RealmJoin Docs

Administrative users have access to the RealmJoin administrator console. As RealmJoin is highly compatible with Microsoft Intune and Microsoft Azure, it incorporates the same group based user and policy management experience and uses the Azure AD defined groups as basis for software deployment. The default interval for group synchronization between Azure AD and RealmJoin is 15 minutes, while only groups with a defined prefix are taken into consideration. Only groups with at least one assigned user are syncronized, and the syncronization interval can be adjusted.

User Client

The RealmJoin client is enrolled on evey Windows 10 device. RealmJoin seamlessly fits into the modern workplace with its focus on user self-service and mobility. Using the RealmJoin client module, the user may install provided software, get basic information on the device and membership in the tenant domain wihout the need of contact an IT administrative.

Initial Start

When RealmJoin is enrolled and started for the first time, it asks for the User-Identity and then calls to the cloud Service for a policy.


RealmJoin “Security Requirement” assessment does some pre-checks (Encryption, Patch Level, Firewall, Anti-Virus, etc. – this is optional and can be replaced in parts by Intune-Health-Check).

RJ Sec Check

If no error ocurs during deployment, RealmJoin is ready to use.

Client usage

After being successfully installed, RealmJoin is automatically started on the user login and is permanent active in the background. It is represented with an ID card icon. Clicking on the icon opens up the RealmJoin client menu. It contains basic information in the lower and a number of links in the upper part. The selector Software Packages opens a second context menu with all the software packages that are allocated to the user.

RJ Tray

If a user wishes to install any of the listed software, he/she is only required to select the package to start the installation.

RJ Add Package

The installation mode depends on the packages selected: If those are only user mode packages, they are installed immediately. In case of a higher permission level, RealmJoin starts a service (realmjoinservice.exe) and installs the packages with the SYSTEM user account.

Debug Modus

If neccessary, a debug window can be opened by clicking on the RealmJoin icon while pressing Shift+Strg on the keyboard. This reveals a new entry in the context menu listed as Show Debug Window. This window offers seven different diagnostic tools. If a device is not able to be addressed by the server or can not connect to the backend, this tool will provide the user with the tools for the first steps of diagnosis. Another new tray menu entry showing up in debug mode is Retry base installation, which allows the user to reinstall the RealmJoin client. Additionally, when the client tray menu is opened in debug mode, all packages are shown with the package version number.

RJ Debug Menu

Collect Logs is a quick way to access all log files, which will be saved in a zip-file to the users desktop. See chapter troubleshooting for a detailed description of the RealmJoin debug window and its features.

Admin Console

Device provisioning and RealmJoin configuration is done with the RealmJoin Admin Console. Designed to mirror the style of the new Microsoft administration services, it is the main tool for the management of the RealmJoin clients and users. The web application can be reached under

RJ Dashboard

The dashboard provides a quick and beneficial overview. All sections can be accessed by either clicking on the corresponding number or selecting the section in the toolbar on the left.


RJ clientsicon
The clients tab gives you a transparent overview over all enrolled devices as well as the respective primary user. To enter the devices’ states (see section States) or associate users, just click on the green numbers on the right.


RJ rj-ac-usersicon
A list of all users assigned to the tenant. The selectable details on the right include states, group membership, installed software packages, client devices and (to come…) individual settings. Users can’t be added or assigned to groups using RealmJoin, the management of users and groups has to be done in Azure AD. Selecting a user opens up the users detail page, which contains information gathered by RealmJoin using the Microsoft Graph API.

User settings

RJ usersettingsicon
Configurable group settings and policies. See chapter Policies for a list of implemented features.


RJ rj-ac-groupsicon
All in this tenant registered user groups. RealmJoin syncronizes groups from Azure Active Directory into the RealmJoin backend. The details on the right contain users within the individual group, packages that are assigned to a group as well as group settings. Since not all users in Azure AD might be equipped with RealmJoin, only a specified range of groups are transfered into RealmJoin (depending on the group name…..). The groups can not be added or altered within RealmJoin, therefore the group naming conventions have to be established in advance.

While there are not strict naming pattern requirements in RealmJoin, we recommend the following convention:




The synchronization time schedule and the prefixes that are taken into account might be configured from the settings control panel or individually implemented by the developer.

User settings

RJ rj-ac-groupsettingsicon
Configurable group settings and policies. See chapter Policies for a list of implemented features.

Software Packages

RJ rj-ac-packagesicon
A list of all added packages. The detail list contains the package version, install order, auto upgradibility and user/group assignment.

Add packages

The administrator is able to add created craft and choco packages to RealmJoin using the Add Choco / Add Craft buttons. This open the package setup window.

RJ rj-ac-packages

There are two ways to add the neccessary information: Entering the required fields Name, Version, Chocolatey Package ID (Chocolatey packages only), ID (Chocolatey Package ID and ID are usually similar), Location, Hash and Scope (all three craft packages only) manually or pasting the JSON code, which can be found in the corresponding package repository (pipeline).

RJ package-json-pipeline

While adding a package the following configuration entries are available:

NOTE: Do not edit assigned packages in the way, that you change the package name or ID (version number is fine). If you need a package in a different flavour, please add a new package and delete the obsolete one.

Assign Packages

Similar to the profile management with Microsoft Azure AD, packages can be assigned to groups and individual users. To assign a package, enter the group or user detail for the package in the package control panel. There are four options to override the package configuration when assigning, if in conflict with the package settings, the assignment settings override:

RJ rj-ac-packageoverrides


RJ rj-ac-statesicon
The states detail of the client or user control panel provides a list of the devices of the user and how frequent data was upstreamed. The Branch Cache column indicates, how much this client has contributed to the package distribution over the Branch Cache feature (see chapter Infrastructure). Selecting the white arrow in the green circle gives away the complete upstream file. It contains all the information about the device, OS, Defender Pattern States and installed packages that are transfered to the backend, where some of it is evaluated.

