Forum Discussion
How is the software inventory created in MDATP?
Can anyone tell me exactly how the software inventory is created in MDATP? We have about 600 packaged applications, but only 200 are shown in the software inventory. When I look at the software inventory directly on a client, everything is correct. But I noticed that the global software inventory only shows applications that have a "Product Code (CPE)". How is this product code generated or where does it come from? And why do only about one third of my applications have this code? Even many Microsoft products do not have this code.
- NiklasM Brass Contributor
philippwree I am not 100% sure about the functionality, so I also hope for a deep dive answer.
But as far as I understood from the documentation and the last webinars, the software inventory depends on the EDR system.
Defender ATP is a discovery and not a scanning system, which means that software can only be detected if the software produces an event in your logs.
The Docs also tell this a little bit, but not clearly enough: https://docs.microsoft.com/de-de/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#funktionsweisehow-it-works
So if you are missing a piece of software, maybe it was not used yet. But if you use the software on a daily basis, then Microsoft should clarify this.
- philippwree Copper Contributor
NiklasM Thanks, I'll check it out.
- philippwree Copper Contributor
Unfortunately, this was not the solution. I have used some of the missing applications extensively, but they were still not listed in the software inventory.
Additionally, I noticed that the product code (CPE) in the individual software inventory of a device is set to "not available", but when I export the software inventory, the product code is available.
Dashboard:
Export:
- Tomer Teller Microsoft
philippwree - Thank you for the feedback. Your analysis is accurate.
We currently do not reflect Non-CPE products in the main software inventory page; this is planned to be fixed in the upcoming months.
- Sergg Iron Contributor
Tomer Teller sorry for chasing you, but can you please explain in a few more sentences the end-to-end process of how https://securitycenter.microsoft.com/software-inventory and https://securitycenter.microsoft.com/vulnerabilities get collected? Frequency, timeouts, does it use Windows Update or registry, etc.
Is there a blog or webinar from Microsoft explaining this subject so you do not repeat the information? We have customer questions while official Microsoft documentation does not have any details at all. Best regards Serg.
- byertjames Copper Contributor
Is there any update to OP's question? Maybe in the official documentation or forum?
I have the same questions for our environment. I have applications I've updated, removed, etc. and am wondering how quickly and how these changes correlate with discovered vulnerabilities.
If software is updated or removed then I expect the discovered vulnerabilities to update within a time frame.
If software is added, updated, removed then I expect the software inventory and security recommendations list to reflect the changes within a time frame.
- philippwree Copper Contributor
Now 14 months have passed. Is there any new status for reflecting Non-CPE products in the main software inventory page?
- Tomer Teller Microsoft
philippwree - While this capability was indeed deferred in previous releases, the good news is that it will land in this Q4.