Deploy Tailscale on Windows using MDM

This topic contains technical information which you might find useful if you are a system administrator deploying Tailscale for Windows in a corporate environment using mobile device management (MDM).

We are actively working on providing more options for system administrators to programmatically manage their Tailscale deployments. If you are deploying Tailscale and feel the need for a specific configuration option that is currently missing in this topic, open a GitHub issue.

Registry Values

Registry values can be set manually or via MDM solutions such as Microsoft Intune, allowing you to alter the behavior of the Tailscale client.

Registry values should be stored in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Tailscale registry key.

Earlier versions of Tailscale used the HKEY_LOCAL_MACHINE\Software\Tailscale IPN key. If you still have the HKEY_LOCAL_MACHINE\Software\Tailscale IPN key, move all of your custom policy settings into the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Tailscale key, and then delete the HKEY_LOCAL_MACHINE\Software\Tailscale IPN key to ensure everything is removed from the legacy registry key.

Within the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Tailscale registry key:

  • The (Default) value is not used.

Optionally, several values can be created, all of which are of String type:

  • The LoginURL value contains the URL of the login server. The default value is https://controlplane.tailscale.com.
  • The LogTarget value contains the URL of the log server. The default value is https://log.tailscale.io.

Preference policies can be set to always, never, or user-decides. If set to always or never, the options are set by the administrator and are not visible in the system tray menu. If unset or set to user-decides, the option is visible in the system tray menu.

  • AllowIncomingConnections controls the Allow Incoming Connections menu option
  • UnattendedMode controls the Unattended Mode menu option

Visibility policies can be set to “hide” or “show”. If set to “hide” then the menu item is not visible. If set to “show” or unset, then the menu item is visible.

  • AdminConsole controls the Admin Console menu item
  • NetworkDevices controls the Network Devices submenu
  • TestMenu controls if the test/debug menu items are visible when opening the tray menu while pressing the shift or ctrl keys.
  • UpdateMenu controls the Update Tailscale menu item

Duration policies control a duration or timeout. The time can be set using units of hours and minutes. Examples:

  • 168h: 1 week
  • 24h: 1 day
  • 1h5m: 1 hour, 5 minutes
  • 30m: half hour

Smaller time units are available but unlikely to be useful. Non-negative values accepted by the Go time.ParseDuration function are supported.

Current duration policies:

  • KeyExpirationNotice controls how long before key expiry a notice is displayed. The default is 24 hours.

For a full list of the registry values you can configure, check out our MDM configuration keys list.
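
The following is an added example, not part of Tailscale's documentation or tooling: a read-only PowerShell audit that checks the values under the policy key against the settings listed above and reports a leftover legacy key. The function names are hypothetical, the duration check covers only the hour/minute forms shown above, and treating a non-https server URL as a finding is this example's assumption.

```powershell
# Added audit example, not Tailscale tooling. Read-only: it never writes to the registry.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Tailscale'
$LegacyKey = 'HKLM:\SOFTWARE\Tailscale IPN'
# Names and allowed settings as listed on this page; ignoring case is this example's choice.
$Preference = 'AllowIncomingConnections', 'UnattendedMode'
$Visibility = 'AdminConsole', 'NetworkDevices', 'TestMenu', 'UpdateMenu'
$Duration   = @('KeyExpirationNotice')
$Url        = 'LoginURL', 'LogTarget'

function Test-TailscalePolicyValue {
    param([string]$Name, $Value)
    if ($Value -isnot [string]) { return 'value is not of String type' }
    if ($Name -in $Preference) {
        if ($Value -notin 'always', 'never', 'user-decides') { return 'expected always, never or user-decides' }
    } elseif ($Name -in $Visibility) {
        if ($Value -notin 'hide', 'show') { return 'expected hide or show' }
    } elseif ($Name -in $Duration) {
        # Simplification: only the hour/minute forms shown on this page (168h, 1h5m, 30m),
        # not every string Go's time.ParseDuration accepts.
        if ($Value -cnotmatch '^(?=\d)(\d+h)?(\d+m)?$') { return 'expected a duration such as 24h or 1h5m' }
    } elseif ($Name -in $Url) {
        # Assumption of this example: a non-https server URL deserves review.
        $uri = $null
        $ok = [uri]::TryCreate($Value, [UriKind]::Absolute, [ref]$uri)
        if (-not $ok -or $uri.Scheme -ne 'https') { return 'expected an absolute https URL' }
    } else {
        return 'name is not in the lists on this page; check the MDM configuration keys list'
    }
}

function Get-TailscalePolicyFinding {
    $findings = @()
    if (Test-Path -LiteralPath $LegacyKey) { $findings += "legacy key still present: $LegacyKey" }
    if (Test-Path -LiteralPath $PolicyKey) {
        $key = Get-Item -LiteralPath $PolicyKey
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }   # the (Default) value is not used
            $problem = Test-TailscalePolicyValue -Name $name -Value $key.GetValue($name)
            if ($problem) { $findings += "${name}: $problem" }
        }
    }
    $findings
}

# Constructed sample values (not from a real device) exercising the validator offline.
$sample = [ordered]@{ UnattendedMode = 'always'; TestMenu = 'hidden'; KeyExpirationNotice = '1d' }
foreach ($n in $sample.Keys) { '{0}={1} -> {2}' -f $n, $sample[$n], (Test-TailscalePolicyValue $n $sample[$n]) }
Get-TailscalePolicyFinding   # on a managed Windows device: one line per finding
```

A LoginURL or LogTarget that differs from the defaults listed above points the client at a different login or log server, so confirm any such value is one your organization set.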