May i know how to get HTML template ,which generates reports which are grouped into catagories rather than by each CVE , like if i want data of all the vulnerabilities that affect a certain product and platform.

I could not finda place to post this so I am posting this here. The developer tab has a button "Create New Key". When I am logged in and I click on the link, it redirects me to login again and after log-in takes me to "Guidance" tab. I can't generate or view my key.
Do I need a special account or something to generate a key? How do I register for such an account?

RestartRequired and the newer SubType elements are not part of the standard CVRF schema. There should be an update to the community that new types are being added to the XML and JSON feed. The swagger files have not been updated either to reflect this.

I wanted to ask this question as I've seen this a few times in response data and I want to make sure I'm not missing something.

In the case of Windows 10, various KBs are targeted to various builds, and therefore it makes sense to list versions of Windows 10 as such:

        "Windows 10 Version 1703 for 32-bit Systems": "10951",
        "Windows 10 Version 1703 for x64-based Systems": "10952",
        "Windows 10 Version 1709 for 32-bit Systems": "11453",
        "Windows 10 Version 1709 for ARM64-based Systems": "11583",
        "Windows 10 Version 1709 for x64-based Systems": "11454",
        "Windows 10 Version 1803 for 32-bit Systems": "11497",
        "Windows 10 Version 1803 for ARM64-based Systems": "11563",
        "Windows 10 Version 1803 for x64-based Systems": "11498",

But for Windows Server, things look a little different:

        "Windows Server 2012": "10378",
        "Windows Server 2012 (Server Core installation)": "10379",
        "Windows Server 2012 R2": "10483",
        "Windows Server 2012 R2 (Server Core installation)": "10543",
        "Windows Server 2016": "10816",
        "Windows Server 2016 (Server Core installation)": "10855",
        "Windows Server 2019": "11571",
        "Windows Server 2019 (Server Core installation)": "11572",
        "Windows Server, version 1709 (Server Core Installation)": "11466",
        "Windows Server, version 1803 (Server Core Installation)": "11499",
        "Windows Server, version 1903 (Server Core installation)": "11647",

What are the differences between Windows Server, version 1903 (Server Core installation) and Windows Server 2019 (Server Core installation)"?

The webside is looping. I did try to greate a new user, but i still cant get an APi key.

Is there a way of fetching the list of all Microsoft products and their Product ID rather than using the productTree list everymonth.

Various customers have update processes that identify patchable assets by the "title" column on the Microsoft Update Catalogue page. If the CVRF parsing scripts also obtained the "title" columns from the Microsoft Update Catalogue page (linked in the current CVRF dataset) and included it, it would reduce manual effort to align CVRF data with update processes that require the "title" column data.

Data from the linked page to include:

Other (This is the page to scrape the data from):

I would like to see the date field for a particular KB. For example, KB4048961 should have 14/11/2017; this would be handy for compliance data, as we can check for when the KB got released to when we should be deploying this into production.

Thank you

Apologies if this is the wrong place to report this sort of feature request. Please let me know if I should file this elsewhere.

The examples on https://portal.msrc.microsoft.com/en-us/developer don't appear to be correct.

Most of the example reference an access token, for example:

@ECHO OFF

curl -v -X GET "https://api.msrc.microsoft.com/cvrf/{id}?api-version=2016-08-01"
-H "api-key: {subscription key}"
-H "Authorization: {access token}"

But there is no information on how to obtain such a token, and the example requests work without adding the Authorization header. In addition, the accompanying documentation does not mention this token.

Within a corporate environment, where servers are restricted from accessing the internet, the cmdlets should have "out-of-the-box" support for specifying Proxy settings.

