Connect: read automatic updates configuration from Windows registry #63281
Merged
Connect: read automatic updates configuration from Windows registry #63281
Conversation
gzdunek
changed the title
gzdunek
requested review from
avatus and
ravicious
and removed request for
flyinghermit and
kimlisa
ravicious
reviewed
Jan 30, 2026
gzdunek
force-pushed
the
gzdunek/windows-registry-updates-config
branch
from
bc829f8 to
10a55e0
Compare
avatus
reviewed
Feb 2, 2026
avatus
approved these changes
Feb 3, 2026
ravicious
reviewed
Feb 3, 2026
Member
ravicious
left a comment
ravicious
left a comment
There was a problem hiding this comment.
I still have to go through the commit with "Use UAC updater when app is configured with env vars", but I haven't found any major issues in the code so far.
ravicious
approved these changes
Feb 4, 2026
public-teleport-github-review-bot
Bot
removed the request for review
from tangyatsu
Base automatically changed from
gzdunek/connect-dual-mode-installer
to
master
February 5, 2026 09:42
gzdunek
force-pushed
the
gzdunek/windows-registry-updates-config
branch
from
325d1a5 to
230d978
Compare
Contributor
gzdunek
added a commit
that referenced
this pull request
Mar 27, 2026
…63281) * Replace `GetDownloadBaseUrl` RPC with `GetConfig` * Implement reading ToolsVersion and CdnBaseUrl from system registry * Read values from `getConfig()` instead of `getDownloadBaseUrl` and `process.env` * Use UAC updater when app is configured with env vars * Fix typos * Handle tools version being 'off' * Safely read values from `GetConfigResponse` * Fix ordering in proto * Non-official -> Unofficial * Add TODO about docs * Use switch-case instead of if-else * Bring back if-else (cherry picked from commit 34c0795)
gzdunek
added a commit
that referenced
this pull request
Mar 30, 2026
…63281) * Replace `GetDownloadBaseUrl` RPC with `GetConfig` * Implement reading ToolsVersion and CdnBaseUrl from system registry * Read values from `getConfig()` instead of `getDownloadBaseUrl` and `process.env` * Use UAC updater when app is configured with env vars * Fix typos * Handle tools version being 'off' * Safely read values from `GetConfigResponse` * Fix ordering in proto * Non-official -> Unofficial * Add TODO about docs * Use switch-case instead of if-else * Bring back if-else (cherry picked from commit 34c0795)
10 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Contributes to #59295
RFD #62545
This PR moves Windows configuration from the
TELEPORT_CDN_BASE_URLandTELEPORT_TOOLS_VERSIONenvironment variables to registry policies:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Teleport\TeleportConnect(Machine Policy): Takes precedence over any user-level policy.HKEY_CURRENT_USER\SOFTWARE\Policies\Teleport\TeleportConnect(User Policy): Applies only to per-user installations when no machine policy is defined. Ignored in per-machine installations.Note
The registry keys differ slightly from what was described in the RFD. Previously, the path was
Policies\TeleportConnect, but it is nowPolicies\Teleport\TeleportConnect. I made this adjustment because registry policies are typically structured as<company-name>\<app-name>.To do this, I replaced the
GetDownloadBaseUrlRPC with a newGetConfigRPC that returns both the CDN base URL and the tools version. This required some other, minor changes:Previously,
GetDownloadBaseUrlwould throw an error in OSS builds whenTELEPORT_CDN_BASE_URLwas not set. Since auto-updates may be disabled in this case (TELEPORT_TOOLS_VERSION=off), we should first check whether updates are enabled and only require the CDN base URL if they are. However, sinceGetConfigmust return both values together, I chose to return an emptycdnBaseUrland let the client infer the cause (OSS build). This also improves local development: Connect no longer shows an auto-update error whencdnBaseUrlis missing, auto-updates are now disabled instead.After finishing the implementation, I noticed that
GetConfigalways returnedtoolsVersion: 'off'. This happens because whentshruns as a daemon, auto-updates must be disabled, and we enforce that by launching it withTELEPORT_TOOLS_VERSION=off. To work around this (and ensure consistent behavior forGetConfigacross platforms), I introducedFORWARDED_TELEPORT_TOOLS_VERSION, which passes through the realTELEPORT_TOOLS_VERSIONvalue totsh.changelog: The
TELEPORT_CDN_BASE_URLandTELEPORT_TOOLS_VERSIONenvironment variables are deprecated for configuring Teleport Connect automatic updates on Windows. These settings must now be managed via the system policy registry keys underHKEY_LOCAL_MACHINEorHKEY_CURRENT_USER\SOFTWARE\Policies\Teleport\TeleportConnect. Legacy environment variables will prevent per-machine updates from installing silently.Docs will be updated in a separate PR.