RJ rj-ac-states


List of states

Information on the Windows Device:
  "Type": "win",
  "ClientID": "75cf4d56-0676-ae02-73ad-a1af9b89f269",
  "VersionTray": "4.9.15-canary+14869.bf207295",
  "VersionService": "4.9.15-canary+14869.bf207295",
  "OperatingSystem": {
    "Name": "Windows 10 Enterprise",
    "Edition": "Enterprise",
    "CompositionEdition": "Enterprise",
    "Version": "10.0.14393.0",
    "ReleaseID": "1607",
    "BuildBranch": "rs1_release",
    "Build": 14393,
    "BuildRevision": 0,
    "InstallDate": "2017-08-16T12:53:01Z",
    "Bits": 64,
    "Activated": false
  "MachineName": "DESKTOP-VH66R7X",
  "DomainName": "LEGACYDOMAIN",
  "JoinedDomainName": "legacydomain.local",
  "HostName": "DESKTOP-VH66R7X",
  "Timestamp": "2017-09-14T07:07:39.2543111+00:00",
  "User": {
    "LocalName": "JONDOE",
    "LocalLogonAt": "2017-09-14T07:07:06.3167385+00:00",
    "IsAdministrator": false
  "Firewall": {
    "ProfileStates": [
  "AvProducts": {
    "Installed": [
        "Name": "Windows Defender",
        "State": 397568,
        "Details": {
          "AMEngineVersion": "1.1.14003.0",
          "AMProductVersion": "4.10.14393.0",
          "AMServiceEnabled": true,
          "AMServiceVersion": "4.10.14393.0",
          "AntispywareEnabled": true,
          "AntispywareSignatureAge": 29,
          "AntispywareSignatureLastUpdated": "2017-08-15T14:37:45+00:00",
          "AntispywareSignatureVersion": "1.249.1077.0",
          "AntivirusEnabled": true,
          "AntivirusSignatureAge": 29,
          "AntivirusSignatureLastUpdated": "2017-08-15T14:37:46+00:00",
          "AntivirusSignatureVersion": "1.249.1077.0",
          "BehaviorMonitorEnabled": true,
          "ComputerID": "829DE85B-7B39-4093-85F1-6AEF62AC65DD",
          "ComputerState": 0,
          "FullScanAge": 4294967295,
          "FullScanEndTime": null,
          "FullScanStartTime": null,
          "IoavProtectionEnabled": true,
          "LastFullScanSource": 0,
          "LastQuickScanSource": 0,
          "NISEnabled": true,
          "NISEngineVersion": "2.1.13804.0",
          "NISSignatureAge": 0,
          "NISSignatureLastUpdated": "2017-09-14T07:06:25.604+00:00",
          "NISSignatureVersion": "",
          "OnAccessProtectionEnabled": true,
          "QuickScanAge": 4294967295,
          "QuickScanEndTime": null,
          "QuickScanStartTime": null,
          "RealTimeProtectionEnabled": true,
          "RealTimeScanDirection": 0,
          "PSComputerName": null
  "Bitlocker": {
    "DriveStates": [
        "ComputerName": "DESKTOP-VH66R7X",
        "MountPoint": "C:",
        "EncryptionMethod": 0,
        "AutoUnlockEnabled": null,
        "AutoUnlockKeyStored": null,
        "MetadataVersion": 0,
        "VolumeStatus": 0,
        "ProtectionStatus": 0,
        "LockStatus": 0,
        "EncryptionPercentage": 0,
        "WipePercentage": 0,
        "VolumeType": 0,
        "CapacityGB": 59.50976,
        "KeyProtector": []
  "OsUpdates": {
    "RefreshTime": "2017-08-16T14:38:44.1388364+00:00",
    "PendingUpdates": {},
    "Settings": {
      "DeferQualityUpdates": 1,
      "DeferQualityUpdatesPeriodInDays": 21,
      "BranchReadinessLevel": 32,
      "DeferFeatureUpdates": 1,
      "DeferFeatureUpdatesPeriodInDays": 60
  "BranchCache": {
    "DataCacheCurrentActiveCacheSize": 1424903614,
    "CurrentClientMode": "DistributedCache"
  "Chocolatey": {
    "RequiredVersion": "0.10.3",
    "InstalledVersion": "0.10.3",
    "Status": "Ready"
  "SoftwarePackages": {
    "Installed": [
        "ID": "chocolatey",
        "Version": "0.10.3",
        "ArgsHash": null
        "ID": "realmjoin-core.extension",
        "Version": "",
        "ArgsHash": null
        "ID": "contoso-adobe-reader-dc-classic",
        "Version": "15.6.30306.0",
        "ArgsHash": null
        "ID": "contoso-fonts",
        "Version": "",
        "ArgsHash": null
        "ID": "contoso-microsoft-office-2016-proplus-x64-en-de",
        "Version": "",
        "ArgsHash": null
        "ID": "contoso-office-templates-de",
        "Version": "",
        "ArgsHash": null
  "DeliveryOptimization": {
    "DefaultGatewayDiscovered": null,
    "GroupID": "00099099-0000-0000-0000-802cc8f1c3bd"

Package upload

RJ rj-ac-uploadericon
To request new packages to be provided by G&K, use the uploader in the RealmJoin admin console. Please provide the necessary binaries as well as all installation requirements and additional information as a Readme.txt. After submitting the information (please do not forget a contact person!), you will be able to upload your zip file containing the binaries and the additional information. This will trigger a packaging request in the G&K ticketing system.

RJ rj-ac-uploader