Text-based Error

PS C:\> Get-MsrcCvrfDocument -ID $monthOfInterest -ApiKey $msrcApiKey -Verbose
VERBOSE: Calling https://api.msrc.microsoft.com/cvrf/2017-Apr?api-version=2016-08-01
VERBOSE: GET https://api.msrc.microsoft.com/cvrf/2017-Apr?api-version=2016-08-01 with 0-byte payload
Get-MsrcCvrfDocument : HTTP Get failed with status code ProxyAuthenticationRequired: Proxy Authentication Required
At line:1 char:1
+ Get-MsrcCvrfDocument -ID $monthOfInterest -ApiKey $msrcApiKey -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-MsrcCvrfDocument

I'm responsible for communicating the update releases to our teams which have to assess the actions to take and things to monitor. I've automated this into a script which does not bother the desktop team with SQL updates i.e. I would also like to add the known issues for patches to this communication but this information does not seem to be part of the current dataset.
Any chances this can be added to one of the current cmdlets or possibly a seperate cmdlet?

Kind regards,
Marcel de Haas

It would be nice to have a unique ID (GUID) given to each Product. If you look at the Update Details, the URL has the unique ID : https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=d4ac6c51-424d-402e-8e4e-0598abfb7e93 I see that ProductIDs are listed separately, maybe this GUID can be part of it.

In the old excel table I can find information about KB4010318

But in the updates API it's gone (I downloaded all available crvf JSON)

2016-Apr.json.gz
2016-Aug.json.gz
2016-Dec.json.gz
2016-Jul.json.gz
2016-Jun.json.gz
2016-May.json.gz
2016-Nov.json.gz
2016-Oct.json.gz
2016-Sep.json.gz
2017-Apr.json.gz
2017-Aug.json.gz
2017-Dec.json.gz
2017-Feb.json.gz
2017-Jan.json.gz
2017-Jul.json.gz
2017-Jun.json.gz
2017-Mar.json.gz
2017-May-B.json.gz
2017-May.json.gz
2017-Nov.json.gz
2017-Oct.json.gz
2017-Sep.json.gz
2018-Apr.json.gz
2018-Aug.json.gz
2018-Dec.json.gz
2018-FEB.json.gz
2018-Jan.json.gz
2018-Jul.json.gz
2018-Jun.json.gz
2018-Mar.json.gz
2018-May.json.gz
2018-Nov.json.gz
2018-Oct.json.gz
2018-Sep.json.gz
2019-Feb.json.gz
2019-Jan.json.gz

Am I wrong?

When I view /Updates

            "ID": "2016-Aug",
            "Alias": "2016-Aug",
            "DocumentTitle": "August 2016 Security Updates",
            "Severity": null,
            "InitialReleaseDate": "2017-06-13T07:00:00Z",
            "CurrentReleaseDate": "2017-06-13T07:00:00Z",
            "CvrfUrl": "https://api.msrc.microsoft.com/cvrf/2016-Aug?api-Version=2016-01-01"

But if you go view the XML for the 2016-Aug, the Initial Date vs Current Date are different

        <cvrf:InitialReleaseDate>2016-08-09T07:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2017-06-13T07:00:00</cvrf:CurrentReleaseDate>

I would expect the \Updates to have the correct data for Initial Release Date.

Description

When making a request for a given CVE ID, or a year (or practically any filter) using the PowerShell cmdlet of Get-MsrcSecurityUpdate or via the API explorer found at https://portal.msrc.microsoft.com/en-us/developer, filters are discarded and a list of all known CVEs are returned every time.

Steps to Reproduce

• Install the MsrcSecurityUpdates PowerShell module
• Request an API key

Get-MsrcSecurityUpdate -Year 2016 

OR

Use the API Explorer to make a request which would end up hitting this URL. https://api.msrc.microsoft.com/Updates('2016')?api-version=2020

Expected Behavior

The cmdlet should filter down to only Updates for the year 2016.

ID       DocumentTitle                  
--       -------------                  
2016-Apr April 2016 Security Updates    
2016-Aug August 2016 Security Updates   
2016-Dec December 2016 Security Updates 
2016-Jan January 2016 Security Updates  
2016-Jul July 2016 Security Updates     
2016-Jun June 2016 Security Updates     
2016-May May 2016 Security Updates      
2016-Nov November 2016 Security Updates 
2016-Oct October 2016 Security Updates  
2016-Sep September 2016 Security Updates

Actual Behavior

~52 updates, including those released this month are returned even though our filter should have restricted to year 2016. This seems to happen for all filters provided.

