4671 An application attempted to access a blocked ordinal through the TBS
A defined but never-generated event. The OS never invokes it, so it is not encountered in practice.
Overview
The subcategory is Audit Other Object Access Events. It is meant for the case where an application tries to access a blocked ordinal (function number) through the TBS (TPM Base Services: the base service for working with the TPM chip). However, as the original docs state, it is not invoked or generated on this OS.
How it is triggered
- By definition, when something tries to access a blocked ordinal through the TBS.
- In practice it does not occur.
Security review points
- Since it normally does not appear, do not make it the centerpiece of a detection rule. Scrutinize the origin only in the unlikely event it is observed.
Notes for log review
- It is effectively never recorded, so it is low priority for review. Being aware it exists is enough.
Key fields
No specific fields are documented.