DisplaySync

Building the drive

The USB recovery drive is a FAT32-formatted stick with a small kit of files that, run together, install DisplaySync and bring a kiosk onto the tailnet in one shot. This page is the build checklist: format, copy files, edit config, validate.

Plan on 20-30 minutes for the first drive. Subsequent drives are faster — most of the prep work transfers.

What you need

File inventory

The drive's root needs these files:

<usb-drive>/
├── setup.bat                          # Double-click entry point
├── setup.ps1                          # Tailscale + watchdog setup
├── config.json                        # Tailscale auth key + options
├── README.txt                         # Tech-facing instructions
├── tailscale-setup.exe                # You provide
└── DisplaySync-Sign-x.y.z-x64.exe     # You provide

The first four files (setup.bat, setup.ps1, config.json, README.txt) come from the DisplaySync repo at desktop-sign/usb-setup/. Copy the whole directory contents to the drive's root — the directory structure isn't preserved; the files live at the root of the USB.

Step 1 — Format FAT32

Format the drive as FAT32 so it works on any Windows machine without driver fuss.

Windows:

# Identify the drive letter — be sure you have the right one
Get-Volume

# Format (this wipes the drive)
Format-Volume -DriveLetter <letter> -FileSystem FAT32 -NewFileSystemLabel "DSYNC-RECOVERY"

macOS:

Disk Utility → select the drive → Erase → Format: MS-DOS (FAT) → Scheme: Master Boot Record → Erase.

If the drive is over 32 GB, Windows refuses to format it as FAT32 by default — use a third-party tool (rufus, mkfs.vfat) or partition it down. exFAT works as a fallback but some legacy Windows kiosks may not mount it cleanly.

Step 2 — Copy the kit files

# From the displaysync-app repo, copy the USB setup contents
Copy-Item -Path .\desktop-sign\usb-setup\* `
  -Destination <usb-drive-letter>:\ -Recurse

That copies setup.bat, setup.ps1, config.json, and README.txt to the drive root.

Step 3 — Add the Tailscale installer

Download the Windows Tailscale installer from tailscale.com/download — the file you want is tailscale-setup-<version>.exe.

Rename it to tailscale-setup.exe (drop the version) and copy it to the drive's root. The setup script looks for that exact filename.

Step 4 — Add the DisplaySync installer

Get the DisplaySync Sign installer. Production and staging builds are distributed via the updates.displaysync.live channel — ask the engineering team for the current download URL for the channel you need. The installer asset is named DisplaySync-Sign-<version>-x64.exe.

Copy it to the drive's root with the original DisplaySync-Sign-<version>-x64.exe filename intact. The setup script doesn't care about the version suffix; it finds the file by pattern.

Step 5 — Edit config.json

Open config.json on the drive in any text editor:

{
  "tailscaleAuthKey": "tskey-auth-REPLACE_ME",
  "environment": "production",
  "freshConfig": false
}

Fields:

FieldPurposeValues
tailscaleAuthKeyThe pre-authorized auth key for your tailnettskey-auth-<...> from the Tailscale admin console
environmentLogged for diagnostics; not enforced"production" or "staging"
freshConfigWipe DisplaySync's local config before launchtrue to reset identity, false to preserve

For a fresh recovery (the typical case), "freshConfig": true ensures the kiosk regenerates its sign ID on first launch — important if you're recovering a device that already had stale identity.

For preserving an existing claim (rare; only when you've literally just had to reinstall the OS and the kiosk's previous claim is still valid in the dashboard), "freshConfig": false.

Auth key handling

The auth key is a credential. The drive containing it is a credential too. Treat it like a production secret — don't email it, don't loan the drive long-term, and rotate the key after the event if external techs handled the drive. See Tailscale integration → Auth key handling.

Step 6 — Validate the drive

Before sending the drive into the field, do a dry-run on a test machine:

  1. Plug the drive into a clean Windows 10/11 Pro machine.
  2. Open the drive — confirm 6 files at the root: setup.bat, setup.ps1, config.json, README.txt, tailscale-setup.exe, DisplaySync-Sign-<ver>-x64.exe.
  3. Read config.json one more time — confirm the auth key is filled in (not the placeholder).
  4. Run the recovery flow end-to-end as documented in Field recovery playbook.
  5. Confirm the test machine ends up with: DisplaySync running, Tailscale-tagged, dashboard showing it as Unclaimed (or claimed if you didn't set freshConfig: true).
  6. Confirm setup.log was written next to setup.ps1 on the USB drive — that's your diagnostic artifact for any issue in the field.

If the dry-run completes cleanly, the drive is ready to ship.

Multiple drives for a single event

For tier-1 events with many kiosks, build multiple identical drives — typically one drive per 5-10 kiosks, depending on team size. Hand them to the techs walking the floor; the drive lives with them, not with a specific kiosk.

All drives can share the same auth key (it's reusable). One key, one rotation cycle, simpler key management.

Drive lifecycle

A drive is an event-scope artifact, not a permanent tool:

  • Pre-event: build, validate, label with the event name and current date.
  • Event: lives with the on-call tech.
  • Post-event: wipe the drive (or at minimum, edit config.json to remove the auth key) and rotate the Tailscale key.

A drive that walks out of an event with an unrotated auth key on it is the most common Tailscale credential leak we hear about. Rotate.

See also