Tagging my friend who is also curious about this @waingrositblog

Hello,

What is the meaning of 2 or 5 or other values in the Type field of $cvrfDoc.Vulnerability.Remediations ?

Thanks

Following the directions, open the Swagger demo, place the link to the swagger definition (in this case JSON) and explore, causes an error to be thrown by the swagger app "Failed T Load Spec".

Details shows:
{"messages":["malformed or unreadable swagger supplied"],"schemaValidationMessages":[{"level":"error","domain":"validation","keyword":"type","message":"instance type (string) does not match any allowed primitive type (allowed: [\"object\"])","schema":{"loadingURI":"#","pointer":""},"instance":{"pointer":""}}]}

When I try running this : https://api.msrc.microsoft.com/Updates?api-version=2019&$filter=CurrentReleaseDate gt 2019-10-01
it returns
{ "error": { "code": "", "message": "OData URI failed validation" } }
This was working fine, but have noticed this week the failure.
Swagger and documentation on the API mentioned that OData is supported

Hi MSRC Team,

We're interested in integrating this API in our security systems. The content provided by this API is well-structured and will help us with vulnerability management. We had a few questions about MSRC's support of this API:

What are the plans for long term support of this API?
Does this API follow a versioning scheme?
Are there any other APIs available for security information from Microsoft?

Thanks,
Alex

cc: @wedge206 @mdressman

Have also been using the API's for a while now, however today (8/7/2020) I have been getting 500 HTTP codes back. Haven't changed my apikey and can't seem to understand what's wrong.

Hello, I'm working with a project team who is building a security/compliance app that takes details of applicable KBs for (usually Windows Server) systems from WSUS and/or SCCM, and uses that export as input to call Security Update API. In general, this process works, but the team will have a consisten number (about 45) updates that are determined to be applicable, and these updates are not found when calling the Security Update API.

Can the forum moderator help us identify why these particular KBs are not being found?
There is bit in of a pattern as 25 of the 50 "missing KBs" look to be related to .NET Framework updates, and there are at least 4 related to servicing stack updates, but remainder, on surface, don't appear to have any specific pattern.

Compared the missing updates to another post from this forum in 2018, and there were no common KBs (from the 2018 post), so curious if someone who directly supports the Security Update API is able to repro independently and then confirm what behavior is expected and whether we have possible fixes or mitigations.

MissingKBsv2.xlsx
SecurityUpdateGuideSupersedence.docx

Cross referencing the total number of KBs and CVEs discovered through these APIs, there appears to be missing information and such is the case shown here....
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

That CVE is in reference to March 23, 2020 for CVE ADV990001, where ADV990001 is suppose to contain all the Servicing Stack Updates. However this CVE is not contained the API response for 2020-Mar. Is there a reason why this information is missing?

Apologies if this is the wrong place to report this sort of feature request. Please let me know if I should file this elsewhere.

It would be very useful if the API endpoints supported CORS, as this would allow data to be easily consumed by client-side web applications.

As things currently stand attempting to use an XMLHttpRequest requires adding the api-key header which (at least in Chome) triggers an a pre-flight OPTIONS request. This returns a 404 status, and does not contain an Access-Control-Allow-Origin header, which blocks further requests from being made.

Here's the chrome console when this occurs:

Here's an example OPTIONS request which fails:

$ curl "https://api.msrc.microsoft.com/Updates?api-version=2016-08-01" -H 'api-key: xxxx' -X OPTIONS
{ "statusCode": 404, "message": "Resource not found" }

It would be great if you would consider adding support for this.

$KBArticleObject | 
        ForEach-Object {
            $kb = $_
            #In older months, there won't be a subtype. Handle this so there are not empty ()'s
            if($kb.SubType){
                $HTML_TO_RETURN += $('<a href="{0}" >{1} ({2})' -f $kb.URL, $kb.ID, $kb.SubType)
            } else {
                $HTML_TO_RETURN += $('<a href="{0}" >{1}' -f $kb.URL, $kb.ID)
            }

This script under Process takes data from Get-MSrcCVRFAffectedSoftware, where $KB = $_ .However there does not exist a $KB.subtype, as $KB is a sub object under Get-MsrcCVRFAffectedSoftware output object.

