Entra ID Device Registration with ROADtools Default OS Build

Elastic Detection Rules

Summary
This rule detects a Microsoft Entra ID (Azure AD) device registration event that uses the ROADtools (roadtx) defaults: a CloudDeviceOSVersion of 10.0.19041.928 and a CloudDisplayName beginning with DESKTOP-. Because ROADtools uses this OS build and naming pattern when provisioning a device, such registrations can indicate rogue device enrollment intended to obtain a Primary Refresh Token (PRT), establish persistence, and gain trusted access to the tenant. Although high-fidelity, the indicator is evadable, and legitimate provisioning baselines and default images can produce the same values.

The rule matches an Add device operation initiated by the Device Registration Service whose modified properties carry that OS version and display name. Investigation should correlate the initiating user, the registration flow, and the source IP, and pivot across related logs (sign-ins, correlation IDs) to confirm persistence or token-based access.

False positives include legitimately imaged Windows 10 20H1 devices that share the same OS build and default name, and authorized ROADtools engagements, which should be added as exceptions. Remediation entails removing the device, revoking tokens, reviewing the user, and tightening device registration controls (e.g., Conditional Access and MFA requirements).
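As an added example (not code from the Elastic rule or the ROADtools project), the following Python applies the rule's conditions to constructed audit events shaped like Microsoft Graph directoryAudit records, then emits the pivot keys (user, source IP, correlation ID) the summary says to investigate and drops users on an authorised-engagement exception list. The Graph field names are an assumption about that schema, and every user, IP, device name and correlation ID is invented.

```python
import json
# Defaults the rule keys on (values taken from the rule description above).
ROADTX_OS_VERSION = "10.0.19041.928"
ROADTX_NAME_PREFIX = "DESKTOP-"
def _event(corr, activity, upn, ip, os_version, name):
    """Constructed directoryAudit-style record (Graph field names assumed, all values invented)."""
    return {"correlationId": corr, "activityDisplayName": activity,
            "initiatedBy": {"app": {"displayName": "Device Registration Service"},
                            "user": {"userPrincipalName": upn, "ipAddress": ip}},
            "targetResources": [{"type": "Device", "modifiedProperties": [
                {"displayName": "CloudDeviceOSVersion", "newValue": json.dumps(os_version)},
                {"displayName": "CloudDisplayName", "newValue": json.dumps(name)}]}]}

# Constructed samples: a roadtx-looking registration, an ordinary device, and a non-Add operation.
SAMPLE_EVENTS = [
    _event("c-001", "Add device", "alice@example.test", "203.0.113.10", "10.0.19041.928", "DESKTOP-A1B2C3D"),
    _event("c-002", "Add device", "bob@example.test", "198.51.100.7", "10.0.22631.3296", "LAPTOP-BOB"),
    _event("c-003", "Update device", "carol@example.test", "192.0.2.5", "10.0.19041.928", "DESKTOP-ZZZ"),
]
def modified_props(event):
    """Flatten modifiedProperties to {displayName: newValue}; Graph JSON-encodes newValue, so decode strings."""
    props = {}
    for res in event.get("targetResources", []):
        for mp in res.get("modifiedProperties", []):
            raw = mp.get("newValue")
            try:
                decoded = json.loads(raw)
            except (TypeError, ValueError):
                decoded = raw  # plain (non-JSON) string: use as-is
            props[mp.get("displayName")] = decoded if isinstance(decoded, str) else raw
    return props
def matches_roadtx_defaults(event):
    """Add device by the Device Registration Service carrying the roadtx default OS build and a DESKTOP- name."""
    app = event.get("initiatedBy", {}).get("app", {}).get("displayName")
    if event.get("activityDisplayName") != "Add device" or app != "Device Registration Service":
        return False
    props = modified_props(event)
    return (props.get("CloudDeviceOSVersion") == ROADTX_OS_VERSION
            and str(props.get("CloudDisplayName") or "").startswith(ROADTX_NAME_PREFIX))
def triage(events, authorised_users=frozenset()):
    """Pivot keys (user, source IP, correlationId, device) per hit; users on the authorised-engagement list are skipped."""
    hits = []
    for ev in events:
        user = ev.get("initiatedBy", {}).get("user", {})
        if not matches_roadtx_defaults(ev) or user.get("userPrincipalName") in authorised_users:
            continue
        hits.append({"user": user.get("userPrincipalName"), "ip": user.get("ipAddress"),
                     "correlationId": ev.get("correlationId"), "device": modified_props(ev).get("CloudDisplayName")})
    return hits
```

Only the first sample event is reported; the second has a different build and name, and the third is not an Add device operation.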
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
  • T1098.005
Created: 2026-05-26