Connect: switch Windows installer to dual mode #62910
Merged
…tallations if update is triggered from per-user instance
Reading Program Files path should be done using Windows API instead of env var that can be overridden.
ravicious reviewed Jan 19, 2026
ravicious reviewed Jan 20, 2026
ravicious reviewed Jan 22, 2026
ravicious approved these changes Jan 23, 2026
ravicious (Member) left a comment:
Added some further suggestions but it looks good.
# Conflicts:
#   lib/vnet/install_service_windows.go
#   lib/vnet/service_windows.go
Contributor
Author
Friendly ping @nklaassen :)
avatus approved these changes Feb 3, 2026
Contributor
ravicious reviewed Feb 5, 2026
Member
Should this PR have closed #53171? It's still going to take some time until we release the dual mode installer, no? I mean at least I was under the impression that it needs to wait for the privileged update service.
Contributor
Author
Yeah, it will be released along with the privileged update service. I will keep the issue open for now.
gzdunek added a commit that referenced this pull request Mar 27, 2026
* Switch installer to dual-mode
* Customize NSIS updater to disallow attempts to update per-machine installations if update is triggered from per-user instance
* Make `assertTshInProgramFiles` more strict
  Reading Program Files path should be done using Windows API instead of env var that can be overridden.
* Add RPC to check if VNet service is installed
* Show warning and disable auto-start if there is no VNet service
* `GetWindowsSystemService` -> `CheckPreRunRequirements`
* `CheckPreRunRequirements` -> `CheckInstallTimeRequirements`
* Customize `forAll` option with VNet message
* Check for per-machine installation in system registry
* Fix vars with PreRun in the name
* Link to source file from the electron-builder repo, add commit hash
* Read per-machine location from Go instead of via PowerShell
* `IsPerMachineInstallResponse` -> `GetInstallationMetadataResponse`
* Define `GetInstallationMetadata` handler in separate file
* Fix tests failing on "updates not wrapped into act"
(cherry picked from commit 336379e)
gzdunek added a commit that referenced this pull request Mar 30, 2026
Closes #53171
The RFD 0242 is still in review, but I'm sharing what the dual mode installer will look like.
To support per-user mode, we switch the installer from the "one-click" setup to the installation wizard. If the user chooses the "Only for me" option, the VNet service will not be installed.
To improve user experience, the app checks if the VNet service is installed. If not, it shows a warning and disables the VNet auto-start.
You might be wondering what happens if the same app is installed in both modes. My observation is that the latest installation wins: it replaces the Start Menu and Desktop shortcuts, and only that instance appears in the Installed Apps list. The other instance can only be accessed by locating it manually on disk.
Having both per-machine and per-user instances installed can cause issues with the updater. Initially, I assumed that per-user updates would work with the existing NSIS updater without any changes. However, when the same app is installed for both scopes, NSIS's internal update logic detects the per-machine instance first, which triggers a request for elevated privileges. The workaround is to customize the updater to pass the `/currentuser` flag, forcing it to target the per-user installation.
The app distinguishes between these modes by checking if its install directory matches Connect's `InstallLocation` in HKLM.
changelog: Restored support for per-user installation of Teleport Connect on Windows, eliminating the need for elevated privileges. VNet is not available in this mode.
I will prepare and publish some dev builds to allow testing this change.
This PR will be backported once the Update Service is added to keep these changes together.
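Both checks mentioned in this PR (asserting a binary is under Program Files using a trusted base path rather than `%ProgramFiles%`, and matching the install directory against `InstallLocation` in HKLM) reduce to comparing Windows paths safely. The following is an added example, not code from the PR or from Teleport: the function names and sample paths are hypothetical, and the trusted values are assumed to have already been read through the Windows known-folder API and the registry.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeWinPath canonicalizes an absolute drive-letter path for comparison:
// unifies separators, resolves "." and "..", and lowercases (Windows paths are
// normally case-insensitive). Pure string logic, so it runs on any OS.
func normalizeWinPath(p string) string {
	var out []string
	for _, seg := range strings.Split(strings.ReplaceAll(p, "/", `\`), `\`) {
		switch seg {
		case "", ".":
		case "..":
			if len(out) > 1 { // never pop the drive segment ("c:")
				out = out[:len(out)-1]
			}
		default:
			out = append(out, strings.ToLower(seg))
		}
	}
	return strings.Join(out, `\`)
}

// isUnderDir reports whether path is base itself or inside it. The match must
// end on a separator boundary, so `C:\Program Files Evil` is not accepted.
func isUnderDir(base, path string) bool {
	b, p := normalizeWinPath(base), normalizeWinPath(path)
	return b != "" && (p == b || strings.HasPrefix(p, b+`\`))
}

// isPerMachineInstall compares the app's own directory with the InstallLocation
// value read from HKLM; an empty value means no per-machine install is recorded.
func isPerMachineInstall(appDir, hklmInstallLocation string) bool {
	loc := normalizeWinPath(hklmInstallLocation)
	return loc != "" && normalizeWinPath(appDir) == loc
}

func main() {
	// Constructed sample values. On Windows, programFiles would come from the
	// known-folder API and hklmLoc from the registry, not from %ProgramFiles%.
	programFiles, hklmLoc := `C:\Program Files`, `C:\Program Files\ExampleApp\`
	fmt.Println(isUnderDir(programFiles, `C:\Program Files\ExampleApp\bin\tool.exe`)) // true
	fmt.Println(isUnderDir(programFiles, `C:\Program Files Evil\tool.exe`))           // false
	fmt.Println(isUnderDir(programFiles, `C:\Program Files\..\Temp\tool.exe`))        // false
	fmt.Println(isPerMachineInstall(`c:\program files\exampleapp`, hklmLoc))          // true
	fmt.Println(isPerMachineInstall(`C:\Users\a\AppData\Local\ExampleApp`, hklmLoc)) // false
}
```

The normalization handles drive-letter paths only; UNC paths, 8.3 short names and reparse points would need resolving through the OS before comparison.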