Building the drive
The USB recovery drive is a FAT32-formatted stick with a small kit of files that, run together, install DisplaySync and bring a kiosk onto the tailnet in one shot. This page is the build checklist: format, copy files, edit config, validate.
Plan on 20-30 minutes for the first drive. Subsequent drives are faster — most of the prep work transfers.
What you need
- A USB stick, 16 GB or larger, you don't mind reformatting
- A Windows or macOS computer with USB
- The kit files (below)
- A Tailscale auth key — see Tailscale integration → Mint the auth key
File inventory
The drive's root needs these files:
<usb-drive>/
├── setup.bat # Double-click entry point
├── setup.ps1 # Tailscale + watchdog setup
├── config.json # Tailscale auth key + options
├── README.txt # Tech-facing instructions
├── tailscale-setup.exe # You provide
└── DisplaySync-Sign-x.y.z-x64.exe # You provide
The first four files (setup.bat, setup.ps1, config.json, README.txt) come from the DisplaySync repo at desktop-sign/usb-setup/. Copy the whole directory contents to the drive's root — the directory structure isn't preserved; the files live at the root of the USB.
Step 1 — Format FAT32
Format the drive as FAT32 so it works on any Windows machine without driver fuss.
Windows:
# Identify the drive letter — be sure you have the right one
Get-Volume
# Format (this wipes the drive)
Format-Volume -DriveLetter <letter> -FileSystem FAT32 -NewFileSystemLabel "DSYNC-RECOVERY"
macOS:
Disk Utility → select the drive → Erase → Format: MS-DOS (FAT) → Scheme: Master Boot Record → Erase.
If the drive is over 32 GB, Windows refuses to format it as FAT32 by default — use a third-party tool (rufus, mkfs.vfat) or partition it down. exFAT works as a fallback but some legacy Windows kiosks may not mount it cleanly.
Step 2 — Copy the kit files
# From the displaysync-app repo, copy the USB setup contents
Copy-Item -Path .\desktop-sign\usb-setup\* `
-Destination <usb-drive-letter>:\ -Recurse
That copies setup.bat, setup.ps1, config.json, and README.txt to the drive root.
Step 3 — Add the Tailscale installer
Download the Windows Tailscale installer from tailscale.com/download — the file you want is tailscale-setup-<version>.exe.
Rename it to tailscale-setup.exe (drop the version) and copy it to the drive's root. The setup script looks for that exact filename.
Step 4 — Add the DisplaySync installer
Get the DisplaySync Sign installer. Production and staging builds are distributed via the updates.displaysync.live channel — ask the engineering team for the current download URL for the channel you need. The installer asset is named DisplaySync-Sign-<version>-x64.exe.
Copy it to the drive's root with the original DisplaySync-Sign-<version>-x64.exe filename intact. The setup script doesn't care about the version suffix; it finds the file by pattern.
Step 5 — Edit config.json
Open config.json on the drive in any text editor:
{
"tailscaleAuthKey": "tskey-auth-REPLACE_ME",
"environment": "production",
"freshConfig": false
}
Fields:
| Field | Purpose | Values |
|---|---|---|
| tailscaleAuthKey | The pre-authorized auth key for your tailnet | tskey-auth-<...> from the Tailscale admin console |
| environment | Logged for diagnostics; not enforced | "production" or "staging" |
| freshConfig | Wipe DisplaySync's local config before launch | true to reset identity, false to preserve |
For a fresh recovery (the typical case), "freshConfig": true ensures the kiosk regenerates its sign ID on first launch — important if you're recovering a device that already had a stale identity.
To preserve an existing claim (rare; only when you've literally just had to reinstall the OS and the kiosk's previous claim is still valid in the dashboard), set "freshConfig": false.
Auth key handling
The auth key is a credential. The drive containing it is a credential too. Treat it like a production secret — don't email it, don't loan the drive long-term, and rotate the key after the event if external techs handled the drive. See Tailscale integration → Auth key handling.
Step 6 — Validate the drive
Before sending the drive into the field, do a dry-run on a test machine:
- Plug the drive into a clean Windows 10/11 Pro machine.
- Open the drive — confirm 6 files at the root: setup.bat, setup.ps1, config.json, README.txt, tailscale-setup.exe, DisplaySync-Sign-<ver>-x64.exe.
- Read config.json one more time — confirm the auth key is filled in (not the placeholder).
- Run the recovery flow end-to-end as documented in Field recovery playbook.
- Confirm the test machine ends up with: DisplaySync running, Tailscale-tagged, dashboard showing it as Unclaimed (or claimed if you didn't set freshConfig: true).
- Confirm setup.log was written next to setup.ps1 on the USB drive — that's your diagnostic artifact for any issue in the field.
If the dry-run completes cleanly, the drive is ready to ship.
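The static checks in this step (file inventory and config.json sanity) can be scripted before the dry-run. The following is an added example, not part of the DisplaySync kit or repo; the function name Test-RecoveryDrive and the E:\ drive letter are assumptions, and requiring exactly one matching installer is this example's choice, not a rule stated by the setup script.

```powershell
# Added example: static pre-ship check for a recovery drive (not DisplaySync code).
# Test-RecoveryDrive is a hypothetical helper; pass the drive root, e.g. 'E:\'.
function Test-RecoveryDrive {
    param([Parameter(Mandatory)][string]$Root)

    $problems = [System.Collections.Generic.List[string]]::new()

    # Fixed-name files listed in the file inventory.
    foreach ($name in 'setup.bat', 'setup.ps1', 'config.json', 'README.txt', 'tailscale-setup.exe') {
        if (-not (Test-Path -LiteralPath (Join-Path $Root $name) -PathType Leaf)) {
            $problems.Add("missing: $name")
        }
    }

    # The DisplaySync installer keeps its version suffix, so match it by pattern.
    $installers = @(Get-ChildItem -LiteralPath $Root -File -Filter 'DisplaySync-Sign-*-x64.exe')
    if ($installers.Count -ne 1) {
        $problems.Add("expected 1 DisplaySync-Sign-*-x64.exe, found $($installers.Count)")
    }

    # config.json must parse and must not still carry the placeholder key.
    $configPath = Join-Path $Root 'config.json'
    if (Test-Path -LiteralPath $configPath -PathType Leaf) {
        try {
            $cfg = Get-Content -LiteralPath $configPath -Raw -ErrorAction Stop | ConvertFrom-Json
            if ($cfg.tailscaleAuthKey -notlike 'tskey-auth-*' -or
                $cfg.tailscaleAuthKey -like '*REPLACE_ME*') {
                $problems.Add('tailscaleAuthKey is missing or still the placeholder')
            }
            if ($cfg.environment -notin 'production', 'staging') {
                $problems.Add("environment is '$($cfg.environment)' (expected production or staging)")
            }
            if ($cfg.freshConfig -isnot [bool]) {
                $problems.Add('freshConfig must be true or false')
            }
        } catch {
            $problems.Add("config.json does not parse: $($_.Exception.Message)")
        }
    }

    # Only problem descriptions are returned; the key itself is never echoed.
    return $problems
}

$found = @(Test-RecoveryDrive -Root 'E:\')   # 'E:\' is a placeholder drive letter
if ($found.Count) { $found | ForEach-Object { Write-Warning $_ } } else { 'Static checks passed.' }
```

A clean result here covers only the first two checklist items; the end-to-end dry-run is still what proves the drive works.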
Multiple drives for a single event
For tier-1 events with many kiosks, build multiple identical drives — typically one drive per 5-10 kiosks, depending on team size. Hand them to the techs walking the floor; the drive lives with them, not with a specific kiosk.
All drives can share the same auth key (it's reusable). One key, one rotation cycle, simpler key management.
Drive lifecycle
A drive is an event-scope artifact, not a permanent tool:
- Pre-event: build, validate, label with the event name and current date.
- Event: lives with the on-call tech.
- Post-event: wipe the drive (or at minimum, edit config.json to remove the auth key) and rotate the Tailscale key.
A drive that walks out of an event with an unrotated auth key on it is the most common Tailscale credential leak we hear about. Rotate.
See also
- Setup script reference — what setup.ps1 actually does, parameter by parameter
- Field recovery playbook — the tech-facing walkthrough
- Tailscale integration — auth keys and ACLs in detail