
Settings reference

This reference documents Docker Desktop settings that administrators can configure using Settings Management. Use this page to understand which settings are available, their accepted values, platform compatibility, and which configuration methods apply.

Note

This page only covers configurable settings for administrators who are deploying Docker Desktop to their organization. For the full list of Docker Desktop user-facing settings, see Change settings.

General

Send usage statistics

Controls whether Docker Desktop collects and sends local usage statistics and crash reports to Docker. Does not affect server-side telemetry collected via Docker Hub or other backend services, such as sign-in timestamps, pulls, or builds.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | analyticsEnabled |
| Admin Console | Send usage statistics |

Note

Organizations using the Insights Dashboard may need this setting enabled to ensure that developer activity is fully visible. If users opt out and the setting is not locked, their activity may be excluded from analytics views.

Automatically check for updates

Controls whether Docker Desktop checks for and notifies users about available updates. When set to true, update checks and notifications are disabled.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | disableUpdate |
| Admin Console | Disable update |

Note

In hardened environments, enable this setting and lock it. This guarantees that only internally vetted versions are installed.

Automatically update components

Allows Docker Desktop to automatically update components that do not require a restart, such as Docker Compose, Docker Scout, and the Docker CLI.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | silentModulesUpdate |
| Admin Console | Automatically update components |

Enable Gordon

| Property | Value |
|---|---|
| Default | false |
| Accepted values (individuals) | true, false |
| Accepted values (Business tier) | "Disabled", "Enabled", "Always Enabled" |
| JSON key | enableDockerAI |
| Admin Console | Enable Gordon |

Important

Docker Business customers must set this to "Enabled" or "Always Enabled" in the Admin Console. Setting to "User Defined" alone will not activate Gordon.

Block docker load

Prevents users from loading local Docker images using the docker load command, enforcing image provenance by requiring all images to come from registries.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | blockDockerLoad |
| Admin Console | Block Docker Load |

Note

In hardened environments, enable and lock this setting. This forces all images to come from your secure, scanned registry.

Hide onboarding survey

Prevents the onboarding survey from being shown to new users.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | displayedOnboarding |
| Admin Console | Hide onboarding survey |

Enable Docker terminal

Allows or restricts access to the built-in terminal for host system interaction. When set to false, users cannot use the Docker terminal to interact with the host machine or execute commands directly from Docker Desktop.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| Docker Desktop GUI | General tab |
| JSON key | desktopTerminalEnabled |
| Admin Console | Not available |

Expose Docker API on TCP 2375 (Windows only)

Exposes the Docker API over an unauthenticated TCP socket on port 2375. Only recommended for isolated and protected environments. Supports legacy integrations that require TCP API access.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | exposeDockerAPIOnTCP2375 |
| Admin Console | Expose Docker API |

Note

In hardened environments, disable and lock this setting. This ensures the Docker API is only reachable via the secure internal socket.

Extensions

Enable Docker extensions

Controls whether users can install and run Docker Extensions.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | extensionsEnabled |
| Admin Console | Allow Extensions |

Note

In hardened environments, disable and lock this setting. This prevents third-party or unverified plugins from being installed.
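The following audit is an added example, not part of Docker's documentation. It checks a settings file against the four hardened-environment notes above (disableUpdate, blockDockerLoad, exposeDockerAPIOnTCP2375, extensionsEnabled). It assumes each setting is a top-level key holding the "locked"/"value" object shape this page shows for enhancedContainerIsolation; the function names and the sample file content are constructed for illustration.

```python
import json

# Hardened-environment values taken from the notes on this page:
# JSON key -> value the note recommends (each should also be locked).
HARDENED = {
    "disableUpdate": True,              # only internally vetted versions
    "blockDockerLoad": True,            # images must come from registries
    "exposeDockerAPIOnTCP2375": False,  # no unauthenticated TCP API
    "extensionsEnabled": False,         # no third-party extensions
}

def audit(settings: dict) -> list[str]:
    """Return one finding per deviation from HARDENED (empty list = pass)."""
    findings = []
    for key, want in HARDENED.items():
        entry = settings.get(key)
        if not isinstance(entry, dict):
            findings.append(f"{key}: missing from file")
            continue
        # Compare with 'is' so that 1 or "true" does not pass as True.
        if entry.get("value") is not want:
            findings.append(f"{key}: value is {entry.get('value')!r}, expected {want!r}")
        if entry.get("locked") is not True:
            findings.append(f"{key}: not locked, users can change it")
    return findings

def audit_json(text: str) -> list[str]:
    """Parse settings file content and audit it."""
    return audit(json.loads(text))

# Constructed sample file content (assumed layout, not a real deployment).
SAMPLE = """
{
  "disableUpdate":              {"locked": true,  "value": true},
  "blockDockerLoad":            {"locked": false, "value": true},
  "exposeDockerAPIOnTCP2375":   {"locked": true,  "value": true},
  "enhancedContainerIsolation": {"locked": true,  "value": true}
}
"""

if __name__ == "__main__":
    for finding in audit_json(SAMPLE):
        print("FAIL", finding)
```
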

Allow only extensions distributed through the Docker Marketplace

Prevents installation of third-party or locally developed extensions.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | onlyMarketplaceExtensions |
| Admin Console | Only marketplace extensions |

Enable a private marketplace

Ensures Docker Desktop connects to content defined and controlled by the administrator instead of the public Docker Marketplace.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | extensionsPrivateMarketplace |
| Admin Console | Extensions private marketplace |

AI

Enable Docker Model Runner

Enables Docker Model Runner functionality for running AI models in containers.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | enableInference |
| Admin Console | Enable Docker Model Runner |

Enable host-side TCP support

Enables TCP connectivity for Docker Model Runner services, allowing external applications to connect to Model Runner via TCP.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | enableInferenceTCP |
| Admin Console | Host-side TCP support |
| Requires | Docker Model Runner enabled |

Port

Specifies the port used for Model Runner TCP connections.

| Property | Value |
|---|---|
| Default | 12434 |
| Accepted values | Integer |
| Format | Integer |
| JSON key | enableInferenceTCPPort |
| Admin Console | Host-side TCP port |
| Requires | Docker Model Runner and host-side TCP support enabled |

CORS Allowed Origins

Controls cross-origin resource sharing for Model Runner web integration.

| Property | Value |
|---|---|
| Default | Empty string |
| Accepted values | Empty string (deny all), * (accept all), or comma-separated list of origins |
| Format | String |
| JSON key | enableInferenceCORS |
| Admin Console | CORS Allowed Origins |
| Requires | Docker Model Runner and host-side TCP support enabled |

Enable GPU-backed inference (Windows only)

Enables GPU-backed inference. Additional components will be downloaded to ~/.docker/bin/inference.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | enableInferenceGPUVariant |
| Admin Console | Enable GPU-backed inference |

File sharing and emulation

File sharing directories

Defines which host directories containers can access for development workflows.

| Property | Value |
|---|---|
| Default | Varies by OS |
| Accepted values | List of file paths |
| Format | Array of strings |
| JSON key | filesharingAllowedDirectories |
| Admin Console | Yes — Allowed file sharing directories |

VirtioFS (Mac only)

Uses VirtioFS for fast, native file sharing between host and containers. If both VirtioFS and gRPC FUSE are set to true, VirtioFS takes precedence.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | useVirtualizationFrameworkVirtioFS |
| Admin Console | Use VirtioFS for file sharing tab |

gRPC FUSE (Mac only)

Enables gRPC FUSE for macOS file sharing.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | useGrpcfuse |
| Admin Console | Use gRPC FUSE for file sharing |

Rosetta (Mac only)

Uses Rosetta for x86_64/amd64 emulation on Apple Silicon.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | useVirtualizationFrameworkRosetta |
| Admin Console | Use Rosetta for x86_64/amd64 emulation on Apple Silicon |

Scout

Enable Scout image analysis

Turns on vulnerability scanning and software bill of materials (SBOM) analysis for container images.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | sbomIndexing |
| Admin Console | SBOM indexing |

Enable background Scout SBOM indexing

Keeps image metadata current by indexing during idle time or after image operations.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | useBackgroundIndexing |
| Admin Console | Background indexing |

Proxy

Embedded PAC script

Specifies an embedded Proxy Auto-Config (PAC) script. For example: "embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }".

| Property | Value |
|---|---|
| Default | "" |
| Accepted values | Embedded PAC script content |
| Format | String |
| JSON key | embeddedPac |
| Admin Console | Yes Embedded PAC script |

PAC file URL

Specifies a PAC file URL for Docker Desktop to use when routing network traffic. For example: "pac": "http://proxy/proxy.pac".

| Property | Value |
|---|---|
| Default | "" |
| Accepted values | PAC file URL |
| Format | String |
| JSON key | pac |
| Admin Console | PAC file |

Override Windows "dockerd" port (Windows only)

Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port.

| Property | Value |
|---|---|
| Default | -1 |
| Accepted values | -1 0 |
| Format | String |
| JSON key | windowsDockerdPort |
| Admin Console | Override Windows “dockerd” port |

Enable Kerberos and NTLM authentication

Enables enterprise proxy authentication support for Kerberos and NTLM protocols.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | proxy.enableKerberosNtlm |
| Admin Console | Kerberos NTLM |

Proxy bypass

Defines network addresses that containers should bypass when using proxy settings.

| Property | Value |
|---|---|
| Default | "" |
| Accepted values | List of addresses |
| Format | String |
| Docker Desktop GUI | Proxies tab |
| JSON key | proxy (with manual and exclude modes) |
| Admin Console | Yes — Proxy section |

Containers proxy

Air-gapped container proxy

Configures an HTTP/HTTPS proxy for containers in air-gapped environments, providing controlled network access in offline or restricted network environments.

| Property | Value |
|---|---|
| Default | See example below |
| Accepted values | JSON object |
| Format | JSON object |
| JSON key | containersProxy |
| Admin Console | Containers proxy section |

```json
"containersProxy": {
  "locked": true,
  "mode": "manual",
  "http": "",
  "https": "",
  "exclude": [],
  "pac": "",
  "transparentPorts": ""
}
```

For more information, see Air-gapped containers.

LinuxVM

Enable WSL engine (Windows only)

When set to true, Docker Desktop uses the WSL 2 based engine. Overrides any backend flag set at installation using --backend=<backend name>.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | wslEngineEnabled |
| Admin Console | Windows Subsystem for Linux (WSL) Engine |

Docker daemon options

Overrides the Docker daemon configuration used in containers, without modifying local configuration files.

| Property | Value |
|---|---|
| Default | {} |
| Accepted values | JSON object |
| Format | Stringified JSON |
| JSON key | linuxVM.dockerDaemonOptions |
| Admin Console | Docker Daemon options in the LinuxVM dropdown |

VPNKit CIDR (Mac only)

Sets the network subnet used for Docker Desktop's internal VPNKit DHCP/DNS services. Prevents IP address conflicts in environments with overlapping network subnets.

| Property | Value |
|---|---|
| Default | 192.168.65.0/24 |
| Accepted values | CIDR notation |
| Format | String |
| JSON key | vpnkitCIDR |
| Admin Console | VPNKit CIDR |

Windows containers

Docker daemon options

Overrides the Docker daemon configuration used in Windows containers, without modifying local configuration files.

| Property | Value |
|---|---|
| Default | {} |
| Accepted values | JSON object |
| Format | Stringified JSON |
| JSON key | windowsContainers.dockerDaemonOptions |
| Admin Console | Docker Daemon options in the Windows containers dropdown |

Kubernetes

Enable Kubernetes

Enables the local Kubernetes cluster integration with Docker Desktop.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | kubernetes |
| Admin Console | Enable Kubernetes |

Show system containers

Controls visibility of Kubernetes system containers in the Docker Desktop Dashboard.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| Admin Console | Show system containers |

Kubernetes image repository

Specifies a registry used for Kubernetes control plane images instead of Docker Hub. Overrides the [registry[:port]/][namespace] portion of image names. Images must be mirrored from Docker Hub with matching tags.

| Property | Value |
|---|---|
| Default | "" |
| Accepted values | Registry URL |
| Format | String |
| JSON key | KubernetesImagesRepository |
| Admin Console | Kubernetes Images Repository |

Note

Images must be mirrored from Docker Hub with matching tags. Required images depend on the cluster provisioning method.

Important

When using custom image repositories with Enhanced Container Isolation, add these images to the ECI allowlist: [imagesRepository]/desktop-cloud-provider-kind:* and [imagesRepository]/desktop-containerd-registry-mirror:*.

Cluster provisioning method

Controls Kubernetes cluster topology and node configuration.

| Property | Value |
|---|---|
| Default | kubeadm |
| Accepted values | kubeadm, kind |
| Format | String |
| Admin Console | Kubernetes mode |

Node version

Pins the Kubernetes version used for cluster nodes.

| Property | Value |
|---|---|
| Default | 1.31.1 |
| Accepted values | Semantic version (e.g. 1.29.1) |
| Format | String |
| Admin Console | Node version tab |

Nodes count

Sets the number of nodes in multi-node Kubernetes clusters.

| Property | Value |
|---|---|
| Default | 1 |
| Accepted values | Integer |
| Format | Integer |
| Admin Console | Nodes count |

Features in development

Access beta features

Controls whether users can access all Docker Desktop features that are in public beta.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | allowBetaFeatures |
| Admin Console | Access beta features |

Enable Docker MCP Toolkit (Beta)

Enables Docker MCP Toolkit in Docker Desktop for AI model development workflows.

| Property | Value |
|---|---|
| Default | true |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | enableDockerMCPToolkit |
| Admin Console | Not available |

Enhance container isolation

Enable Enhanced Container Isolation

Prevents containers from modifying Docker Desktop VM configuration or accessing sensitive host areas.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | enhancedContainerIsolation |
| Admin Console | Enable enhanced container isolation |

Docker socket access control (ECI exceptions)

Defines specific images and commands allowed to use the Docker socket when Enhanced Container Isolation is active. Supports tools like Testcontainers, LocalStack, or CI systems that need Docker socket access while maintaining security.

| Property | Value |
|---|---|
| Accepted values | JSON object |
| Format | JSON object |
| JSON key | dockerSocketMount |
| Admin Console | Image list, Command list |

```json
"enhancedContainerIsolation": {
  "locked": true,
  "value": true,
  "dockerSocketMount": {
    "imageList": {
      "images": [
        "docker.io/localstack/localstack:*",
        "docker.io/testcontainers/ryuk:*"
      ]
    },
    "commandList": {
      "type": "deny",
      "commands": ["push"]
    }
  }
}
```

Network

Networking mode

Sets the default IP protocol used when Docker creates new networks.

| Property | Value |
|---|---|
| Default | dual-stack |
| Accepted values | ipv4only, ipv6only |
| Format | String |
| JSON key | defaultNetworkingMode |
| Admin Console | Default network IP mode |

For more information, see Networking.

Inhibit DNS resolution for IPv4/IPv6

Filters unsupported DNS record types to improve reliability in environments where only IPv4 or IPv6 is supported. Requires Docker Desktop 4.43 and later.

| Property | Value |
|---|---|
| Default | auto |
| Accepted values | ipv4, ipv6, none |
| Format | String |
| JSON key | dnsInhibition |
| Admin Console | DNS filtering behavior |

For more information, see Networking.

Port binding behavior

Specify how port bindings are handled for new containers.

| Property | Value |
|---|---|
| Default | default-port-binding |
| Accepted values | default-local-port-binding, local-only-port-binding, default-port-binding |
| Format | String |
| JSON key | portBindingBehavior |
| Admin Console | Port binding behavior |

Other

Enable Docker Offload

Controls Docker Offload availability. When enabled, users see the Docker Offload toggle in the Docker Desktop header.

| Property | Value |
|---|---|
| Default | false |
| Accepted values | true, false |
| Format | Boolean |
| JSON key | enableCloud |
| Admin Console | Enable Docker Offload |

Note

This setting is only available when Docker Offload capability is enabled for the organization.