Example of one output object of Get-MsrcCVRFAffectedSoftware

FullProductName : Windows Server 2008 for x64-based Systems Service Pack 2
KBArticle : @{ID=4131188; URL=https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4131188; SubType=Security Update}
CVE : CVE-2018-8120
Severity : Important
Impact : Elevation of Privilege
RestartRequired : Yes
Supercedence : 4093224
CvssScoreSet : @{base=7.00; temporal=6.30; vector=CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C}

Hence the line $KB = $_ should actually be $kb = $_.KBArticle

Dataset 2016-Oct and 2017-May-B has no Vulnerabilities field, why do you keep it here O_O

e.g

{
  "DocumentTitle": {
    "Value": "May 8 2017 Security Updates"
  },
  "DocumentType": {
    "Value": "Security Update"
  },
  "DocumentPublisher": {
    "ContactDetails": {
      "Value": "[email protected]"
    },
    "IssuingAuthority": {
      "Value": "The Microsoft Security Response Center (MSRC) identifies, monitors, resolves, and responds to security incidents and Microsoft software security vulnerabilities. For more information, see http://www.microsoft.com/security/msrc."
    },
    "Type": 0
  },
  "DocumentTracking": {
    "Identification": {
      "ID": {
        "Value": "2017-May-B"
      },
      "Alias": {
        "Value": "2017-May-B"
      }
    },
    "Status": 2,
    "Version": "1.0",
    "RevisionHistory": [
      {
        "Number": "1",
        "Date": "2017-05-08T07:00:00",
        "Description": {
          "Value": "May 8 2017 Security Updates"
        }
      }
    ],
    "InitialReleaseDate": "2017-05-08T07:00:00",
    "CurrentReleaseDate": "2017-05-08T07:00:00"
  },
  "DocumentNotes": [
    {
      "Title": "Release Notes",
      "Audience": "Public",
      "Type": 1,
      "Ordinal": "1",
      "Value": "<p>The May security release consists of security updates for the following software:</p>\n<ul>\n<li>Microsoft Forefront</li>\n<li>Windows Defender</li>\n</ul>\n<p>&nbsp;</p>\n<p>&nbsp;</p>\n<p><u>Known Issues</u></p>\n<p>&nbsp;</p>"
    },
    {
      "Title": "Legal Disclaimer",
      "Audience": "Public",
      "Type": 5,
      "Ordinal": "2",
      "Value": "The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply."
    }
  ],
  "ProductTree": {
    "Branch": [
      {
        "Type": 0,
        "Name": "Microsoft"
      }
    ]
  }
}

Supersede is a commonly misspelled word and has been misspelled in the swagger files

With the next minor patch release (as this is an API breaking change), can we fix this?

Sorry about being a grammar nazi 😄

hi ！
I wonder how to get the Authorization， the api key is clearly， but the way to get access token is obscure，Did I be a vip or ? Please tell me, Thanks

I welcome being mistaken, but it doesn't appear that the master KB is attainable unless I scrape it out of the URL field of the "Known Issue" property of a vulnerability remediation.

Is there an easier way to get the master KB?

The "type" field in the cvrf doc is not user friendly.

instead of:
$cvrfDoc.Vulnerability.Remediations | Where Type -EQ 2

we should have something like:
$cvrfDoc.Vulnerability.Remediations | Where Type -EQ $Msrc-vendorFix

adding this to my backlog.

There's no clue on https://portal.msrc.microsoft.com/en-us/security-guidance

PS C:\WINDOWS\system32> Get-MsrcCvrfDocument -ID '2017-Apr'
Get-MsrcCvrfDocument : Cannot retrieve the dynamic parameters for the cmdlet. Unable to get online
the list of CVRF ID
At line:1 char:1

• Get-MsrcCvrfDocument -ID '2017-Apr'

•   + CategoryInfo          : InvalidArgument: (:) [Get-MsrcCvrfDocument], ParameterBindingExcepti
   on
    + FullyQualifiedErrorId : GetDynamicParametersException,Get-MsrcCvrfDocument
  

Hi , i am getting the same error from the last 3days...please help to solve this asap...

