Query Details

DISCOVERY Obsolete Device Connecting To Entra

Query

// DISCOVERY: Obsolete device connecting to Entra
// https://www.linkedin.com/posts/activity-7222163567834230785-BgVr/

// Detect unpatched Windows 10 and 11 clients connecting to your Entra tenant via AADSTS5000611 (Symmetric Key Derivation Function version 'KDFV1' is invalid)

union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
// Keep failed sign-ins only. ResultType is a string column, so compare against "0" rather than the integer 0.
| where ResultType != "0" and ResultDescription == "Other"
// Narrow to the KDFV1 error code.
| where ResultType == "500061"
// One row per log category (interactive / non-interactive) and identity.
| distinct Category, Identity

Explanation

This query is designed to identify unpatched Windows 10 and 11 devices that are connecting to your Entra tenant and encountering a specific error related to an invalid Symmetric Key Derivation Function version (KDFV1). Here's a simplified breakdown:

  1. Data Sources: The query looks at two types of logs: SigninLogs and AADNonInteractiveUserSignInLogs.
  2. Error Filtering: It keeps only logs where the result type is not zero (a failed sign-in) and the result description is "Other".
  3. Specific Error Code: It further narrows down to logs where the result type is "500061", which corresponds to the specific KDFV1 error.
  4. Distinct Results: Finally, it selects distinct entries based on the Category and Identity fields.

In summary, this query helps you find unique instances of unpatched Windows 10 and 11 devices that are failing to connect to your Entra tenant due to an invalid key derivation function version.
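An added triage query that builds on the one above (it is not part of the original entry or the author's post): it keeps the same "500061" / "Other" filter but pulls device name, operating system and user out of DeviceDetail and summarises per device, so the output is a list of machines to patch rather than identities. It assumes the standard Microsoft Sentinel schema for the two sign-in tables, where DeviceDetail is a dynamic column in SigninLogs but a JSON string in AADNonInteractiveUserSignInLogs.

```kql
// Added example (not from the original entry): per-device triage of the KDFV1 failures.
// Assumes the Microsoft Sentinel schema for SigninLogs and AADNonInteractiveUserSignInLogs;
// "500061" is the error code the catalogue query above filters on.
let kdfErrorCode = "500061";
let lookback = 14d;
// Interactive sign-ins: DeviceDetail is already a dynamic column.
let interactive = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == kdfErrorCode and ResultDescription == "Other"
    | project TimeGenerated, Category, UserPrincipalName, AppDisplayName,
              DeviceId   = tostring(DeviceDetail.deviceId),
              DeviceName = tostring(DeviceDetail.displayName),
              DeviceOS   = tostring(DeviceDetail.operatingSystem);
// Non-interactive sign-ins: DeviceDetail is stored as a JSON string, so parse it first.
// Projecting both sides to identical columns before the union avoids the type-suffixed
// columns (DeviceDetail_string / DeviceDetail_dynamic) that a raw union of the tables yields.
let noninteractive = AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == kdfErrorCode and ResultDescription == "Other"
    | extend Device = todynamic(DeviceDetail)
    | project TimeGenerated, Category, UserPrincipalName, AppDisplayName,
              DeviceId   = tostring(Device.deviceId),
              DeviceName = tostring(Device.displayName),
              DeviceOS   = tostring(Device.operatingSystem);
union interactive, noninteractive
| summarize Failures   = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Users      = make_set(UserPrincipalName, 10),
            Apps       = make_set(AppDisplayName, 10),
            Categories = make_set(Category)
    by DeviceId, DeviceName, DeviceOS
| order by Failures desc
```

Rows with an empty DeviceId are sign-ins from unregistered devices; those need to be traced through the user instead.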

Details


Steven Lim

Released: August 2, 2024

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

Devices, Entra, Windows, Clients, Tenant

Operators

union, isfuzzy, where, !=, ==, distinct
