RealmJoin Docs

After installing the RealmJoin client on the device, a configuration is saved locally. This configuration is encrypted and can not be modified by the user. RealmJoin compares the hash value of the local configuration to the hash value of the configuration for this user on the backend. If the hash deviats, the confifguration is re-synced from the server to the local device. The configuration is signed with the servers public key, therefore the local RealmJoin client can validate the configuration.

Delivery Optimization for Windows Update

Windows Update Delivery Optimization, or WUDO is a self organised solution for distributed caches for Windows Updates. In default mode, WUDO identifies peers as part of a WAN based on their external IP. In case of streched out WANs with just one breakout point, this leads to a high network load and a bottleneck. To improve the handling, Microsoft Intune can be used to set WUDO to download mode 2, where peers are grouped by a groupID. The ID is set for each device using network fingerprinting and the MAC address of the default gateway and therefore creating a more localized group. RealmJoin is used to set the groupID for each client.

Two registry keys are updated when the mode 2 delivery optimization is used:

Set Download Mode = 2


Network-Fingerprint-GUID in Reg-Key


If WUDO is activated on a device using BranchCache, WUDO is used for Windows Updates over WSUS with BranchCache.
For a more on WUDO see the Microsoft WUDO documentation (DE).


Bitlocker enforcement

It is possible to force Bitlocker encryption for OS volumes. The configuration file (see chapter Policies) allows to set the switch BitlockerEnabled to true. If the device is equipped with a ready state TPM chip the encryption is activated. To allow the Bitlocker enforcement, the registry key HKLM\SYSTEM\CurrentControlSet\Control\BitLocker:PreventDeviceEncryption is set to false. For virtual machines the encryption is only enforced, if the virtual machine variable $env:RjDisableVmDetection=1 is set.

Bitlocker recovery key

If the client device is Azure AD joined, RealmJoin uploads the Bitlocker recovery key to Azure AD. If the upload is not successfull in the first try, it will be retried. If the upload can not be performed successfully, the RealmJoin rollout failed. In case of a not-AAD-joined device, the Bitlocker recovery key is not secured.

Domain Passwort expiry

RealmJoin uses the Azure AD attribute msDS-UserPasswordExpiryTimeComputed to check if the user passwort is expired.

Other Configuration Settings



The IsPrimaryOfUser attribute is set when the RealmJoin client on the device contacts the backend for the first time. The user who is signed on during this process is registered as primary user of the device. Mandatory packages will only be installed when the primary user is logged in. If the makeAdmin property is set in the user/group settings, the primary user is promoted to administrator. It is possibly to manually set another user to the primary of the device. If a device is decomissioned and given another user without changing the primary, the old primary user might persist in the backend.


RealmJoin provides Outlook with signature files. Those files can be found in:

The following fields for signatures are extracted from the Microsoft Graph API and may be used: