Windows Managed Devices

The Twingate Windows Client is distributed in both an EXE and MSI package format, allowing organizations to choose the method of device deployment that works best for them.

Both formats support the same command line parameters, the difference is that the EXE package also contains the required .NET Runtime prerequisite, and will install it automatically. This is the recommended method for distributing the Windows Client. If you decide to distribute the MSI instead please be aware that you may need to also distribute the appropriate .NET 8 Runtime.

You can download the EXE release for the latest Client version here which you can download and configure in your MDM solution (for example, Microsoft InTune).

If you need the MSI release then you can download it here.

We also maintain a historical public changelog of prior releases.

.NET Prerequisite

The MSI installer does not include the .NET Desktop Runtime. When installing the Client via the MSI, you must manually install .NET Desktop Runtime alongside the Client if not already installed.

Versions of the Windows Client from November 2024 onward require the .NET Desktop Runtime 8.0 (x64) or higher. It is recommended to install this version of the runtime in order to support all versions of the Twingate Windows Client.

You can download the .NET 8.0 Desktop Runtime x64 directly from Microsoft.

Command Line Deployment Options

Both the EXE and MSI packages support a number of command line options that are useful for automated deployments:

Silent installation. The /qn option will suppress the installation dialog and automatically accept the user terms of service.
Pre-configure the Twingate Network. The network= option allows pre-configuring the Twingate Network name so that users do not have to enter this information.
Automatically reconnect after an update. The auto_update= option will tell the Client to reconnect using the existing Twingate Network session, avoiding the need for the user to log back in after an update.
Disable user triggered updates. Setting no_optional_updates=true will disable optional updates. See the next section for more information on why you might want to do this.
Configure NCSI global DNS. Setting ncsi_global_dns=true will enable NCSI_GlobalDns. Enable this option if users are experiencing a false “No internet” NCSI while Twingate is running.

Example

In this example, this will install the Twingate Windows Client, setting the Twingate Network to beamreach.twingate.com and disable optional updates.

TwingateWindowsInstaller.exe /qn network=beamreach.twingate.com no_optional_updates=true auto_update=true

When that command is run on a system that already has the Twingate Client installed, it will attempt to perform an in-place update over top of the existing installation, and because of the auto_update=true option being set once complete it should log the user back in to their existing session.

Should you use the `no_optional_updates` option?

Usually, yes, but this depends on whether you allow users to have local admin rights on their Windows PC. User-triggered updates cannot be installed without the local user providing administrator authorization, so if you do not allow local admin rights, you should disable local user-triggered updates. The command line option allows flexibility for different user groups depending on their local admin permissions.

In summary:

If you allow local admin rights: We recommend you leave user-triggered updates enabled (this is the default). Users will be prompted when an update is available and asked to update the Twingate Client.
If you do not allow local admin rights: You should disable user-triggered updates. This is because, if optional updates are enabled, users will receive update availability prompts but will not be able to update the Client. New versions of the Twingate Windows Client must instead be pushed to users via your MDM solution.

Remember, Clients older than 12 months are not supported and will not be able to connect to the Twingate service. If you disable user-triggered updates, you should ensure that you have a process in place to update the Client on user devices on a regular basis.

Microsoft Intune and Endpoint Manager

Microsoft Intune and Endpoint Manager are popular solutions for managing Windows devices. You can deploy the Twingate Windows Client using Microsoft Intune by following the steps outlined in the Microsoft Intune & Endpoint Manager guide.

Third-party MDM solutions

If you use a third-party MDM solution, you can deploy the Twingate Windows Client using the EXE or MSI package and the command line options described above. Consult your MDM documentation for instructions on how to deploy software packages.

If custom PowerShell scripts are supported, you can follow the instructions in the Microsoft Intune custom script guide. This guide provides an example script that downloads both the .NET Runtime and the Twingate Client MSI installer and installs it on the device.

Chocolatey

Early Access

Chocolatey packages are not currently updated as part of our automated release pipeline so package updates may be subject to delayed release.

Chocolatey is a package manager for Windows that allows easy installation and updates of thousands of software packages. Installation instructions are available on Chocolatey’s website.

With Chocolatey installed, Twingate can be installed with a single command:

choco install twingate

Last updated 2 days ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Usage-based Auto-lock

Ephemeral Access

Resource Tags

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

VPN Replacement

Infrastructure Access

Device Security Controls