages all three major platforms from a single console:

  • Windows: All versions from Windows 7 / Server 2008 onward, including Feature Updates for Windows 10 and 11
  • macOS: OS-level and application patches for Apple endpoints
  • Linux: Ubuntu, CentOS, RHEL, Debian, Fedora, SUSE, and other major distributions
  • Third-Party Applications: 850+ applications including Adobe Reader/Acrobat, Java, Chrome, Firefox, Teams, Zoom, 7-Zip, VLC, WinRAR, and many more

3. Patch Testing & Approval Workflow

Deploying patches directly to production systems without testing carries risk. Patch Manager Plus supports a structured test-before-deploy workflow: patches are first applied to a designated test group of machines. If no issues are detected, they are automatically approved for broader deployment. This process significantly reduces the risk of a faulty patch causing unexpected problems in production environments — a common concern in environments with legacy applications or custom software.

4. Flexible Deployment Policies

Every organization has different operational requirements. Patch Manager Plus lets administrators define granular deployment policies covering installation schedules (off-hours, weekends), reboot behavior (immediate, delayed, or user-deferred), installation sequencing, and bandwidth limits for patch downloads. This flexibility ensures that patches are applied without disrupting business operations or overwhelming network links.

5. Patch Decline & Rollback

Not every patch should be deployed everywhere. Administrators can decline specific patches for legacy applications, incompatible configurations, or policy reasons. If a deployed patch causes unexpected issues, the rollback capability allows systems to be reverted to their pre-patch state. This level of control is essential in environments where stability is a priority alongside security.

6. Distribution Servers

In organizations with multiple offices or constrained WAN links, having every endpoint download patches directly from the internet is impractical. Distribution Servers in Patch Manager Plus act as local repositories — patches are downloaded once to the distribution server, then distributed to endpoints across the local network. This dramatically reduces internet bandwidth consumption and speeds up deployment in distributed environments.

7. Remote & Off-Network Patching

Patch Manager Plus can manage and patch endpoints across LAN, WAN, and DMZ environments. Remote workers and laptops outside the corporate network are supported through the Secure Gateway feature, enabling patch management without requiring VPN connections. This capability has become increasingly critical as remote and hybrid work arrangements have become standard.

8. Compliance Reporting & Auditing

The platform generates detailed, real-time reports on patch compliance across all managed endpoints. The central dashboard provides an at-a-glance view of the organization’s overall compliance posture. Specific reports cover vulnerable systems, missing patches, systems pending reboot, patches awaiting approval, and historical deployment records. Reports can be scheduled for automatic delivery to stakeholders and are formatted to support regulatory compliance audits (ISO 27001, PCI DSS, HIPAA, GDPR).

9. Vulnerability Scanning Integration

Patch Manager Plus continuously scans endpoints to identify outdated and vulnerable software. The platform integrates natively with Tenable Vulnerability Management and Tenable Security Center, enabling correlation between vulnerability data and patch status. This integration gives security teams a unified view of where risk is concentrated and which patches will have the greatest security impact.

10. Server & Server Application Patching

Beyond workstations and laptops, Patch Manager Plus manages patches for servers and server-side applications including IIS, SQL Server, and Exchange. Separate deployment policies can be defined for servers, allowing tighter change control in production server environments while maintaining automated patching for less sensitive systems.

11. Active Directory Integration

Patch Manager Plus integrates directly with Active Directory, allowing administrators to define patch deployment policies based on AD organizational units (OUs) or security groups. For example, a separate patching policy can be applied to finance department workstations, production servers, or executive laptops — each with different schedules, reboot behaviors, and approval requirements.

12. Self-Service Portal for End Users

The Enterprise edition includes a self-service portal where end users can voluntarily install optional patches and updates on their own schedule. This reduces disruption from forced reboots during work hours and increases user buy-in for patch adoption.

Editions & Pricing

Free Edition

Patch Manager Plus is permanently free for up to 25 endpoints (workstations and servers combined). The free edition includes all core patch management features and never expires. It is a genuine production-ready option for small teams, not just a trial.

Professional Edition — On-Premises

Starting at $245/year for 50 endpoints. Covers automated patch deployment, cross-platform support, distribution servers, remote patching, compliance reporting, and Active Directory integration. Suitable for organizations that want to host the solution on their own infrastructure.

Enterprise Edition — On-Premises

Starting at $345/year for 50 endpoints. Adds the Self-Service Portal, advanced enterprise features, and expanded support for larger environments on top of all Professional capabilities.

Professional Edition — Cloud

Starting at $345/year for 50 endpoints. Same feature set as the on-premises Professional edition, hosted by ManageEngine with no server infrastructure required. The patch database is always synchronized automatically.

Enterprise Edition — Cloud

Starting at $445/year for 50 endpoints. The most comprehensive option for organizations wanting cloud deployment with full enterprise feature access.

All editions include a 30-day free trial with access to all features. Perpetual license options are available alongside annual subscriptions. Pricing scales with endpoint count and ManageEngine offers custom quotes for large deployments.

