Merge pull request #3607 from MicrosoftDocs/mdvm-software

MDVM software inventory -- software version normalization

Author: Ruchika-mittal01

defender-vulnerability-management/tvm-software-inventory.md

@@ -12,7 +12,7 @@ ms.collection:
   - Tier1
 ms.topic: concept-article
 search.appverid: met150
-ms.date: 03/05/2025
+ms.date: 04/29/2025
 #customer intent: To learn about the software inventory page in Microsoft Defender for Endpoint's Vulnerability Management.
 ---
 
@@ -36,20 +36,18 @@ You can remove the **CPE Available** filter to gain further visibility and incre
 
 In the field of discovery, we're using the same set of signals that is responsible for detection and vulnerability assessment in [Microsoft Defender for Endpoint detection and response capabilities](/defender-endpoint/overview-endpoint-detection-response).
 
-Since it's real time, in a matter of minutes, you see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
+Since it's real time, in a matter of minutes, you see vulnerability information as it's discovered. The engine automatically grabs information from multiple security feeds. In fact, you see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
 
 ## Navigate to the Software inventory page
 
-Access the software inventory page by signing in to the [Microsoft Defender portal](https://security.microsoft.com) and navigating to **Endpoints** > **Vulnerability management** > **Inventories**, which opens to the **Software** tab.
+In the [Microsoft Defender portal](https://security.microsoft.com), in the navigation pane, go to **Endpoints** > **Vulnerability management** > **Inventories**, and then select the **Software** tab.
 
 > [!NOTE]
-> If you search for software using the the Microsoft Defender portal global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write `windows_10` or `windows_11` instead of `Windows 10` or `Windows 11`.
+> If you search for software using the Microsoft Defender portal global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write `windows_10` or `windows_11` instead of `Windows 10` or `Windows 11`.
 
 ## Software inventory overview
 
-The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags.
-
-The data is updated every three to four hours. There's currently no way to force a sync.
+The **Software inventory** lists software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. The data is updated every three to four hours. There's currently no way to force a sync.
 
 :::image type="content" alt-text="Example of the landing page for software inventory." source="/defender/media/defender-vulnerability-management/tvm-sw-inventory-main-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sw-inventory-main.png":::
 
@@ -74,7 +72,7 @@ Here's how to tell whether software isn't supported:
 
 ## Software inventory on devices
 
-1. Sign in to the Microsoft Defender portal. Navigate to **Assets** > **Devices** to open the **Device inventory** page.
+1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Assets** > **Devices** to open the **Device inventory** page.
 
 2. Select the name of a device to open its device page.
 
@@ -86,45 +84,53 @@ Software might be visible at the device level, even if it's currently not suppor
 
 ### Software evidence
 
-See evidence of where we detected a specific software on a device from the registry, disk, or both. You can find it on any device in the device software inventory.
+See evidence of where specific software was detected a device in the registry, on the disk, or both. You can find this information on any device in the device software inventory.
 
-Select a software name to open the flyout, and look for the section called **Software Evidence**.
+Select a software name to open its flyout, and look for the section called **Software Evidence**.
 
 :::image type="content" alt-text="Software evidence example of Microsoft Edge showing evidence registry path as seen on a device page" source="/defender/media/defender-vulnerability-management/tvm-sw-inventory-evidence-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sw-inventory-evidence.png":::
 
 ## Software pages
 
-You can view software pages a few different ways:
+You can view software pages in the [Microsoft Defender portal](https://security.microosft.com) a few different ways:
 
-- **Endpoints** > **Vulnerability management** > **Inventories** > Select a software name > Select **Open software page** in the flyout
-- [Security recommendations page](tvm-security-recommendation.md) > Select a recommendation > Select **Open software page** in the flyout
-- [Event timeline page](threat-and-vuln-mgt-event-timeline.md) > Select an event > Select the hyperlinked software name (like Visual Studio 2017) in the **Related component** section in the flyout
+- Go to **Endpoints** > **Vulnerability management** > **Inventories**, and select the **Software** tab. Select a software name, and then, in the flyout, select **Open software page**.
+- Go to **Endpoints** > **Vulnerability management** > **Recommendations**. Select a recommendation, and in the flyout, select **Open software page**. (See [Security recommendations page](tvm-security-recommendation.md).)
+- Go to **Endpoints** > **Vulnerability management** > **Event timeline**. Select an event, and then, in the **Related components** section, select the link for the software name. (See [Event timeline page](threat-and-vuln-mgt-event-timeline.md).)
 
- A full page appears with all the details of a specific software and the following information:
+ The software page provides details about specific software with the following information:
 
 - Overview with vendor information, exploits available, and impact rating 
 - Data visualizations showing the number of and severity of discovered weaknesses, exposed devices, software's usage in the past 30 days, and the top events in the last seven days.
-- Tabs showing information such as:
-  - Corresponding security recommendations for the weaknesses and vulnerabilities identified.
-  - Named CVEs of discovered vulnerabilities.
-  - Devices that have the software installed (along with device name, domain, OS, and more).
-  - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
-  - Event timeline
-  - Browser extensions (if applicable)
+- Tabs showing information, such as:
+   - Corresponding security recommendations for the weaknesses and vulnerabilities identified.
+   - Named CVEs of discovered vulnerabilities.
+   - Devices that have the software installed (along with device name, domain, OS, and more).
+   - Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).
+   - Event timeline
+   - Browser extensions (if applicable)
+
+:::image type="content" alt-text="Software example page for Microsoft Edge with the software details, weaknesses, exposed devices, and more." source="/defender/media/defender-vulnerability-management/tvm-sw-inventory-softpage-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sw-inventory-softpage.png":::
+
+## Normalized software versions
 
-    :::image type="content" alt-text="Software example page for Microsoft Edge with the software details, weaknesses, exposed devices, and more." source="/defender/media/defender-vulnerability-management/tvm-sw-inventory-softpage-small.png" lightbox="/defender/media/defender-vulnerability-management/tvm-sw-inventory-softpage.png":::
+For some software, normalized versions might be displayed in the Microsoft Defender portal. For example, suppose a device has [SQL Server 2016, version 13.0.7016.1](/troubleshoot/sql/releases/download-and-install-latest-updates#sql-server-2016) installed. However, in the [Microsoft Defender portal](https://security.microsoft.com), SQL Server 2016 is listed as `13.3.7016.1`, a normalized version of SQL Server. In this case, `13.3.7016.1` is functionally equivalent to `13.0.7016.1`.
+
+Defender Vulnerability Management applies version normalization rules to ensure better cross-device correlation and more accurate vulnerability assessments. Version normalization is intentional and valid, and is used consistently to streamline detection logic and align with internal data models.
 
 ## Report inaccuracy
 
 Report an inaccuracy when you see vulnerability information and assessment results that are incorrect.
 
-1. Open the software flyout on the Software inventory page.
-2. Select **Report inaccuracy**.
-3. From the flyout pane, choose an issue to report from:
+1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Endpoints** > **Vulnerability management** > **Inventories**, and select the **Software** tab. 
+
+2. Select a software name to open its flyout, and then select **Report inaccuracy**.
+
+3. From the flyout pane, choose an issue. Examples include:
 
-    - a software detail is wrong
-    - the software isn't installed on any device in my org
-    - the number of installed or exposed devices is wrong
+   - A software detail is wrong
+   - The software isn't installed on any device in my org
+   - The number of installed or exposed devices is wrong
 
 4. Fill in the requested details about the inaccuracy.