
Entra ID Device with ROADtools Default OS Build (Entity Analytics)
Elastic Detection Rules
Summary
This rule detects the first observed Entra ID (Azure AD) device in the Entity Analytics inventory whose host name matches the default ROADtools pattern (DESKTOP-<8 chars>) and whose OS build is 10.0.19041.928. ROADtools uses this default OS build and naming convention when registering devices, and a rogue device registered this way may be used to obtain a Primary Refresh Token (PRT) and persist token-based access. The alert fires on the first match within the Entra ID Entity Analytics device dataset, so it indicates a newly observed device in the inventory rather than a real-time registration event.

The rule is intended to be high-fidelity, but because it depends on a known default build and naming pattern it carries an inherent evasion risk; baselines and approved device inventories should be used to validate matches and tune exceptions.

Triage steps include cross-referencing host.name, host.os.version, entityanalytics_entra_id.device.display_name and entityanalytics_entra_id.device.id together with the registration metadata, correlating with Azure AD device registration events and sign-ins, and potentially cross-checking with other related rules that cover ROADtools activity. Remediation includes removing the device, revoking tokens, resetting credentials, and tightening device registration controls through Conditional Access and MFA requirements.

Expected false positives are unmanaged or imaged Windows 10 20H1 hosts that share the same fingerprint, and authorized security engagements that use ROADtools; both should be handled as exceptions.
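The matching and first-seen logic described above, as an added Python illustration rather than the rule's own query: it evaluates constructed Entity Analytics device records, alerts once per device id, and honours an approved-device allowlist for the exceptions the summary recommends. The restriction of the 8 characters to alphanumerics is an assumption made here; the page only says DESKTOP-<8 chars>.

```python
import re

# Fingerprint values stated in the rule description.
ROADTOOLS_OS_BUILD = "10.0.19041.928"
# The page says "DESKTOP-<8 chars>"; limiting those 8 chars to alphanumerics
# is an assumption made here, not something the rule text specifies.
ROADTOOLS_NAME = re.compile(r"^DESKTOP-[A-Za-z0-9]{8}$")
# Fields the rule's triage guidance names; copied into each alert.
TRIAGE_FIELDS = ("host.name", "host.os.version",
                 "entityanalytics_entra_id.device.display_name",
                 "entityanalytics_entra_id.device.id")

def matches_roadtools_fingerprint(doc):
    """True when a device document carries the default ROADtools fingerprint."""
    return (bool(ROADTOOLS_NAME.match(doc.get("host.name", "")))
            and doc.get("host.os.version") == ROADTOOLS_OS_BUILD)

def first_seen_alerts(docs, approved_device_ids=frozenset()):
    """Emit one alert per device the first time it matches; skip approved ids."""
    # approved_device_ids stands in for the approved device inventory the rule
    # summary recommends for exceptions (authorized engagements, imaged hosts).
    seen, alerts = set(), []
    for doc in docs:
        device_id = doc.get("entityanalytics_entra_id.device.id")
        if device_id in seen or device_id in approved_device_ids:
            continue
        if matches_roadtools_fingerprint(doc):
            seen.add(device_id)
            alerts.append({f: doc.get(f) for f in TRIAGE_FIELDS})
    return alerts

def device_doc(name, build, device_id):
    """Constructed record shaped like an Entity Analytics device document."""
    return {"host.name": name, "host.os.version": build,
            "entityanalytics_entra_id.device.display_name": name,
            "entityanalytics_entra_id.device.id": device_id}

# Constructed sample inventory snapshots, not real data.
SAMPLE_DEVICES = [
    device_doc("DESKTOP-7K2PQ9XA", "10.0.19041.928", "dev-001"),   # full match
    device_doc("DESKTOP-7K2PQ9XA", "10.0.19041.928", "dev-001"),   # repeat, no 2nd alert
    device_doc("LAPTOP-ALICE", "10.0.19041.928", "dev-002"),       # build only, no alert
    device_doc("DESKTOP-AB12CD34", "10.0.22631.3296", "dev-003"),  # name only, no alert
    device_doc("DESKTOP-Q1W2E3R4", "10.0.19041.928", "dev-004"),   # match, but approved
]
APPROVED_DEVICE_IDS = frozenset({"dev-004"})
```

Running first_seen_alerts(SAMPLE_DEVICES, APPROVED_DEVICE_IDS) yields a single alert for dev-001; without the allowlist, dev-004 would alert as well.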
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
- T1098.005
Created: 2026-05-26