Event ID 4673 for Teams.exe and msedge.exe

asked 2022-12-28T15:43:29.953+00:00
Brandon Hofmann 121 Reputation points

We have turned on auditing for Sensitive Privilege Use (both Success and Failure), per STIG V-220770. However, this has led to hundreds of Audit Failures per minute on nearly every endpoint. When checking the Event Viewer I see it's mainly for Teams and Edge (errors below).

These logs are filling up a lot of space in Splunk, and so our security asked us to track down the cause. I've seen this come up a lot online, but the only real solution I've seen is to turn off auditing, but that will then flag us for not following STIG.

Hoping someone has found a proper resolution to this issue, thank you!

Teams

A privileged service was called.

Subject:
Security ID: domain\user (omitted for security)
Account Name: user
Account Domain: domain
Logon ID: 0x13FE27

Service:
Server: Security
Service Name: -

Process:
Process ID: 0x3e54
Process Name: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe

Service Request Information:
Privileges: SeProfileSingleProcessPrivilege

Edge

A privileged service was called.

Subject:
Security ID: domain\user (omitted for security)
Account Name: user
Account Domain: domain
Logon ID: 0x13FE27

Service:
Server: Security
Service Name: -

Process:
Process ID: 0x5a98
Process Name: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Service Request Information:
Privileges: SeProfileSingleProcessPrivilege


1 answer

  1. answered 2023-01-18T19:16:09.68+00:00
    Brandon Hofmann 121 Reputation points

    Just wanted to provide an update - had a ticket with Microsoft, below is their exact response. So it seems there is no fix, and ignoring it is basically our best option.

    Here is the information that I wanted to discuss with you today:
    After researching the issue, my team and I have found that this is a known issue that is not unique to Teams or Edge. This issue occurs with Chrome and Chromium applications. The issue occurs with Chromium-based applications if their default configurations are changed.

    At this time, there are three options to move forward:

    1. You can permit SeProfileSingleProcessPrivilege for users.
    2. You can disable the failure audits.
    3. You can continue to monitor with the high volume of events being generated.
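An added example, not part of the original post or of Microsoft's reply: a Python triage pass over exported 4673 messages that counts the Chromium-based `SeProfileSingleProcessPrivilege` events described in this thread and keeps every other 4673 event for review. The function names, the `CHROMIUM_IMAGES` list and the sample events are assumptions constructed for illustration; matching requires both the image name and the privilege, so a 4673 event for any other privilege is never counted as noise.

```python
import re
from collections import Counter

# Assumption: image names treated as Chromium-based. Teams.exe and msedge.exe
# come from the events in the question; chrome.exe is added for Chrome.
CHROMIUM_IMAGES = {"teams.exe", "msedge.exe", "chrome.exe"}
NOISY_PRIVILEGE = "SeProfileSingleProcessPrivilege"

PROC = re.compile(r"^[ \t]*Process Name:[ \t]*(.*)$", re.M)
# Privileges may span several lines: capture up to the next blank line.
PRIVS = re.compile(r"Privileges:(.*?)(?:\n[ \t]*\n|\Z)", re.S)

def parse_4673(message):
    """Extract process path, image name and privilege list from one message."""
    proc = PROC.search(message)
    privs = PRIVS.search(message)
    path = proc.group(1).strip() if proc else ""
    return {
        "process": path,
        "image": path.rsplit("\\", 1)[-1].lower(),
        "privileges": privs.group(1).split() if privs else [],
    }

def is_known_noise(event):
    """True only if the image matches AND the sole privilege is the noisy one."""
    return event["image"] in CHROMIUM_IMAGES and event["privileges"] == [NOISY_PRIVILEGE]

def triage(messages):
    """Return (noise count per image, list of events that still need review)."""
    noise, review = Counter(), []
    for message in messages:
        event = parse_4673(message)
        if is_known_noise(event):
            noise[event["image"]] += 1
        else:
            review.append(event)
    return noise, review

def make_message(process, privileges):
    """Build a constructed 4673 message in the layout shown in the question."""
    return ("A privileged service was called.\n\nSubject:\nAccount Name: user\n\n"
            f"Process:\nProcess ID: 0x3e54\nProcess Name: {process}\n\n"
            f"Service Request Information:\nPrivileges: {privileges}\n")

SAMPLE = [
    make_message(r"C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe", NOISY_PRIVILEGE),
    make_message(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", NOISY_PRIVILEGE),
    make_message(r"C:\Example\tool.exe", "SeTcbPrivilege"),  # placeholder path
]
```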