This is for March -2019

below is the error :
Get-MsrcCvrfDocument -ID $monthOfInterest -Verbose | Get-MsrcSecurityBulletinHtml -Verbose | Out-File c:\temp\MSRCMarchSecurityUpdates.html
Get-MsrcCvrfDocument : Cannot retrieve the dynamic parameters for the cmdlet. Unable to get online the list of CVRF ID
At line:1 char:1

Get-MsrcCvrfDocument -ID $monthOfInterest -Verbose | Get-MsrcSecurity ...

• CategoryInfo : InvalidArgument: (:) [Get-MsrcCvrfDocument], ParameterBindingException
• FullyQualifiedErrorId : GetDynamicParametersException,Get-MsrcCvrfDocument

Hi everyone,

do you know how can I get the last update instead of -ID of the month ?

Thanks a lot,
Yonatan

What can I use in the API for /cvrf/ID to translate the returned Product ID to a product name? If the ability doesn't currently exist, can it be added?

For this month, Jun-2017 module Get-MsrcSecurityBulletinHtml throws an error it doesn't for earlier months, e.g., April.

PS C:\temp> Install-Module MSRCSecurityUpdates -Force
PS C:\temp> Set-MSRCApiKey -ApiKey "[REDACTED]" -Verbose
VERBOSE: Performing the operation "Set item" on target "[REDACTED]".
VERBOSE: Successfully set your API Key required by cmdlets of this module. Calls to the MSRC APIs will now use your API key.
VERBOSE: Successfully defined a msrcApiUrl global variable that points to https://api.msrc.microsoft.com
VERBOSE: Successfully defined a msrcApiVersion global variable that points to api-version=2016-08-01
PS C:\temp> $monthOfInterest = '2017-Jun'
PS C:\temp> Get-MsrcCvrfDocument -ID $monthOfInterest -Verbose | Get-MsrcSecurityBulletinHtml -Verbose | Out-File c:\temp\MSRCSecurityUpdates-${monthOfInterest}.html
VERBOSE: Calling https://api.msrc.microsoft.com/cvrf/2017-Jun?api-version=2016-08-01
VERBOSE: GET https://api.msrc.microsoft.com/cvrf/2017-Jun?api-version=2016-08-01 with 0-byte payload
VERBOSE: received 2183597-byte response of content type application/json; charset=utf-8
Get-MsrcSecurityBulletinHtml : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:1 char:54

• Get-MsrcCvrfDocument -ID $monthOfInterest -Verbose | Get-MsrcSecurityBulletinHtm ...

•                                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidArgument: ({
    "DocumentT...
    }
    ]
    }:PSObject) [Get-MsrcSecurityBulletinHtml], ParameterBindingException
  • FullyQualifiedErrorId : InputObjectNotBound,Get-MsrcSecurityBulletinHtml

PS C:\temp> Get-MsrcCvrfDocument -ID $monthOfInterest -Verbose | Out-File c:\temp\foo.txt
VERBOSE: Calling https://api.msrc.microsoft.com/cvrf/2017-Jun?api-version=2016-08-01
VERBOSE: GET https://api.msrc.microsoft.com/cvrf/2017-Jun?api-version=2016-08-01 with 0-byte payload
VERBOSE: received 2183597-byte response of content type application/json; charset=utf-8

The output for June is different, as shown below.

PS C:\temp> Get-MsrcCvrfDocument -ID $monthOfInterest -Verbose | Out-File c:\temp\foo-Apr.txt
VERBOSE: Calling https://api.msrc.microsoft.com/cvrf/2017-Apr?api-version=2016-08-01
VERBOSE: GET https://api.msrc.microsoft.com/cvrf/2017-Apr?api-version=2016-08-01 with 0-byte payload
VERBOSE: received 898987-byte response of content type application/json; charset=utf-8
PS C:\temp> $monthOfInterest
2017-Apr
PS C:\temp> $monthOfInterest = '2017-Jun'
PS C:\temp> Get-MsrcCvrfDocument -ID $monthOfInterest -Verbose | Out-File c:\temp\foo-Jun.txt
VERBOSE: Calling https://api.msrc.microsoft.com/cvrf/2017-Jun?api-version=2016-08-01
VERBOSE: GET https://api.msrc.microsoft.com/cvrf/2017-Jun?api-version=2016-08-01 with 0-byte payload
VERBOSE: received 2183597-byte response of content type application/json; charset=utf-8
PS C:\temp> gc C:\temp\foo-Apr.txt | select -first 10

