Key vault extension not setting CertificateServicesClient-Lifecycle-System 1001

Peter Harris 1 Reputation point

The VM key vault extension, kvvm, is installed on a VM. It is watching a certificate in a key vault.
When that certificate is updated, kvvm correctly notices and correctly installs the certificate
on the VM.

However, the Replace trigger, Path='Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational' EventID=1001 is not triggered
even though the old and new certificates have the same Subject Alternative Name.

How can I get the Replace trigger to fire so that actions in the Task Scheduler will run?

Here are the settings for kvvm
from C:\Packages\Plugins\Microsoft.Azure.KeyVault.KeyVaultForWindows\1.0.1409.21\RuntimeSettings\0.settings

"runtimeSettings": [
"handlerSettings": {
"publicSettings": {
"secretsManagementSettings": {
"pollingIntervalInS": "43200",
"linkOnRenewal": true,
"certificateStoreName": "MY",
"certificateStoreLocation": "LocalMachine",
"observedCertificates": [
"<certificate path>"

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,159 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Akshay-MSFT 16,931 Reputation points Microsoft Employee

    Hello @Peter Harris ,

    Thanks for your time and patience, I was able to view this. I did review the settings you have posted and they look inline with Extension schema. However could you please validate the following:

    • Your observed certificates URLs should be of the form
    • The 'authenticationSettings' property is required for VMs with any user assigned identities. Even if you want to use a system-assigned identity, this is still required; otherwise the VM extension will not know which identity to use. Without this section, a VM with user-assigned identities will result in the Key Vault extension failing and being unable to download certificates. It specifies identity to use for authentication to Key Vault.
    • If you specify the 'msiClientId', then the 'msiEndpoint' property is required. Usually the value should be set to

    Please follow steps as per give answer to renew the cert:

    Renew a machine cert manually via MMC.


    Let me know if you have any queries in the comments section.

    Akshay Kaushik

    Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well.

    0 comments No comments