Connection to from local port 3389

Stef Collart


While looking for inbound RDP connections coming from external devices, I noticed one log entry that is described in the table below.

I can find a lot of information about a connection made to/from (without aad in front) during the Windows Autopilot Deployment.

Either the Microsoft domain makes a connection to the device on the default RDP port (3389). If so, why?


The device makes a connection to the Microsoft domain with the default RDP port (3389) as local port. The reason why I think this is because the device timeline events seem to indicate that the connection initiation is done by the device and not the remote domain. However, when a device makes a TCP/IP connection, it should use a random high port (Microsoft documentation). Older OSes don't use a high port, but this device is W10, so that doesn't apply.

Advanced Hunting table: DeviceNetworkEvents

| Column name | Value |
| --- | --- |
| ActionType | ConnectionSuccess |
| RemotePort | 443 |
| LocalIP | 10.x.x.x |
| LocalPort | 3389 |

Can anybody provide an explanation on why this connection happens? Why is it using port 3389?

My colleagues and I cannot figure out what exactly causes this.

Best regards,



1 answer

  1. Wesley Li


    Based on the information you provided, we can see that the local device appears to have initiated a connection from port 3389 to the Azure AD server (via HTTPS port 443). This substandard network behavior may be due to a specific configuration or software behavior.

    To investigate this further, consider the following steps:

    Confirm device status: Check whether the device is running the RDP service and whether a connection should be initiated from this port.

    Check software configuration: See if any software or services on your device are configured to use port 3389 for outbound connections.

    View network traffic: Use network monitoring tools to observe network traffic on the device to see if there are other unusual connections or behaviors.

    Check for security events: Check the security log or event viewer to see if there are any security warnings or errors related to this connection.

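A hunting query for the checks listed in the answer, added here as an example that is not part of the original thread: it takes every DeviceNetworkEvents row with LocalPort 3389 and separates real inbound RDP from outbound connections that merely used 3389 as their source port, together with the process that opened them. The 30-day lookback, the Direction labels and the reading of each ActionType value are assumptions of this example.

```kql
// Added example, not from the original thread.
// Assumption: ConnectionSuccess / ConnectionFailed / ConnectionRequest are
// recorded for connections initiated by the device, InboundConnectionAccepted
// for connections it accepted, ListeningConnectionCreated for a local listener.
let rdpPort = 3389;
DeviceNetworkEvents
| where Timestamp > ago(30d)              // assumed lookback window
| where LocalPort == rdpPort
| extend Direction = case(
    ActionType == "InboundConnectionAccepted", "inbound-to-3389",
    ActionType == "ListeningConnectionCreated", "listener-on-3389",
    ActionType in ("ConnectionSuccess", "ConnectionFailed", "ConnectionRequest")
        and RemotePort != rdpPort, "outbound-from-3389",
    "other")
// One row per device, direction and initiating process, so the software
// that actually owns the socket is visible next to the destination.
| summarize
    Events     = count(),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    RemoteUrls = make_set(RemoteUrl, 20),
    RemoteIPs  = make_set(RemoteIP, 20)
    by DeviceName, Direction, ActionType, RemotePort,
       InitiatingProcessFileName, InitiatingProcessCommandLine
| order by DeviceName asc, Direction asc, Events desc
```

Rows labelled outbound-from-3389 match the entry in the question; if no listener-on-3389 or inbound-to-3389 rows exist for the same device, the port number in that entry was only the source port of an HTTPS connection and not an RDP session.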