Patch Manager Plus vs. WSUS

Many organizations currently use Windows Server Update Services (WSUS) for patch management. Patch Manager Plus extends well beyond what WSUS offers. WSUS covers only Windows OS patches and requires significant administrative overhead for configuration and maintenance. Patch Manager Plus adds macOS and Linux support, third-party application patching for 850+ apps, a substantially simpler administration interface, advanced reporting and compliance dashboards, remote endpoint patching without VPN, and rollback capabilities. For organizations running mixed-OS environments or needing to patch third-party software, Patch Manager Plus effectively replaces and supersedes WSUS.

Patch Manager Plus vs. Endpoint Central

ManageEngine also offers Endpoint Central, a comprehensive unified endpoint management platform that includes patch management alongside device management, software deployment, remote control, mobile device management, and more. Patch Manager Plus is the right choice for organizations whose primary need is automated patching and who do not require the broader UEM capabilities of Endpoint Central. If patch management is one of several endpoint management requirements, Endpoint Central may be the more efficient investment.

Compliance Standards Supported

Patch Manager Plus generates reports and maintains audit trails that support compliance with major regulatory and security frameworks including ISO 27001, PCI DSS, HIPAA, GDPR, NIST, and SOX. The platform’s ability to demonstrate patch compliance at the individual endpoint level — with historical records of when patches were applied, by whom, and to which systems — is a key asset during external security audits and regulatory assessments.

System Requirements (On-Premises)

  • OS: Windows Server 2012 R2 or later
  • CPU: Minimum 2 cores (4 cores recommended)
  • RAM: Minimum 4 GB (8 GB recommended)
  • Disk: Minimum 40 GB (additional space recommended for patch storage)
  • Database: Bundled MySQL or Microsoft SQL Server
  • Browser: Chrome, Firefox, Edge (latest versions)
  • Endpoints: Windows 7+, macOS 10.10+, major Linux distributions

Frequently Asked Questions (FAQ)

Does Patch Manager Plus patch only Windows systems?

No. Patch Manager Plus supports Windows, macOS, and Linux from a single console. It also patches more than 850 third-party applications across all supported platforms — a capability that WSUS does not provide at all.

Is an agent required on each endpoint?

Yes. A lightweight agent is installed on each managed endpoint. The agent handles patch status reporting and deployment execution. Agent deployment can be automated through Group Policy, login scripts, or software distribution tools for bulk enrollment.

Can Patch Manager Plus patch endpoints that are not on the corporate network?

Yes. The Secure Gateway feature enables patch management for remote endpoints outside the corporate network without requiring a VPN connection. This is essential for managing laptops used by remote workers.

What happens if a patch causes a problem after deployment?

Administrators can decline patches before deployment or roll back applied patches if issues occur. The test group workflow also provides a structured way to validate patches before rolling them out to the full endpoint fleet, reducing the likelihood of problems in production.

Can different patch policies be applied to different groups of machines?

Yes. Deployment policies can be defined based on Active Directory organizational units, security groups, or manually created custom groups. This allows differentiated patching strategies for workstations, servers, executive devices, or department-specific machines.

Does Patch Manager Plus support patch management for servers?

Yes. Server patching is supported alongside workstation patching. Separate policies can be configured for servers to enforce stricter change control, separate approval workflows, and maintenance window scheduling.

How does the Distribution Server reduce bandwidth consumption?

Instead of every endpoint downloading patches directly from the internet or the central Patch Manager Plus server, a Distribution Server acts as a local cache. Patches are downloaded once to the Distribution Server, which then serves them to all local endpoints over the LAN. This is particularly valuable for branch offices with limited WAN bandwidth.

Are compliance reports suitable for regulatory audits?

Yes. Patch Manager Plus generates detailed compliance reports showing patch status per endpoint, deployment history, missing patches, and vulnerability exposure. These reports are designed to satisfy auditing requirements for ISO 27001, PCI DSS, HIPAA, GDPR, and similar frameworks.

Is a perpetual license available?

Yes. Patch Manager Plus is available under both annual subscription and perpetual license models. The perpetual license is a one-time purchase with an annual maintenance and support fee for continued updates and support.

Can Patch Manager Plus patch custom or in-house applications?

For applications not covered by the built-in catalog of 850+ supported apps, the platform includes a Custom Patch capability in advanced editions, allowing administrators to package and deploy updates for proprietary or internally developed software.

Conclusion

ManageEngine Patch Manager Plus delivers a comprehensive, automated patch management solution at a price point that is accessible to organizations of virtually any size. Its cross-platform coverage, third-party application support, flexible deployment policies, and compliance-grade reporting make it a practical replacement for WSUS-only environments and a competitive alternative to more expensive enterprise patching tools. The permanently free edition for 25 endpoints makes it straightforward to evaluate in a real environment before committing to a paid tier. For IT teams looking to move from reactive, manual patching to a systematic, policy-driven approach, Patch Manager Plus provides a clear and proven path.

To obtain a genuine Patch Manager Plus license with full support, contact us for pricing and purchasing assistance.

 

