diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index fedd48bd3..351bf6aaa 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -396,11 +396,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 			b.prefs.Persist = st.Persist.Clone()
 		}
 	}
-	if temporarilySetMachineKeyInPersist() && b.prefs.Persist != nil &&
-		b.prefs.Persist.LegacyFrontendPrivateMachineKey.IsZero() {
-		b.prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey
-		prefsChanged = true
-	}
 	if st.NetMap != nil {
 		if b.findExitNodeIDLocked(st.NetMap) {
 			prefsChanged = true
@@ -665,12 +660,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 
 	b.mu.Lock()
 	prefs := b.prefs.Clone()
-
-	if temporarilySetMachineKeyInPersist() && prefs.Persist != nil &&
-		prefs.Persist.LegacyFrontendPrivateMachineKey.IsZero() {
-		prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey
-	}
-
 	b.mu.Unlock()
 
 	blid := b.backendLogID
@@ -970,17 +959,6 @@ func (b *LocalBackend) popBrowserAuthNow() {
 // b.stateKey should be set too, but just for nicer log messages.
 // b.mu must be held.
 func (b *LocalBackend) initMachineKeyLocked() (err error) {
-	if temporarilySetMachineKeyInPersist() {
-		defer func() {
-			if err != nil {
-				return
-			}
-			if b.prefs != nil && b.prefs.Persist != nil {
-				b.prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey
-			}
-		}()
-	}
-
 	if !b.machinePrivKey.IsZero() {
 		// Already set.
 		return nil
@@ -1991,23 +1969,6 @@ func (b *LocalBackend) TestOnlyPublicKeys() (machineKey tailcfg.MachineKey, node
 	return tailcfg.MachineKey(mk), tailcfg.NodeKey(nk)
 }
 
-// temporarilySetMachineKeyInPersist reports whether we should set
-// the machine key in Prefs.Persist.LegacyFrontendPrivateMachineKey
-// for the frontend to write out to its preferences for use later.
-//
-// TODO: remove this in Tailscale 1.3.x (so it effectively always
-// returns false). It just exists so users can downgrade from 1.2.x to
-// 1.0.x.  But eventually we want to stop sending the machine key to
-// clients. We can't do that until 1.0.x is no longer supported.
-func temporarilySetMachineKeyInPersist() bool {
-	switch runtime.GOOS {
-	case "darwin", "ios", "android":
-		// iOS, macOS, Android users can't downgrade anyway.
-		return false
-	}
-	return true
-}
-
 func (b *LocalBackend) WaitingFiles() ([]WaitingFile, error) {
 	b.mu.Lock()
 	apiSrv := b.peerAPIServer