Microsoft-Windows-KdsSvc
13 events across 1 channel
Event ID 4001: Group Key Distribution Service failed to start.
#Event ID 4002: Group Key Distribution Service started.
#Description
Group Key Distribution Service started.
Message #
Event ID 4003: Group Key Distribution Service stopped.
#Description
Group Key Distribution Service stopped.
Message #
Event ID 4004: Group Key Distribution Service created a master root key in AD.
#Description
Group Key Distribution Service created a master root key in AD. The key ID is MRKID.
Message #
Fields #
| Name | Description |
|---|---|
MRKID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-KdsSvc",
"event_id": 4004,
"level": "Information",
"task": null,
"opcode": "Info",
"time_created": "2026-03-17T19:54:31.2905965+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-KdsSvc/Operational"
},
"event_data": {
"MRKID": "8a921fa4-b627-210c-8e00-7f44dec454da"
}
}
Event ID 4005: Group Key Distribution Service failed to create a master root key in AD.
#Event ID 4006: Group Key Distribution Service has encountered an invalid master root key.
#Description
Group Key Distribution Service has encountered an invalid master root key. The key ID is MRKIDGUID. AttrName is the name of the wrong configuration. If this master root key is the current key in use, Group Key Distribution Service will not be able to provide any new keys. If key generation issue is encounted, please contact administrators to generate a new valid master root key.
Message #
Fields #
| Name | Description |
|---|---|
MRKIDGUID GUID | |
AttrName UnicodeString |
Event ID 4007: Group Key Distribution Service cannot connect to the domain controller on local host.
#Event ID 4008: Group Key Distribution Service cannot start the work thread to read new data from AD periodically.
#Description
Group Key Distribution Service cannot start the work thread to read new data from AD periodically. Status ErrorCode. Group Key Distribution Service cannot be started because of the error. Please contact administrators to resolve the issue.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode HexInt32 |
Event ID 4009: Group Key Distribution Service failed to generate key using master root key MRKID.
#Event ID 4010: Group Key Distribution Service configuration is using some invalid value.
#Description
Group Key Distribution Service configuration is using some invalid value. The invalid attribute is AttrName. As a result, Group Key Distribution Service cannot generate any new key using this configuration. Please contact administrators to resolve the issue.
Message #
Fields #
| Name | Description |
|---|---|
AttrName UnicodeString |
Event ID 4011: Group Key Distribution Service successfully loaded all root keys (Integer) from the local domain controller.
#Event ID 4012: Group Key Distribution Service failed to load root keys from the local domain controller.
#Event ID 4013: Group Key Distribution Service received a root key container change notification from the local domain controller.
#Description
Group Key Distribution Service received a root key container change notification from the local domain controller.
Message #
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 89203471-d554-47d4-bde4-7552ec219999
Defined in KdsCli.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4647, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02