Defguard 1.6 release - Zero-touch Enrollment at Enterprise Scale for WireGuard

Hi,
First and foremost, thank you for your interest in Defguard and your support in 2025!
As the year ends, we are excited to release Defguard v1.6.0, advancing our enterprise WireGuard VPN solution with zero-touch enrollment, provisioning, and additional enhancements.

TL;DR:
- Pre-logon VPN - use it e.g. to connect to AD before Windows login
- Zero-touch Enrollment - Automate user provisioning at scale
- macOS App Store - Native Swift VPN with system integration
- Windows MSI - Enterprise deployment via Intune/GPO
- MTU Settings - Fix connectivity on restrictive networks
Full Defguard Release v1.6.0 blog post
What's new in Defguard 1.6
Secure connectivity before user login (Windows)
Defguard now supports pre-logon WireGuard tunnels on Windows through Service Locations, enabling remote authentication against AD or EntraID without exposing domain controllers to the internet.
For environments requiring stronger enforcement, always-on VPN mode ensures device traffic remains protected on untrusted networks.
Zero-touch deployment at scale
Client enrollment can now be automated using:
- Windows MSI installers
- macOS App Store distribution
- File-based enrollment tokens
This enables fast, repeatable onboarding while reducing configuration drift across large device fleets.
On Windows, Defguard supports provisioning with Active Directory or EntraID. The client can automatically fetch its enrollment configuration (URL and token) from AD/EntraID during installation.
Enterprise-ready clients
- The Windows client now uses WireGuardNT (in-kernel), allowing deployment through Intune, GPO, and standard MSI workflows.
- The macOS client has been rewritten in native Swift for improved stability and system VPN integration.
Improved reliability on mobile networks
Manual MTU configuration is now available across all platforms, helping maintain stable connectivity on LTE/5G and constrained networks.
Our security approach
As always, everything is delivered with ultimate security and privacy in mind:
- Fully self-hosted with no SaaS dependency
- Open-source and auditable
- Continuous SBOM monitoring and dependency scanning
- Regular penetration testing and transparent vulnerability disclosure
- Full ownership of keys, identity data, and logs
Upgrade notes
- Windows users should uninstall legacy clients before installing the new MSI.
- Both server and clients must be upgraded to 1.6 to use the new features.
Read the upgrading guide from 1.5.x -> 1.6.0
Try Defguard 1.6.0
Start your Defguard 1.6 trial and simplify enterprise VPN management. Deploy always-on, pre-logon WireGuard tunnels, automate enrollment, and keep full ownership of your infrastructure and data.
- Run Defguard with our one-line install script - no license required, enterprise features limited to 5 users
- Enroll in the Defguard Enterprise PoC for a 14-day evaluation license key with no limits.
All the best to you in the new year!
Defguard Team
Release notes: https://defguard.net/blog/defguard-16-release-notes/
Security approach: https://defguard.net/security/
Documentation: https://docs.defguard.net
Source code: https://github.com/DefGuard