Deploy Tailscale on Windows using MDM
This topic contains technical information which you might find useful if you are a system administrator deploying Tailscale for Windows in a corporate environment using mobile device management (MDM).
Tailscale v1.78 allows certain policy settings, such as UI customizations, to target users and devices. Tailscale v1.76 supports device system policies only.
The most recent Tailscale ADMX and ADML files that can be used with both Group Policy and MDM solutions, such as Microsoft Intune, are available from the Tailscale repository.
We are always working on providing more options for system administrators to programmatically manage their Tailscale deployments. If you are deploying Tailscale and feel the need for a specific configuration option that is currently missing in this topic, contact our support team.
Registry Values
Registry values can be set manually or via MDM solutions such as Microsoft Intune, allowing you to alter the behavior of the Tailscale client.
Registry values should be stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Tailscale registry key.
Earlier versions of Tailscale used the HKEY_LOCAL_MACHINE\Software\Tailscale IPN key. If you still have the HKEY_LOCAL_MACHINE\Software\Tailscale IPN key, move all of your custom policy settings into the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Tailscale key, and then delete the HKEY_LOCAL_MACHINE\Software\Tailscale IPN key to ensure everything is removed from the legacy registry key.
Within the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Tailscale registry key:
- The (Default) value is not used.
Optionally, several values can be created, all of which are of String type:
- The LoginURL value contains the URL of the login server. The default value is https://controlplane.tailscale.com.
- The LogTarget value contains the URL of the log server. The default value is https://log.tailscale.io.
Preference policies can be set to always, never and user-decides. If set to always or never, the options are set by the administrator and not visible in the system tray menu. If unset or set to user-decides then the option is visible in the system tray menu.
- AllowIncomingConnections controls the Allow Incoming Connections menu option
- UnattendedMode controls the Unattended Mode menu option
Visibility policies can be set to “hide” or “show”. If set to “hide” then the menu item is not visible. If set to “show” or unset, then the menu item is visible.
- AdminConsole controls the Admin Console menu item
- NetworkDevices controls the Network Devices submenu
- TestMenu controls if the test/debug menu items are visible when opening the tray menu while pressing the shift or ctrl keys.
- UpdateMenu controls the Update Tailscale menu item
Duration policies control a duration or timeout. The time can be set using units of hours and minutes. Examples:
- 168h: 1 week
- 24h: 1 day
- 1h5m: 1 hour, 5 minutes
- 30m: half hour
- Smaller time units are available but unlikely to be useful. Non-negative values accepted by the Go time.ParseDuration function are supported.
Current duration policies:
- KeyExpirationNotice controls how long before key expiry a notice is displayed. The default is 24 hours.
For a full list of the registry values you can configure, check out our MDM configuration keys list.
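A read-only PowerShell audit of the registry values described above, added here as an example and not taken from Tailscale's own tooling. It assumes it runs on the managed device with read access to HKLM; the expected URLs are the defaults stated on this page and should be replaced if your organization uses other servers, and the duration pattern only approximates what time.ParseDuration accepts.

```powershell
# Added example: read-only audit of the Tailscale policy registry key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Tailscale'
$legacyKey = 'HKLM:\Software\Tailscale IPN'

# Allowed values for each policy named on this page.
$preference = 'always', 'never', 'user-decides'
$visibility = 'hide', 'show'
$allowed = @{
    AllowIncomingConnections = $preference
    UnattendedMode           = $preference
    AdminConsole             = $visibility
    NetworkDevices           = $visibility
    TestMenu                 = $visibility
    UpdateMenu               = $visibility
}
# Assumption: replace with the servers your organization expects (page defaults shown).
$expectedUrl = @{
    LoginURL  = 'https://controlplane.tailscale.com'
    LogTarget = 'https://log.tailscale.io'
}
# Approximates non-negative Go time.ParseDuration input such as 168h, 1h5m, 30m.
$durationNames   = @('KeyExpirationNotice')
$durationPattern = '^(0|\+?(([0-9]+(\.[0-9]*)?|\.[0-9]+)(ns|us|ms|s|m|h))+)$'

$findings = @()
if (Test-Path -LiteralPath $legacyKey) {
    # Settings left here should have been moved to the Policies key.
    $findings += "Legacy key still exists: $legacyKey"
}
if (Test-Path -LiteralPath $policyKey) {
    $key = Get-Item -LiteralPath $policyKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }   # the (Default) value is not used
        # Non-string data (for example a DWORD) is converted and then fails the checks below.
        $value = [string]$key.GetValue($name)
        if ($allowed.ContainsKey($name) -and $allowed[$name] -notcontains $value) {
            $findings += "${name}: '$value' is not one of $($allowed[$name] -join ', ')"
        } elseif ($expectedUrl.ContainsKey($name) -and $value -ne $expectedUrl[$name]) {
            $findings += "${name}: '$value' differs from expected $($expectedUrl[$name])"
        } elseif ($durationNames -contains $name -and $value -cnotmatch $durationPattern) {
            $findings += "${name}: '$value' is not a valid non-negative duration"
        }
    }
}
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Values not named on this page are ignored by the script rather than flagged.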