DocumentTitle : @{Value=April 2017 Security Updates}
DocumentType : @{Value=Security Update}
DocumentPublisher : @{ContactDetails=; IssuingAuthority=; Type=0}
DocumentTracking : @{Identification=; Status=2; Version=1.0; RevisionHistory=System.Object[];
InitialReleaseDate=2017-04-11T07:00:00; CurrentReleaseDate=2017-04-11T07:00:00}
DocumentNotes : {@{Title=Release Notes; Audience=Public; Type=1; Ordinal=1; Value=

The April security
release consists of security updates for the following software:

PS C:\temp> gc C:\temp\foo-Jun.txt | select -first 10
{
"DocumentTitle": {
"Value": "June 2017 Security Release"
},
"DocumentType": {
"Value": "Security Update"
},
"DocumentPublisher": {
"ContactDetails": {
"Value": "[email protected]"

Dear all,

I'm responsible to debug for the python program to retrieve data of "Patch Tuesday" for Microsoft updates. The most serious problems are

• Impact of the vulnerability for the product contains NONE
• Some KB links have no description
• Some KB links have wrong matches i.e. the URL for the KB does not match the KB's title

So, I wish to know what the problem is related to? Thanks!

I'm seeing duplicate ProductIDs for ProductStatuses. For example in April 2017 for CVE: CVE-2017-0158
I see duplicating ProductIDs. This was not the case when I originally saved the XML in April

The API does not return data for single CVEs when called as described in the swagger.yaml:
curl -X GET "https://api.msrc.microsoft.com/Updates(''CVE-2020-1594'')?api-version=2019" -H "accept: application/json" -H "api-key: 0a48f51b0cf3482097257edfbdd7b844"
Returns 404 (The resource you are looking for has been removed, had its name changed, or is temporarily unavailable)

With CVE-2019-1448
KB product IDs are different but have the same URL link.
I think this is an API bug.
Have you considered helping.
Details of attached file.

Some other CVE-IDs are similar.
Microsoft-API_2019-nov.xlsx

Get-CVRFID is failing, so Get-MsrcCvrfDocument fails to generate the dynamic parameters.
Get-CVRFID sends the following request:

GET https://api.msrc.microsoft.com/Updates?api-version=2016-08-01 HTTP/1.1
Accept: application/json
Api-Key: <myapikey>
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
Host: api.msrc.microsoft.com
Connection: Keep-Alive

And gets a 500 error with no detail.

Hi MSRC team,
Is the API currently down? I just test the API and it is returning Internal Server Error 500.
Is there any maintenance running?
url: https://api.msrc.microsoft.com/cvrf/2020-jul?api-version=2016
I can verify that the api key sent in the request header is valid.

The update API has some glitches but generally works. I can find KB id in it, but no MSXX-XX field in it, e.g MS17-023

Am I wrong?

We've been using the MSRC Security Updates API for a while to get security updates information. However, the API has been returning 'Internal Server Error' 500 since today (04/23/2020).

Is the API down? Has there been any change recently in usage instructions? Any other ideas why this error might be thrown?

url: https://api.msrc.microsoft.com/cvrf/2020-apr?api-version=2016

We've verified that the api key sent in the request header is valid.

Seeing error Set-MSRCApiKey : The term 'Set-MSRCApiKey' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At SecurityUpdates:3 char:3
+
+ CategoryInfo : ObjectNotFound: (Set-MSRCApiKey:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
even though the module is deployed

The output of Get-MsrcCvrfDocument cmdlet is with key as CVE number. This is good from a security point of view that all CVE's are covered. However, for a WSUS Admin point of view, it would KBs that are more important.

A particular KB has more than one CVE linked to it. Hence, we should have a cmdlet which generates report per KBnumber with information on the CVEs covered by it.

