How is the software inventory created in MDATP?

Can anyone tell me exactly how the software inventory is created in MDATP? We have about 600 packaged applications, but only 200 are shown in the software inventory. When I look at the software inventory directly on a client, everything is correct. But I noticed that the global software inventory only shows applications that have a "Product Code (CPE)". How is this product code generated or where does it come from? And why do only about one third of my applications have this code? Even many Microsoft products do not have this code.

 

6 Replies
@philippwree I am not 100% sure about the functionality, so I also hope for a deep-dive answer.
But as far as I understood from the documentation and the last webinars, the software inventory depends on the EDR system.
Defender ATP is a discovery system and not a scanning system, which means that software can only be detected if the software produces an event in your logs.

The Docs also explain this a little bit, but not clearly enough: https://docs.microsoft.com/de-de/windows/security/threat-protection/microsoft-defender-atp/tvm-softw...

So if you are missing a piece of software, maybe it was not used yet. But if you use the software on a daily basis, then Microsoft should clarify this.

@NiklasM Thanks, I'll check it out.

Unfortunately this was not the solution. I have used some of the missing applications extensively, but they were still not listed in the software inventory.

 

Additionally, I noticed that the product code (CPE) in the individual software inventory of a device is set to "not available", but when I export the software inventory the product code is available.

Dashboard: [screenshot]

Export: [screenshot]

@Gilad_Mittelman @Tomer Teller @Efrat Kliger Maybe you can assist here? Or you have a Microsoft colleague with the appropriate information.

@philippwree - Thank you for the feedback. Your analysis is accurate.

We currently do not reflect non-CPE products in the main software inventory page; this is planned to be fixed in the upcoming months.

@Tomer Teller sorry for chasing you, but can you please explain in a few more sentences the end-to-end process of how https://securitycenter.microsoft.com/software-inventory and https://securitycenter.microsoft.com/vulnerabilities get collected? Frequency, timeouts, does it use Windows Update or the registry, etc.

Is there a blog or webinar from Microsoft explaining this subject so you do not have to repeat the information? We have customer questions while the official Microsoft documentation does not have any details at all. Best regards, Serg.