Forum Discussion

philippwree
Copper Contributor
Jun 08, 2020

How is the software inventory created in MDATP?

Can anyone tell me exactly how the software inventory is created in MDATP? We have about 600 packaged applications, but only 200 are shown in the software inventory. When I look at the software inventory directly on a client, everything is correct. But I noticed that the global software inventory only shows applications that have a "Product Code (CPE)". How is this product code generated or where does it come from? And why do only about one third of my applications have this code? Even many Microsoft products do not have this code.


  • NiklasM
    Brass Contributor

    philippwree, I am not 100% sure about the functionality, so I also hope for a deep-dive answer.
    But as far as I understood from the documentation and the last webinars, the software inventory depends on the EDR system.
    Defender ATP is a discovery system and not a scanning system, which means that software can only be detected if it produces an event in your logs.

    The docs also tell this a little bit, but not clearly enough: https://docs.microsoft.com/de-de/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#funktionsweisehow-it-works

    So if you are missing a piece of software, maybe it was not used yet. But if you use the software on a daily basis, then Microsoft should clarify this.

      • philippwree
        Copper Contributor

        Unfortunately this was not the solution. I have used some of the missing applications extensively, but they were still not listed in the software inventory.


        Additionally, I noticed that the product code (CPE) in the individual software inventory of a device is set to "not available", but when I export the software inventory the product code is available.

        Dashboard: [screenshot of the device software inventory page]

        Export: [screenshot of the exported software inventory]

  • philippwree - Thank you for the feedback. Your analysis is accurate.

    We currently do not reflect non-CPE products in the main software inventory page; this is planned to be fixed in the upcoming months.
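A practical way to measure the gap the reply above confirms (installed applications that the main inventory page does not list because they have no CPE) is to reconcile a client's locally installed software against the portal's CSV export. The script below is an added example, not code from the thread or from Microsoft; it assumes the export has the columns `Name`, `Vendor` and `Product Code (CPE)`, and the sample export rows and fallback local list are constructed for illustration.

```powershell
# Added example (not from the thread): reconcile a client's locally installed
# software with an exported MDATP software inventory CSV, so that applications
# the main inventory page does not show (the non-CPE products discussed above)
# can be found. Column names ('Name', 'Vendor', 'Product Code (CPE)') are an
# assumption; adjust them to match the header row of your own export.

function Get-LocalInstalledSoftware {
    # Enumerate installed applications the way the Apps & Features list does:
    # per-machine (64-bit and 32-bit views) and per-user Uninstall keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName.Trim()
                Vendor  = [string]$_.Publisher
                Version = [string]$_.DisplayVersion
            }
        } | Sort-Object Name -Unique
}

function Compare-SoftwareInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Local,     # output of Get-LocalInstalledSoftware
        [Parameter(Mandatory)] [object[]] $Exported,  # rows of the portal's CSV export
        [string] $CpeColumn = 'Product Code (CPE)'    # assumed header name
    )
    # Normalise names so that case and whitespace differences do not hide a match.
    $norm = { param($s) ($s -replace '\s+', ' ').Trim().ToLowerInvariant() }
    $exportedByName = @{}
    foreach ($row in $Exported) { $exportedByName[(& $norm $row.Name)] = $row }

    # Locally installed applications that the export does not contain at all.
    $missing = $Local | Where-Object { -not $exportedByName.ContainsKey((& $norm $_.Name)) }
    # Exported rows whose CPE is empty or shows the portal's "not available" marker.
    $noCpe = $Exported | Where-Object {
        [string]::IsNullOrWhiteSpace($_.$CpeColumn) -or $_.$CpeColumn -eq 'not available'
    }
    [pscustomobject]@{
        LocalCount         = $Local.Count
        ExportedCount      = $Exported.Count
        MissingFromExport  = @($missing)
        ExportedWithoutCpe = @($noCpe)
    }
}

# Constructed sample export standing in for a real portal CSV (names are made up).
$sampleExportCsv = @'
Name,Vendor,Product Code (CPE)
Contoso Agent,Contoso,cpe:2.3:a:contoso:agent:4.2:*:*:*:*:*:*:*
Fabrikam Viewer,Fabrikam,not available
'@
$exported = $sampleExportCsv | ConvertFrom-Csv

# Read the real registry on Windows; elsewhere fall back to a constructed local list.
$local = if (Test-Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue) {
    Get-LocalInstalledSoftware
} else {
    @(
        [pscustomobject]@{ Name = 'Contoso Agent';   Vendor = 'Contoso';   Version = '4.2' },
        [pscustomobject]@{ Name = 'Fabrikam Viewer'; Vendor = 'Fabrikam';  Version = '1.0' },
        [pscustomobject]@{ Name = 'Northwind Tool';  Vendor = 'Northwind'; Version = '2.1' }
    )
}

$result = Compare-SoftwareInventory -Local $local -Exported $exported
"$($result.LocalCount) local apps, $($result.ExportedCount) exported rows"
"Installed locally but absent from the export:"
$result.MissingFromExport | Format-Table Name, Vendor, Version -AutoSize
"Exported rows without a CPE (not shown on the main inventory page yet):"
$result.ExportedWithoutCpe | Format-Table Name, Vendor -AutoSize
```

Run it on the client whose per-device inventory looked complete, replacing `$exported` with `Import-Csv` of the real export; the first list is what discovery has not reported at all, the second is what is reported but hidden from the main page by the CPE filter, so the two should be tracked separately when deciding which gaps to raise with Microsoft.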
    • Sergg
      Iron Contributor

      Tomer Teller, sorry for chasing you, but can you please explain in a few more sentences the end-to-end process of how https://securitycenter.microsoft.com/software-inventory and https://securitycenter.microsoft.com/vulnerabilities get collected? Frequency, timeouts, does it use Windows Update or the registry, etc.

      Is there a blog or webinar from Microsoft explaining this subject, so you do not have to repeat the information? We have customer questions, while the official Microsoft documentation does not have any details at all. Best regards, Serg.

      • byertjames
        Copper Contributor
        Is there any update to the OP's question? Maybe in the official documentation or forum?
        I have the same questions for our environment. I have applications I've updated, removed, etc., and am wondering how quickly and how these changes correlate with discovered vulnerabilities.

        If software is updated or removed, then I expect the discovered vulnerabilities to update within a time frame.

        If software is added, updated or removed, then I expect the software inventory and security recommendations list to reflect the changes within a time frame.

    • philippwree
      Copper Contributor
      Now 14 months have passed. Is there any new status on reflecting non-CPE products in the main software inventory page?
      • Tomer Teller
        Microsoft

        philippwree - While this capability was indeed deferred in previous releases, the good news is that it will land this Q4.