When I click on Create New Key on the API site, I'm directed to login with my microsoft account (using a corporate account), which I do, and then I get redirected back to the "Create New Key" page, and nothing seems to have happened

Monthly Security Only updates seems to be missing ProductID values in the Vulnerability object.

For example:

$Document = Get-MsrcCvrfDocument -Id '2017-May'
$Vulnerability = $Document.Vulnerability |? {$_.CVE -Eq 'CVE-2017-0077'}
$Vulnerability.Remediations |? {$_.Description.Value -In @(4019264, 4019263)}

Output:

Description     : @{Value=4019264}
URL             : https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019264
Supercedence    : 4015549
ProductID       : {10047}
Type            : 2
DateSpecified   : False
AffectedFiles   : {}
RestartRequired : @{Value=Yes}

Description     : @{Value=4019264}
URL             : https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019264
Supercedence    : 4015549
ProductID       : {10048, 10049, 10051}
Type            : 2
DateSpecified   : False
AffectedFiles   : {}
RestartRequired : @{Value=Yes}

Description     : @{Value=4019264}
URL             : https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019264
Supercedence    : 4015549
ProductID       : {10050}
Type            : 2
DateSpecified   : False
AffectedFiles   : {}
RestartRequired : @{Value=Yes}

Description     : @{Value=4019263}
URL             : https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019263
Type            : 2
DateSpecified   : False
AffectedFiles   : {}
RestartRequired : @{Value=Yes}

Description     : @{Value=4019263}
URL             : https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019263
Type            : 2
DateSpecified   : False
AffectedFiles   : {}
RestartRequired : @{Value=Yes}

Description     : @{Value=4019263}
URL             : https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4019263
Type            : 2
DateSpecified   : False
AffectedFiles   : {}
RestartRequired : @{Value=Yes}

Where KB4019264 is 'May 9, 2017—KB4019264 (Monthly Rollup)' for W7, W2008R2 and
KB4019263 is 'KB4019263 (Security-only update)' for W7, W2008R2.

The KB4019263 update also gets dropped from the result of: Get-MsrcCvrfAffectedSoftware and MsrcVulnerabilityReportHtml

Since there is one/more Product ID with every KB:

example:

10521 Microsoft Office 2010 Service Pack 2 (32-bit editions)

My question is how this "10521" calculated? Is it from the GUID "{90140000-0016-0409-0000-0000000FF1CE}"?

I need to convert all the GUID to Product ID to map all affected products on my system.

THANK YOU

On Windows 7 with PowerShell 3 I get the following error:

Get-MsrcCvrfDocument "2016-Aug" -Verbose

Get-MsrcCvrfDocument : Cannot retrieve the dynamic parameters for the cmdlet. Unable to get online the list of CVRF ID

Presumably that is because Invoke-RestMethod doesn't accept the "Accept" header.

Invoke-RestMethod -Uri 'https://api.msrc.microsoft.com/Updates?api-Version=2016-08-01' -Headers @{ 'Api-Key' = 'x' 'Accept' = 'application/json' }

Invoke-RestMethod : The 'Accept' header must be modified using the appropriate property or method.
Parameter name: name

Edit:
On Windows 2012 R2 with PowerShell 5.0 i get the same error for Get-MsrcCvrfDocument but Invoke-RestMethod is working. Please note that I'm behind a proxy and set the proxy configuration as $PSDefaultParameterValues (see #5 ). Might also be related to that.

I would like to request a complete ProductTree list with all possible ProductNames and their ProductID's. The ability to get this list through the API would be preferable but a static list kept up to date would be sufficient.

From looking at the few available document id's, it seems the ProductID values of different products in
(Get-MsrcCvrfDocument -Id $ID).ProductTree.FullProductName are constant. The ID's seems like a better way of identifying which products a certain vulnerability or update is for than trying to parse it out of the actual product name, especially in cases where it's an update for an application on a specific operating system.

For example:

ProductID   Value                                                                                                                       
---------   -----                                                                                                                       
10384-10729 Adobe Flash Player on Windows 10 for 32-bit Systems                                                                         

Where 10384 seems to represent Adobe Flash Player and 10729 represents Windows 10 for 32-bit Systems