Many companies still do not have fully automated patch management - they install patches manually, without a schedule, or wait for "someone to do it". Every unpatched machine is a potential entry path for an attacker. On top of that, in September 2024 Microsoft announced that WSUS - the traditional update distribution tool - is a deprecated product: it still works and is supported but no longer receives new features. That pushes companies to consider more modern solutions. ManageEngine Endpoint Central automates patch management - downloading, testing, deploying and reporting patches on 50-5000+ computers. In this article I show how to configure it from scratch.
What is ManageEngine Endpoint Central?
Endpoint Central is an endpoint management system for the computers on a network, with a focus on patch management. It is not the same as Intune: Endpoint Central can run on-premise (on your own server) or in the cloud, and it is more configurable than Microsoft's cloud-only offering.
Main capabilities:
- Patch Management - automatic Windows/Office patch download, deployment scheduling, monitoring.
- Software Deployment - installing software on machines (MSI, EXE, PowerShell scripts).
- Inventory Management - hardware records (CPU, RAM, disk), software (installed programs, versions), licenses.
- Remote Access - remote control of machines on the network (RDP-like) for technical support.
- Security & Compliance - vulnerability reporting (CVE), compliance checks (PCI-DSS, HIPAA), antivirus status.
How automatic patch management works in Endpoint Central
The process looks like this:
- An agent is installed on the machine - a simple MSI that talks to the Endpoint Central server every 1-4 hours.
- The server downloads patches directly from the vendor's servers (Microsoft, and third-party vendors for application patches), not from WSUS - or from an offline repository if your machines have no internet access.
- Patches are verified and categorized - Security (critical), Updates (regular), Preview (test). The administrator decides which categories to roll out.
- Scheduling policy - for example "Security patches every other Tuesday at 23:00, with a 30-minute window; if not installed, retry at 2:00".
- Rollback - a patch that causes problems can be uninstalled (rolled back) from the console on the affected machines; if Windows itself fails to boot after an update, Windows' own recovery removes that update.
- Reporting - the dashboard shows: how many machines patched, how many in the queue, how many errors. Detailed logs per machine.
The result: instead of running WSUS manually every month and hoping everything installs, you have full automation.
Configuring patching policies - step by step
Practical setup for a company of 200 machines:
Step 1: Open the Patch Management module, click "Add Patch Policy" and the wizard appears.
Step 2: Name the policy and pick patch categories
Example: "Security & Critical Patches"
Categories: Security Updates, Critical Updates. Leave the regular Updates for a second policy.
Step 3: Set the deployment schedule
Frequency: Every 2 weeks
Day: Tuesday (Microsoft publishes its monthly security updates on the second Tuesday of the month at 10:00 Pacific time, 17:00 or 18:00 UTC, so a Tuesday-evening run in Europe picks them up the same day; if you want the pilot group to soak for a few days first, schedule the production policy later in the week)
Time: 23:00 (evening, to avoid disrupting work)
Installation window: 30 minutes (the installation must start and complete within this window, otherwise it times out and is retried at the next run). Size it for the slowest machine: a monthly cumulative update plus reboot can take well over 30 minutes on older hardware.
Reboot behavior: "Allow reboot if required" - if the patch requires a reboot, the machine restarts automatically after a 15-minute warning.
Step 4: Assign machines to the policy
You can pick individual computers, Active Directory OUs or groups (for example OU=Office, OU=Production), or all machines. Critical machines such as servers belong in a separate policy with their own maintenance window and a pilot run first, or outside automation entirely if you prefer to patch them by hand.
Step 5: Testing
Before you push the policy to all machines, run it on a test group (for example 10 machines). Monitor the report for 2 weeks - did all the machines install without errors? Did any "break"? If OK, push to the whole network.
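After the two-week pilot, the console's numbers should be confirmed against the machines themselves. The PowerShell script below is an added example, not part of the article and not ManageEngine's code: it reads each pilot machine's full OS build (including the UBR revision that only lives in the registry), its most recent hotfix and the two registry markers Windows leaves while a reboot is pending, then compares the build with the one Microsoft published for the cumulative update you deployed. The hostnames and the expected build number are placeholders; WinRM remoting and local admin rights on the targets are assumed.

```powershell
# Added example, not from the article or ManageEngine. Assumes WinRM remoting
# is enabled on the targets and the caller has local admin rights on them.
function Test-PilotPatchState {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,   # the pilot group
        [Parameter(Mandatory)][version]$ExpectedBuild,   # build of the deployed cumulative update, e.g. 10.0.19045.4046
        [string]$ReportPath = ".\pilot-patch-state-$(Get-Date -Format yyyyMMdd).csv"
    )

    # Runs on each target. Returns the build as a string so remoting serialization leaves it unchanged.
    $probe = {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        # Win32_OperatingSystem.Version is major.minor.build; the UBR (revision) is only in the registry
        $fullBuild = '{0}.{1}' -f $os.Version, $cv.UBR

        # Windows Update and Component Based Servicing each leave a key while a reboot is outstanding
        $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                         (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

        $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            Build          = $fullBuild
            LastBoot       = $os.LastBootUpTime
            LastHotFix     = $lastFix.HotFixID
            LastHotFixDate = $lastFix.InstalledOn
            RebootPending  = $rebootPending
        }
    }

    $results = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe `
                                -ErrorAction SilentlyContinue -ErrorVariable unreachable)

    foreach ($r in $results) {
        $status = if ([version]$r.Build -lt $ExpectedBuild) { 'NOT PATCHED' }
                  elseif ($r.RebootPending)                 { 'PENDING REBOOT' }
                  else                                      { 'OK' }
        $r | Add-Member -NotePropertyName Status -NotePropertyValue $status
    }

    # Machines that did not answer are findings too: a box the tooling cannot reach is a gap in the report
    foreach ($err in $unreachable) {
        $results += [pscustomobject]@{
            Computer = $err.TargetObject; Build = $null; LastBoot = $null; LastHotFix = $null
            LastHotFixDate = $null; RebootPending = $null; Status = 'UNREACHABLE'
        }
    }

    $report = $results |
        Select-Object Computer, Build, LastHotFix, LastHotFixDate, LastBoot, RebootPending, Status |
        Sort-Object Status, Computer
    $report | Export-Csv -Path $ReportPath -NoTypeInformation   # keep as evidence for the audit trail
    $report
}

# Hypothetical pilot group and build number for illustration
Test-PilotPatchState -ComputerName 'PC-OFFICE-01', 'PC-OFFICE-02', 'PC-PROD-07' -ExpectedBuild '10.0.19045.4046' |
    Format-Table -AutoSize
```

A machine the console marks as patched but that still reports PENDING REBOOT is not protected yet; a NOT PATCHED machine after two cycles is where to look for a broken agent, a full disk or a Windows Update service that is stopped. Comparing the full build rather than just the presence of a KB number matters because a cumulative update supersedes the previous one and the KB list alone does not tell you which level the machine is really at.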
Inventory and compliance: what Endpoint Central sees on the network
Once the Endpoint Central agent is installed, the server automatically collects from each machine:
- Hardware: manufacturer, model, CPU (type, cores), RAM, disk (type, capacity), network card.
- Operating system: Windows 10/11 version, build, install date, last reboot.
- Software: every installed program (name, version, install date). Important for checking whether the machine has a version of Excel with a known vulnerability.
- Security: antivirus (installed, last update), firewall (on/off), Windows Defender status.
- Compliance datasets: PCI-DSS (does the machine meet card data requirements?), HIPAA, GDPR (for example BitLocker disk encryption status).
The Compliance Report dashboard shows: how many machines have current patches, how many have unlicensed software installed, how many have antivirus disabled. Very valuable for audits and NIS2 compliance.
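The items above are the ones an auditor will ask you to prove, so it is worth being able to reproduce them without the console. The PowerShell function below is an added example, not the article's or ManageEngine's code: run locally as administrator, it collects the same hardware, OS, software and security posture data the agent reports, flags an installed product that is below a version you consider patched, and derives the yes/no verdicts a compliance report would show. The product name, minimum version and patch-age threshold are hypothetical placeholders to be replaced with your own baseline.

```powershell
# Added example, not from the article or ManageEngine. Collects, on the local
# machine, the same items the agent reports so the console can be spot-checked.
# Run as administrator: BitLocker and Defender status need elevation.
function Get-EndpointPosture {
    param(
        # Hypothetical check: flag a product below a version you consider patched
        [string]$WatchProduct = 'Microsoft 365 Apps',
        [version]$WatchMinimumVersion = '16.0.17328.20000',
        [int]$MaxPatchAgeDays = 45      # one missed monthly cycle plus slack
    )
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Installed software: the 64-bit and 32-bit Uninstall hives, the same source every inventory tool reads
    $software = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    ) | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, InstallDate

    $flagged = $software | Where-Object {
        $v = $_.DisplayVersion -as [version]      # $null when the vendor's version string is not x.y.z.w
        $_.DisplayName -like "*$WatchProduct*" -and $v -and $v -lt $WatchMinimumVersion
    }

    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    try   { $defender = Get-MpComputerStatus -ErrorAction Stop } catch { $defender = $null }
    $firewall = Get-NetFirewallProfile | Select-Object Name, Enabled
    try   { $bitlocker = (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus }
    catch { $bitlocker = 'Unknown' }

    $posture = [ordered]@{
        Computer = $env:COMPUTERNAME
        Hardware = [ordered]@{
            Manufacturer = $cs.Manufacturer; Model = $cs.Model
            Cpu   = (Get-CimInstance Win32_Processor | Select-Object -First 1 Name, NumberOfCores)
            RamGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            Disks = @(Get-PhysicalDisk | Select-Object FriendlyName, MediaType, @{n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) }})
        }
        OS = [ordered]@{
            Caption = $os.Caption; Build = '{0}.{1}' -f $os.Version, $cv.UBR
            InstallDate = $os.InstallDate; LastBoot = $os.LastBootUpTime
            LastHotFix = $lastFix.HotFixID; LastHotFixDate = $lastFix.InstalledOn
        }
        Security = [ordered]@{
            DefenderRealTime   = $defender.RealTimeProtectionEnabled
            SignatureAgeDays   = $defender.AntivirusSignatureAge
            FirewallProfilesOn = @($firewall | Where-Object { $_.Enabled -eq 'True' }).Count
            BitLocker          = "$bitlocker"
        }
        SoftwareCount   = @($software).Count
        FlaggedSoftware = @($flagged)
    }

    # Verdicts in the shape a compliance report shows them
    $posture.Compliance = [ordered]@{
        PatchesCurrent    = [bool]$lastFix -and $lastFix.InstalledOn -gt (Get-Date).AddDays(-$MaxPatchAgeDays)
        AntivirusActive   = [bool]($defender -and $defender.RealTimeProtectionEnabled)
        FirewallAllOn     = @($firewall | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        DiskEncrypted     = "$bitlocker" -eq 'On'
        NoFlaggedSoftware = @($flagged).Count -eq 0
    }
    [pscustomobject]$posture
}

Get-EndpointPosture | ConvertTo-Json -Depth 5
```

The version comparison deliberately uses `-as [version]` rather than a cast: vendors ship version strings such as "2024.1a" that would otherwise throw and abort the whole inventory, and a product whose version cannot be parsed is simply not flagged rather than misreported. If the JSON this produces disagrees with what the console shows for the same machine, the agent's last scan is stale or its scan failed, which is itself a finding.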
Endpoint Central vs WSUS vs Microsoft Intune - table
| Criterion | Endpoint Central | WSUS (deprecated) | Microsoft Intune |
|---|---|---|---|
| Deployment model | On-Premise or Cloud | On-Premise only | Cloud SaaS (Microsoft Azure) |
| Vendor support | Active (Zoho) | Deprecated since 2024 - works, no new features | Active (Microsoft) |
| Patch Management | Advanced, schedules | Basic, limited | Advanced + mobile |
| Software Deployment | MSI, EXE, scripts, AppX | None | Win32 apps (.intunewin), LOB MSI/MSIX, Store apps, scripts |
| Hardware inventory | Detailed (CPU, RAM, disk, MAC) | Basic | Detailed + mobile devices |
| Compliance Reporting | PCI-DSS, HIPAA, SOC2, GDPR | None | Advanced, Defender integration |
| Pricing model | Annual or perpetual license - quote based on machine count | Role built into Windows Server (no separate fee) | Part of Microsoft 365 / Intune subscription |
| Intuitiveness | Modern web UI, simple setup | Legacy MMC console, laborious | Intuitive (Microsoft Intune admin center) |
| Offline support | Possible (offline repo) | Online only | No (cloud only) |
| Recommendation for 50-500 machines | Good choice - advanced patch management | Works, but plan a successor | Sensible if you already have M365 E3+ |
FAQ - ManageEngine Endpoint Central
What is ManageEngine Endpoint Central used for?
Endpoint Central is a system for managing updates (patch management), software deployment, configuration and security on all computers on the network. It automates Windows patch rollout on 50-5000+ machines, oversees compliance and reports vulnerabilities.
Does Endpoint Central replace WSUS?
Endpoint Central can serve as a more modern alternative to WSUS. Both manage Windows patches, but Endpoint Central adds a richer interface, deployment schedules, third-party application patching and compliance reporting. Microsoft declared WSUS deprecated in September 2024 - it still works and is supported but receives no new features, so it is worth planning a move to Endpoint Central or Microsoft Intune.
How do I configure a patch management policy in Endpoint Central?
In Endpoint Central: Admin > Patch Management > Patch Policies. Define a policy (for example Security & Critical: every 2 weeks on Tuesday at 23:00 with a 30-minute installation window and reboot allowed). Attach computers to the policy (via OU, AD groups or manual tags). Endpoint Central automatically fetches patches from the vendor, verifies them and deploys them on schedule. The dashboard shows the percentage of machines patched, the install queue and errors.
What is a Patch Deployment Schedule in Endpoint Central?
A Patch Deployment Schedule is a deployment timetable for a group of computers. Example: security patches every 2 weeks in a 23:00-23:30 window on Tuesday, because Microsoft releases its monthly updates on the second Tuesday of the month at 10:00 Pacific time. You can also stage the roll-out - 10% of machines on Monday, 50% on Wednesday, 100% on Friday - so a bad patch hits a small ring before it reaches the whole infrastructure.
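A staged roll-out only reduces risk if the 10% ring is stable: if the pilot machines change every cycle, you learn nothing about which kinds of machines break. The PowerShell below is an added example, not from the article or from ManageEngine: it assigns each hostname to a ring by hashing the name, so the same machine always lands in the same ring, skips hosts matching a server pattern (which the article recommends keeping on their own manual policy), and writes one CSV per ring. The sample hostnames are constructed, the `SRV-*` exclusion pattern is a hypothetical convention, and the final step (creating a custom group per ring and attaching it to its own policy in the console) is an assumed workflow.

```powershell
# Added example, not from the article or ManageEngine. Splits a computer list
# into deployment rings deterministically: a machine always hashes into the
# same ring, so the 10 % pilot stays the same machines cycle after cycle.
function Get-DeploymentRing {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$RingCeiling = @(10, 50, 100),   # cumulative %: ring 1 = buckets 0-9, ring 2 = 10-49, ring 3 = 50-99
        [string[]]$ExcludePattern = @('SRV-*')  # hypothetical: servers get their own manual policy
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($name in $ComputerName) {
            if ($ExcludePattern | Where-Object { $name -like $_ }) {
                [pscustomobject]@{ ComputerName = $name; Bucket = $null; Ring = 'excluded' }
                continue
            }
            # Hash the normalized hostname; take the first 4 bytes as an unsigned int and fold into 0..99
            $hash   = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($name.ToUpperInvariant()))
            $bucket = [System.BitConverter]::ToUInt32($hash, 0) % 100
            $ring   = 1
            foreach ($ceiling in $RingCeiling) {
                if ($bucket -lt $ceiling) { break }
                $ring++
            }
            [pscustomobject]@{ ComputerName = $name; Bucket = $bucket; Ring = $ring }
        }
    }
    finally { $sha.Dispose() }
}

# Constructed sample list; in practice feed it from AD, e.g. (Get-ADComputer -Filter *).Name
$machines = 1..40 | ForEach-Object { 'PC-OFFICE-{0:D2}' -f $_ }
$machines += 'SRV-FILE-01', 'SRV-SQL-01'

$rings = Get-DeploymentRing -ComputerName $machines
$rings | Group-Object Ring | Select-Object Name, Count | Format-Table -AutoSize

# One CSV per ring: the list to turn into a custom group with its own patch policy in the console
$rings | Where-Object { $_.Ring -ne 'excluded' } | Group-Object Ring | ForEach-Object {
    $_.Group | Select-Object ComputerName | Export-Csv -Path ".\ring-$($_.Name).csv" -NoTypeInformation
}
```

Hashing the uppercased name rather than picking "the first N machines alphabetically" spreads each ring across departments and hardware models, which is what makes a pilot representative. With 40 sample hosts the ring sizes will only be roughly 10/40/50 percent; on a real estate of a few hundred machines the split converges on the configured ceilings.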
Related articles
- NIS2 and ITSM - security requirements
- CMDB instead of Excel - 7 signs it is time to switch
- Help desk for 50+ employees - 7 selection criteria
Rotech Group will scan your infrastructure and check how many machines have current patches. Report + Endpoint Central implementation quote - no commitment.