Collection Rule for event with source CertificationAuthority and ID 81

Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.81 (Rule)

Certificate Services key archival is not supported on this version of Windows Server.

Knowledge Base article:


Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.


Use a version of Windows Server 2008 that supports AD CS key archival

Key archival is available only with certification authorities (CAs) that are installed on computers running the Windows Server 2008 Enterprise operating system or the Windows Server 2008 Datacenter operating system.

Confirm that the CA you are using is installed on a computer running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

To identify the Windows edition:


To confirm that key archival and recovery is working properly:

Element properties:

Event Source: Microsoft-Windows-CertificationAuthority
Alert Generate: False
Event Log: Application
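
The properties above (Application log, provider Microsoft-Windows-CertificationAuthority, event ID 81) and the edition requirement from the knowledge base text can be checked by hand on the CA host. The PowerShell below is an added example, not part of the management pack; the function name Get-CaKeyArchivalStatus and the 30-day look-back window are assumptions.

```powershell
# Added example: manual check that mirrors the rule's event match and reports the OS edition.
# Get-CaKeyArchivalStatus and the -Days default are illustrative, not names from the management pack.
function Get-CaKeyArchivalStatus {
    [CmdletBinding()]
    param(
        [string]$ComputerName,   # omit to query the local CA host
        [int]$Days = 30          # look-back window (assumed value)
    )

    # Pass -ComputerName only when one was supplied, so local runs do not need WinRM.
    $remote = @{}
    if ($ComputerName) { $remote.ComputerName = $ComputerName }

    # The Caption string carries the edition name (Standard, Enterprise, Datacenter).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem @remote

    # Same criteria as the rule's data source: Application log, CA provider, event ID 81.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        Id           = 81
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent writes an error when nothing matches; that case is treated as zero events.
    # SilentlyContinue also hides access or connectivity errors, so verify reachability separately.
    $events = @(Get-WinEvent @remote -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Edition      = $os.Caption
        Event81Count = $events.Count
        # Get-WinEvent returns newest events first, so index 0 is the most recent.
        LastEvent81  = if ($events.Count) { $events[0].TimeCreated } else { $null }
    }
}

Get-CaKeyArchivalStatus
```

A non-zero Event81Count on a host whose Edition is neither Enterprise nor Datacenter matches the condition this rule collects.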

Member Modules:

ID                    Module Type  TypeId                                                               RunAs
DS                    DataSource   Microsoft.Windows.EventProvider                                      Default
WriteToCertSvcEvents  WriteAction  Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher Default
WriteToDB             WriteAction  Microsoft.SystemCenter.CollectEvent                                  Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.81" Enabled="onEssentialMonitoring" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.6.3" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
<Value Type="UnsignedInteger">81</Value>
<XPathQuery Type="String">PublisherName</XPathQuery>
<Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>