Applies to:
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Servers Plan 1 & 2
The software inventory in Microsoft Defender Vulnerability Management is a list of known software in your organization. The default filter on the software inventory page displays all software with official Common Platform Enumerations (CPE). The view includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.
You can remove the CPE Available filter to gain further visibility and increase your search scope across all installed software in your organization. When you clear this filter, all software, including software without a CPE, displays in the software inventory list.
Note
CPEs are used by vulnerability management to identify software and any vulnerabilities. Software products without a CPE are shown in the software inventory page, but they're not supported by vulnerability management. Information like exploits, number of exposed devices, and weaknesses aren't available for software products without a CPE.
How it works
For discovery, vulnerability management uses the same set of signals that is responsible for detection and vulnerability assessment in Microsoft Defender for Endpoint detection and response capabilities.
Because discovery is real time, you see vulnerability information within minutes of its discovery. The engine automatically pulls information from multiple security feeds, so you can see whether a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report as soon as it's available.
Navigate to the Software inventory page
In the Microsoft Defender portal, in the navigation pane, go to Endpoints > Vulnerability management > Inventories, and then select the Software tab.
Note
If you search for software using the Microsoft Defender portal global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write windows_10 or windows_11 instead of Windows 10 or Windows 11.
Software inventory overview
The Software inventory lists software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. The data is updated every three to four hours. There's currently no way to force a sync.
You can filter the list view based on product code (CPE), OS platform, weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support.
Select the software that you want to investigate. A flyout pane opens with a more compact view of the information on the page. You can either dive deeper into the investigation and select Open software page, or flag any technical inconsistencies by selecting Report inaccuracy.
Software that isn't supported
Software that isn't currently supported by vulnerability management might be present in the software inventory page. Because it isn't supported, only limited data are available. Filter by unsupported software with the Not available option in the Weakness section.
Here's how to tell whether software isn't supported:
- The Weaknesses field shows Not available
- The Exposed devices field shows a dash
- Informational text is added in the side panel and in the software page
- The software page doesn't have security recommendations, discovered vulnerabilities, or event timeline sections
Software inventory on devices
In the Microsoft Defender portal, go to Assets > Devices to open the Device inventory page.
Select the name of a device to open its device page.
Select the Inventories tab. Under Software, you can see a list of all the known software present on the device.
Select a specific software entry to open the flyout with more information.
Software might be visible at the device level, even if it's currently not supported by vulnerability management. However, only limited data is available. You know if software is unsupported because it has Not available listed in the Weakness column. Software with no CPE can also show up under this device-specific software inventory.
Software evidence
See evidence of where specific software was detected on a device: in the registry, on the disk, or both. You can find this information on any device in the device software inventory.
Select a software name to open its flyout, and look for the section called Software Evidence.
Software pages
You can view software pages in the Microsoft Defender portal a few different ways:
- Go to Endpoints > Vulnerability management > Inventories, and select the Software tab. Select a software name, and then, in the flyout, select Open software page.
- Go to Endpoints > Vulnerability management > Recommendations. Select a recommendation, and in the flyout, select Open software page. (See Security recommendations page.)
- Go to Endpoints > Vulnerability management > Event timeline. Select an event, and then, in the Related components section, select the link for the software name. (See Event timeline page.)
The software page provides details about specific software with the following information:
- Overview with vendor information, exploits available, and impact rating
- Data visualizations showing the number of and severity of discovered weaknesses, exposed devices, software's usage in the past 30 days, and the top events in the last seven days.
- Tabs showing information, such as:
  - Corresponding security recommendations for the weaknesses and vulnerabilities identified.
  - Named CVEs of discovered vulnerabilities.
  - Devices that have the software installed (along with device name, domain, OS, and more).
  - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
  - Event timeline
  - Browser extensions (if applicable)
Normalized software versions
For some software, normalized versions might be displayed in the Microsoft Defender portal. For example, suppose a device has SQL Server 2016, version 13.0.7016.1 installed. However, in the Microsoft Defender portal, SQL Server 2016 is listed as 13.3.7016.1, a normalized version of SQL Server. In this case, 13.3.7016.1 is functionally equivalent to 13.0.7016.1.
Defender Vulnerability Management applies version normalization rules to ensure better cross-device correlation and more accurate vulnerability assessments. Version normalization is intentional and valid, and is used consistently to streamline detection logic and align with internal data models.
Report inaccuracy
Report an inaccuracy when you see vulnerability information and assessment results that are incorrect.
In the Microsoft Defender portal, go to Endpoints > Vulnerability management > Inventories, and select the Software tab.
Select a software name to open its flyout, and then select Report inaccuracy.
From the flyout pane, choose an issue. Examples include:
- A software detail is wrong
- The software isn't installed on any device in my org
- The number of installed or exposed devices is wrong
Fill in the requested details about the inaccuracy.
Select Submit. Your feedback is immediately sent to the vulnerability management experts.
Software inventory APIs
You can use APIs to view information on the software installed in your organization. The information returned by the APIs includes the devices it's installed on, software name, software publisher, installed versions, and number of weaknesses. For more information, see:
- Export software inventory assessment per device
- Export software vulnerabilities assessment per device
- Export non product code software inventory assessment per device
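The following added example (not part of the original page or Microsoft's code) rolls per-device export records up into the software-level view described above: device count, versions, weaknesses, and evidence type. The field names are assumed to match the per-device export response, and the sample records are constructed. Treating a record with no NumberOfWeaknesses as software without a CPE is also an assumption.

```python
# Constructed sample records (not real data). Field names are assumed to follow
# the per-device export schema; verify them against the API reference.
SAMPLE_EXPORT = [
    {"DeviceName": "srv-db-01", "SoftwareVendor": "examplevendor",
     "SoftwareName": "db_engine", "SoftwareVersion": "5.2.0",
     "NumberOfWeaknesses": 4,
     "RegistryPaths": ["HKLM\\SOFTWARE\\ExampleVendor\\DbEngine"],
     "DiskPaths": ["C:\\Program Files\\ExampleVendor\\DbEngine"]},
    {"DeviceName": "srv-db-02", "SoftwareVendor": "examplevendor",
     "SoftwareName": "db_engine", "SoftwareVersion": "5.2.0",
     "NumberOfWeaknesses": 4,
     "RegistryPaths": ["HKLM\\SOFTWARE\\ExampleVendor\\DbEngine"],
     "DiskPaths": []},
    {"DeviceName": "wks-17", "SoftwareVendor": "examplevendor",
     "SoftwareName": "db_engine", "SoftwareVersion": "4.9.1",
     "NumberOfWeaknesses": 9, "RegistryPaths": [],
     "DiskPaths": ["D:\\Tools\\DbEngine"]},
    # No NumberOfWeaknesses: stands in for software without a CPE (assumption).
    {"DeviceName": "wks-17", "SoftwareVendor": "inhouse",
     "SoftwareName": "build_helper", "SoftwareVersion": "0.4.2"},
]

def evidence_kind(rec):
    """Classify where the software was detected: registry, disk, both, or none."""
    reg, disk = bool(rec.get("RegistryPaths")), bool(rec.get("DiskPaths"))
    if reg and disk:
        return "both"
    return "registry" if reg else "disk" if disk else "none"

def roll_up(records):
    """Group per-device records by (vendor, name), like the inventory list."""
    rows = {}
    for rec in records:
        key = (rec["SoftwareVendor"], rec["SoftwareName"])
        row = rows.setdefault(key, {"devices": set(), "versions": set(),
                                    "weaknesses": None, "evidence": set()})
        row["devices"].add(rec["DeviceName"])
        row["versions"].add(rec["SoftwareVersion"])
        row["evidence"].add(evidence_kind(rec))
        count = rec.get("NumberOfWeaknesses")
        if count is not None:  # keep the worst count seen on any device
            row["weaknesses"] = max(row["weaknesses"] or 0, count)
    return rows

def unsupported(rows):
    """Software with no weakness data at all (shown as Not available)."""
    return sorted(k for k, r in rows.items() if r["weaknesses"] is None)
```
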