Hunt for RDP sessions to unmanaged and non TPM devices
Hunt Devices Doing Rdp To Non Tpm Device
Query
let no_tpm_devices = (
ExposureGraphNodes
// Get device nodes with their inventory ID
| where NodeLabel == "device"
| mv-expand EntityIds
| where EntityIds.type == "DeviceInventoryId"
// Get interesting properties
| extend OnboardingStatus = tostring(parse_json(NodeProperties)["rawData"]["onboardingStatus"]),
TpmSupported = tostring(parse_json(NodeProperties)["rawData"]["tpmData"]["supported"]),
TpmEnabled = tostring(parse_json(NodeProperties)["rawData"]["tpmData"]["enabled"]),
TpmActivated = tostring(parse_json(NodeProperties)["rawData"]["tpmData"]["activated"]),
DeviceName = tostring(parse_json(NodeProperties)["rawData"]["deviceName"]),
DeviceId = tostring(EntityIds.id)
// Search for distinct devices
| distinct DeviceId, DeviceName, OnboardingStatus, TpmSupported, TpmEnabled, TpmActivated
// Get Unmanaged devices and device not supporting a TPM
| where OnboardingStatus != "Onboarded" or (TpmSupported != "true" and TpmActivated != "true" and TpmEnabled != "true")
| extend TpmSupported = iff(TpmSupported == "", "unknown", TpmSupported),
TpmActivated = iff(TpmActivated == "", "unknown", TpmActivated),
TpmEnabled = iff(TpmEnabled == "", "unknown", TpmEnabled)
);
let no_tpm_device_info = (
DeviceNetworkInfo
| where Timestamp > ago(7d)
// Get latest network info for each device ID
| summarize arg_max(Timestamp, *) by DeviceId
| mv-expand todynamic(IPAddresses)
| extend IPAddress = tostring(IPAddresses.IPAddress)
// Find no TPM devices and join with their network information
| join kind=inner no_tpm_devices on DeviceId
| project DeviceId, DeviceName, MacAddress, IPAddress, OnboardingStatus, TpmActivated, TpmEnabled, TpmSupported
);
DeviceNetworkEvents
// Search for RDP connections to non-tpm devices
| where Timestamp > ago(1h)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 3389
// Exclude MDI RDP Connections (known for NNR)
| where InitiatingProcessFileName !~ "microsoft.tri.sensor.exe"
| join kind=inner no_tpm_device_info on $left.RemoteIP == $right.IPAddress
| project-rename RemoteDeviceId = DeviceId1, RemoteDeviceName = DeviceName1, RemoteMacAddress = MacAddress, RemoteDeviceOnboardingStatus = OnboardingStatus, RemoteDeviceTpmActivated = TpmActivated, RemoteDeviceTpmEnabled = TpmEnabled, RemoteDeviceTpmSupported = TpmSupported
| project-away IPAddressAbout this query
Explanation
This query is designed to identify Remote Desktop Protocol (RDP) sessions that are being established to devices that are either unmanaged or do not have a Trusted Platform Module (TPM) enabled or supported. This is important because such devices may not securely store authentication credentials, posing a security risk, especially when using Windows Hello for Business.
Here's a simplified breakdown of what the query does:
-
Identify Devices Without TPM:
- The query first identifies devices that are either not managed (not onboarded) or do not support TPM (Trusted Platform Module), which is crucial for securing cryptographic operations.
- It extracts relevant properties such as device name, onboarding status, and TPM status (supported, enabled, activated).
-
Gather Network Information:
- It retrieves the latest network information for these devices over the past 7 days, including IP addresses and MAC addresses.
-
Detect RDP Connections:
- The query then looks for successful RDP connections (port 3389) made in the last hour.
- It excludes connections initiated by a known Microsoft process (
microsoft.tri.sensor.exe) to avoid false positives.
-
Match RDP Connections to Non-TPM Devices:
- It matches these RDP connections to the previously identified non-TPM devices using their IP addresses.
- The result includes details about the remote device such as its ID, name, MAC address, onboarding status, and TPM status.
This query helps in identifying potential security risks by flagging RDP sessions to devices that might not securely handle authentication credentials due to the lack of TPM support.
Details

Robbe Van den Daele
Released: April 26, 2025
Tables
Keywords
Operators