Event ID 4910 - Group policy settings were changed for TBS.
|Description||This event logs every change made to the TPM configurations through Group Policy object settings.|
|Subcategory||Other Policy Change Events|
Trusted Platform Module (TPM) and Trusted Base Services (TBS) provide an interface to manage the TPM chip mounted on the computer for hardware authentication. These services can be controlled by Group Policy settings or Local Policy settings. The Group Policy settings for TPM are located in: Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\.
Reasons to monitor this event:
The TBS Group Policy settings list the TPM commands (a.k.a. ordinals) that Windows blocks to ensure the integrity of operations. The event logs the following information:
|Old blocked ordinals||Commands blocked before this event|
|New blocked ordinals||Commands blocked after this event|
If the settings are disabled, Windows will block the list of commands in the default list or local list. Modifying these settings can lead to the following changes:
|Ignore the default list of blocked TPM commands||<Old value>|
|Ignore the local list of blocked TPM commands||<Old value>|
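One way to triage these fields, as an added example that is not part of the original page: the check below takes the values this event logs, already extracted into a dictionary, and reports whether the change removed ordinals from the block list or turned on either "ignore" setting. The dictionary layout, the comma-separated ordinal format and the Enabled/Disabled value strings are assumptions, and the sample record is constructed.

```python
# Added example: decide whether an Event ID 4910 change weakens TPM command
# blocking. Record layout and value formats are assumptions, not a log schema.

IGNORE_SETTINGS = (
    "Ignore the default list of blocked TPM commands",
    "Ignore the local list of blocked TPM commands",
)

def parse_ordinals(text):
    """Parse a blocked-ordinal list (assumed comma- or space-separated)."""
    tokens = (text or "").replace(",", " ").split()
    return {int(t, 0) for t in tokens}  # base 0 accepts decimal and 0x hex

def is_enabled(value):
    return str(value).strip().lower() in {"enabled", "true", "1", "yes"}

def review_4910(record):
    """Return (kind, detail) findings; kind is 'weakened' or 'tightened'."""
    findings = []
    old = parse_ordinals(record.get("Old blocked ordinals"))
    new = parse_ordinals(record.get("New blocked ordinals"))
    if old - new:
        findings.append(("weakened", f"no longer blocked: {sorted(old - new)}"))
    if new - old:
        findings.append(("tightened", f"newly blocked: {sorted(new - old)}"))
    for name in IGNORE_SETTINGS:
        # Each setting is assumed to be stored as an (old value, new value) pair.
        old_v, new_v = record.get(name, (None, None))
        if is_enabled(new_v) and not is_enabled(old_v):
            # Ignoring a list means Windows stops blocking the commands on it.
            findings.append(("weakened", f"'{name}' turned on"))
        elif is_enabled(old_v) and not is_enabled(new_v):
            findings.append(("tightened", f"'{name}' turned off"))
    return findings

def needs_alert(record):
    """Alert when any part of the change reduces what Windows blocks."""
    return any(kind == "weakened" for kind, _ in review_4910(record))

# Constructed sample record (not taken from a real log).
SAMPLE = {
    "Old blocked ordinals": "10, 12, 33",
    "New blocked ordinals": "10, 33, 40",
    "Ignore the default list of blocked TPM commands": ("Disabled", "Enabled"),
    "Ignore the local list of blocked TPM commands": ("Disabled", "Disabled"),
}

if __name__ == "__main__":
    for kind, detail in review_4910(SAMPLE):
        print(f"{kind}: {detail}")
```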
- ADAudit Plus helps you avoid GPO monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain or OU.
- The advanced Group Policy settings real-time audit reports emphasize the elusive details in changes made and give a detailed report on the modifications along with the old and new values of the attributes.
Event 4910 applies to the following operating systems:
- Windows Server 2008 R2 and 7
- Windows Server 2012 R2 and 8.1
- Windows Server 2016 R2 and 1
Related events - Event ID 4909 logs the changes made to TPM configuration through local policy settings.