Available RealmJoin Policies

The following article shows you a list of possible RealmJoin Client settings/policies. These can be configured and assigned per user or group.

Allow users to access RealmJoin LAPS for their devices

Users may access different LAPS types for devices owned by visiting the RealmJoin portal.

Key

Allow.SelfLAPS

Value

"true"|"false"

or per account type

{
  "EmergencyAccount": true,
  "SupportAccount": true,
  "PrivilegedAccount": true
}

Allow users to access Intune LAPS for their devices

Users may access and rotate the LAPS password for their devices.

Key

Allow.SelfLAPSIntune

Value

"true"|"false"

or specifically:

{
  "CanReadPassword": true,
  "CanRotatePassword": false
}

Configure BranchCache for RJ packages

This setting changes BranchCache mode for new clients.

Key BranchCache.Mode

Value

"Distributed"|"Undefined"

Configure DomainConnect for Legacy Domains

The following settings configure DomainConnect for legacy domains.

Key DomainConnect.CredentialName

Value

"RealmJoin (domain)"

Key DomainConnect.Domain

Value

"domain.contoso.net"

Key DomainConnect.NetBIOS

Value

"contoso"

Configure RealmJoin release channel

This setting changes the user's / user group's channel with the next update of the RealmJoin Client.

Key Environment.Channel

Value

"release" | "beta" | "canary"

Configure RealmJoin ESP

Change if the default reboot after initial RealmJoin agent installation.

Key

FirstRun.AfterSuccessAction

Value

"none" | "logoff" | "restart"

Change if the RJ ESP is displayed.

If the deployment screen needs to be disabled for secondary users, the system variable $env:RjDisableSecondaryInitialDeployment = 1 has to be set before the first SU login.

Key

FirstRun.DisableDeploymentScreen

Value

"true" | "false"

Show deployment screen on restricted or secure desktop.

Key

FirstRun.EnableSecureDesktop

Value

"true" | "false"

Allow downgrade of packages

Allows downgrade of already installed applications via auto upgrade, if the version number is changed. Applies to all packages assigned to users receiving the policy via group or user settings.

Key

SoftwarePackaging.AutoUpgradeCanDowngrade

Value

"true" | "false"

AnyDesk Feature

This setting enables or disables the AnyDesk feature.

Key Integration.AnyDesk

Value

{
"Enabled": true | false,
"BootstrapperUrl": "https://.../.../AnyDesk.exe"
}

ExecutionMonitor Feature

This setting enables or disables the ExecutionMonitor Feature.

Key Integration.ExecutionMonitor

Value

{
"Enabled": true | false,
"UpdateInterval": "08:00"
}

Notifier Feature

This setting enables or disables the Notifier feature and it also activates or deactivates the editor UI.

Key Integration.Notification

Value

{
"Enabled": true | false,
"SourceUrl": "URL_PROVIDED_BY_GK",
"FallbackCulture": "en"
}

LocalAdminManagement Features

This section shows you all necessary settings for the LocalAdminManagement features. For more details about this feature read the Local Admin Password Solution article.

Key LocalAdminManagement.Inactive

Value

false

Key LocalAdminManagement.CheckInterval

Value

"00:05"

Key LocalAdminManagement.EmergencyAccount

Value

{
    "MaxStaleness": "00:45",
    "NamePattern": "ADM-{HEX:4}",
    "Display": "Local Emergency Account",
    "PasswordCharSet": "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "PasswordLength": 14
}

Key LocalAdminManagement.SupportAccount

{
    "MaxStaleness": "00:45",
    "NamePattern": "ADM-{HEX:4}",
    "DisplayName": "Local Support Administrator",
    "PasswordCharSet": "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "PasswordLength": 14,
    "OnDemand": true | false
}

Weblinks for RealmJoin Tray

The following setting generates a weblink in the tray.

Key WebLinks

Value

[
  {
    "Name": "My Azure Account",
    "Target": "https://account.activedirectory.windowsazure.com/r/#/profile",
    "Platform": "any"
  },
  {
    "Name": "Outlook Web Access",
    "Target": "https://outlook.office365.com/owa/?realm=contoso.onmicrosoft.com",
    "Platform": "any"
  }
]

Access Restrictions

Currently only LAPS is supported

Key Restrict.LAPS

Value

{
  "Admin": [
    "11-cf35-49dd-a862-123123",
    "11-2ec2-47ee-8cb8-123123"
  ],
  "Supporter": [
    "23-cf35-49dd-a862-231"
  ],
  "Deny": []
}

Attach Restriction: keys of targeted user groups. This list is inclusive: Only the listed Admin and Support groups are allowed to use LAPS. Additionally user groups can be excluded from the list.

Various Toggles

This section shows you four policies for RealmJoin.

Key Policies.DisableNetworkLocationWizard

Value

true | false

Key Policies.RequireSecurityFeatures.BitlockerEnabled

Value

true | false

Key Policies.SetCurrentUserAdministrator

Value

true | false

Key Policies.SetTimeserver

Value

["time.windows.com", "time.apple.com", "pool.ntp.org"]

Last updated 19 days ago

Was this helpful?

Good night

hashtagAllow users to access RealmJoin LAPS for their devices

hashtagAllow users to access Intune LAPS for their devices

hashtagConfigure BranchCache for RJ packages

hashtagConfigure DomainConnect for Legacy Domains

hashtagConfigure RealmJoin release channel

hashtagConfigure RealmJoin ESP

hashtagAllow downgrade of packages

hashtagAnyDesk Feature

hashtagExecutionMonitor Feature

hashtagNotifier Feature

hashtagLocalAdminManagement Features

hashtagWeblinks for RealmJoin Tray

hashtagAccess Restrictions

hashtagVarious Toggles

Allow users to access RealmJoin LAPS for their devices

Allow users to access Intune LAPS for their devices

Configure BranchCache for RJ packages

Configure DomainConnect for Legacy Domains

Configure RealmJoin release channel

Configure RealmJoin ESP

Allow downgrade of packages

AnyDesk Feature

ExecutionMonitor Feature

Notifier Feature

LocalAdminManagement Features

Weblinks for RealmJoin Tray

Access Restrictions

Various Toggles