diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index 58cd4025f..a6e3f1952 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -1082,7 +1082,6 @@ func stripKeysFromPrefs(p ipn.PrefsView) ipn.PrefsView {
 }
 p2 := p.AsStruct()
- p2.Persist.LegacyFrontendPrivateMachineKey = key.MachinePrivate{}
 p2.Persist.PrivateNodeKey = key.NodePrivate{}
 p2.Persist.OldPrivateNodeKey = key.NodePrivate{}
 p2.Persist.NetworkLockKey = key.NLPrivate{}
@@ -3343,11 +3342,6 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 return nil
 }
- var legacyMachineKey key.MachinePrivate
- if p := b.pm.CurrentPrefs().Persist(); p.Valid() {
- legacyMachineKey = p.LegacyFrontendPrivateMachineKey()
- }
-
 keyText, err := b.store.ReadState(ipn.MachineKeyStateKey)
 if err == nil {
 if err := b.machinePrivKey.UnmarshalText(keyText); err != nil {
@@ -3356,9 +3350,6 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 if b.machinePrivKey.IsZero() {
 return fmt.Errorf("invalid zero key stored in %v key of %v", ipn.MachineKeyStateKey, b.store)
 }
- if !legacyMachineKey.IsZero() && !legacyMachineKey.Equal(b.machinePrivKey) {
- b.logf("frontend-provided legacy machine key ignored; used value from server state")
- }
 return nil
 }
 if err != ipn.ErrStateNotExist {
@@ -3368,12 +3359,8 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 // If we didn't find one already on disk and the prefs already
 // have a legacy machine key, use that. Otherwise generate a
 // new one.
- if !legacyMachineKey.IsZero() {
- b.machinePrivKey = legacyMachineKey
- } else {
- b.logf("generating new machine key")
- b.machinePrivKey = key.NewMachine()
- }
+ b.logf("generating new machine key")
+ b.machinePrivKey = key.NewMachine()
 keyText, _ = b.machinePrivKey.MarshalText()
 if err := ipn.WriteState(b.store, ipn.MachineKeyStateKey, keyText); err != nil {
diff --git a/ipn/ipnlocal/state_test.go b/ipn/ipnlocal/state_test.go
index ef4b0ed62..1b3b43af6 100644
--- a/ipn/ipnlocal/state_test.go
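Review bot: In the `-3368,12` hunk of local.go the three context comment lines above the new `b.logf("generating new machine key")` still say "the prefs already have a legacy machine key, use that", a branch this commit deletes, so the comment now describes behaviour the code no longer has; it should become something like `// No machine key in the state store: generate a new one and persist it.`. With the fallback gone, an install whose machine key was only ever supplied through the legacy prefs field would presumably be given a new machine identity here, and the log line does not distinguish that case from a first run; if such installs can still exist, that is worth stating in the commit message or release notes. `initMachineKeyLocked` begins and ends outside the visible hunks.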
+++ b/ipn/ipnlocal/state_test.go
@@ -949,8 +949,6 @@ func TestEditPrefsHasNoKeys(t *testing.T) {
 Persist: &persist.Persist{
 PrivateNodeKey: key.NewNode(),
 OldPrivateNodeKey: key.NewNode(),
-
- LegacyFrontendPrivateMachineKey: key.NewMachine(),
 },
 }).View(), ipn.NetworkProfile{})
 if p := b.pm.CurrentPrefs().Persist(); !p.Valid() || p.PrivateNodeKey().IsZero() {
@@ -977,10 +975,6 @@ func TestEditPrefsHasNoKeys(t *testing.T) {
 t.Errorf("OldPrivateNodeKey = %v; want zero", p.Persist().OldPrivateNodeKey())
 }
- if !p.Persist().LegacyFrontendPrivateMachineKey().IsZero() {
- t.Errorf("LegacyFrontendPrivateMachineKey = %v; want zero", p.Persist().LegacyFrontendPrivateMachineKey())
- }
-
 if !p.Persist().NetworkLockKey().IsZero() {
 t.Errorf("NetworkLockKey= %v; want zero", p.Persist().NetworkLockKey())
 }
diff --git a/ipn/prefs_test.go b/ipn/prefs_test.go
index 31671c0f8..91b835e3e 100644
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -467,13 +467,6 @@ func TestPrefsPretty(t *testing.T) {
 "darwin",
 `Prefs{ra=false dns=false want=true tags=tag:foo,tag:bar url="http://localhost:1234" update=off Persist=nil}`,
 },
- {
- Prefs{
- Persist: &persist.Persist{},
- },
- "linux",
- `Prefs{ra=false dns=false want=false routes=[] nf=off update=off Persist{lm=, o=, n= u=""}}`,
- },
 {
 Prefs{
 Persist: &persist.Persist{
@@ -481,7 +474,7 @@ func TestPrefsPretty(t *testing.T) {
 },
 },
 "linux",
- `Prefs{ra=false dns=false want=false routes=[] nf=off update=off Persist{lm=, o=, n=[B1VKl] u=""}}`,
+ `Prefs{ra=false dns=false want=false routes=[] nf=off update=off Persist{o=, n=[B1VKl] u=""}}`,
 },
 {
 Prefs{
diff --git a/types/persist/persist.go b/types/persist/persist.go
index 8b555abd4..d888a6afb 100644
--- a/types/persist/persist.go
+++ b/types/persist/persist.go
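Review bot: The `-467,13` hunk of prefs_test.go deletes the zero-value `Persist: &persist.Persist{}` case instead of updating its expected string the way the `-481,7` hunk does for the `n=[B1VKl]` case. Unless an equivalent case remains outside the visible lines, pretty-printing an empty Persist is no longer covered; keeping the case with `Persist{o=, n= u=""}` in its expected string would preserve that coverage. `TestPrefsPretty` starts and ends outside these hunks.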
@@ -21,17 +21,6 @@ import (
 type Persist struct {
 _ structs.Incomparable
- // LegacyFrontendPrivateMachineKey is here temporarily
- // (starting 2020-09-28) during migration of Windows users'
- // machine keys from frontend storage to the backend. On the
- // first LocalBackend.Start call, the backend will initialize
- // the real (backend-owned) machine key from the frontend's
- // provided value (if non-zero), picking a new random one if
- // needed. This field should be considered read-only from GUI
- // frontends. The real value should not be written back in
- // this field, lest the frontend persist it to disk.
- LegacyFrontendPrivateMachineKey key.MachinePrivate `json:"PrivateMachineKey"`
-
 PrivateNodeKey key.NodePrivate
 OldPrivateNodeKey key.NodePrivate // needed to request key rotation
 UserProfile tailcfg.UserProfile
@@ -95,8 +84,7 @@ func (p *Persist) Equals(p2 *Persist) bool {
 return false
 }
- return p.LegacyFrontendPrivateMachineKey.Equal(p2.LegacyFrontendPrivateMachineKey) &&
- p.PrivateNodeKey.Equal(p2.PrivateNodeKey) &&
+ return p.PrivateNodeKey.Equal(p2.PrivateNodeKey) &&
 p.OldPrivateNodeKey.Equal(p2.OldPrivateNodeKey) &&
 p.UserProfile.Equal(&p2.UserProfile) &&
 p.NetworkLockKey.Equal(p2.NetworkLockKey) &&
@@ -106,18 +94,14 @@ func (p *Persist) Equals(p2 *Persist) bool {
 func (p *Persist) Pretty() string {
 var (
- mk key.MachinePublic
 ok, nk key.NodePublic
 )
- if !p.LegacyFrontendPrivateMachineKey.IsZero() {
- mk = p.LegacyFrontendPrivateMachineKey.Public()
- }
 if !p.OldPrivateNodeKey.IsZero() {
 ok = p.OldPrivateNodeKey.Public()
 }
 if !p.PrivateNodeKey.IsZero() {
 nk = p.PublicNodeKey()
 }
- return fmt.Sprintf("Persist{lm=%v, o=%v, n=%v u=%#v}",
- mk.ShortString(), ok.ShortString(), nk.ShortString(), p.UserProfile.LoginName)
+ return fmt.Sprintf("Persist{o=%v, n=%v u=%#v}",
+ ok.ShortString(), nk.ShortString(), p.UserProfile.LoginName)
 }
diff --git a/types/persist/persist_clone.go b/types/persist/persist_clone.go
index 95dd65ac1..680419ff2 100644
--- a/types/persist/persist_clone.go +++ b/types/persist/persist_clone.go @@ -25,12 +25,11 @@ func (src *Persist) Clone() *Persist { // A compilation failure here means this code must be regenerated, with the command at the top of this file. var _PersistCloneNeedsRegeneration = Persist(struct { - _ structs.Incomparable - LegacyFrontendPrivateMachineKey key.MachinePrivate - PrivateNodeKey key.NodePrivate - OldPrivateNodeKey key.NodePrivate - UserProfile tailcfg.UserProfile - NetworkLockKey key.NLPrivate - NodeID tailcfg.StableNodeID - DisallowedTKAStateIDs []string + _ structs.Incomparable + PrivateNodeKey key.NodePrivate + OldPrivateNodeKey key.NodePrivate + UserProfile tailcfg.UserProfile + NetworkLockKey key.NLPrivate + NodeID tailcfg.StableNodeID + DisallowedTKAStateIDs []string }{}) diff --git a/types/persist/persist_test.go b/types/persist/persist_test.go index 6b159573d..dbf2a6d8c 100644 --- a/types/persist/persist_test.go +++ b/types/persist/persist_test.go @@ -21,13 +21,12 @@ func fieldsOf(t reflect.Type) (fields []string) { } func TestPersistEqual(t *testing.T) { - persistHandles := []string{"LegacyFrontendPrivateMachineKey", "PrivateNodeKey", "OldPrivateNodeKey", "UserProfile", "NetworkLockKey", "NodeID", "DisallowedTKAStateIDs"} + persistHandles := []string{"PrivateNodeKey", "OldPrivateNodeKey", "UserProfile", "NetworkLockKey", "NodeID", "DisallowedTKAStateIDs"} if have := fieldsOf(reflect.TypeFor[Persist]()); !reflect.DeepEqual(have, persistHandles) { t.Errorf("Persist.Equal check might be out of sync\nfields: %q\nhandled: %q\n", have, persistHandles) } - m1 := key.NewMachine() k1 := key.NewNode() nl1 := key.NewNLPrivate() tests := []struct { 
@@ -39,17 +38,6 @@ func TestPersistEqual(t *testing.T) { {&Persist{}, nil, false}, {&Persist{}, &Persist{}, true}, - { - &Persist{LegacyFrontendPrivateMachineKey: m1}, - &Persist{LegacyFrontendPrivateMachineKey: key.NewMachine()}, - false, - }, - { - &Persist{LegacyFrontendPrivateMachineKey: m1}, - &Persist{LegacyFrontendPrivateMachineKey: m1}, - true, - }, - { &Persist{PrivateNodeKey: k1}, &Persist{PrivateNodeKey: key.NewNode()}, diff --git a/types/persist/persist_view.go b/types/persist/persist_view.go index ce600be3e..55eb40c51 100644 --- a/types/persist/persist_view.go +++ b/types/persist/persist_view.go @@ -62,9 +62,6 @@ func (v *PersistView) UnmarshalJSON(b []byte) error { return nil } -func (v PersistView) LegacyFrontendPrivateMachineKey() key.MachinePrivate { - return v.ж.LegacyFrontendPrivateMachineKey -} func (v PersistView) PrivateNodeKey() key.NodePrivate { return v.ж.PrivateNodeKey } func (v PersistView) OldPrivateNodeKey() key.NodePrivate { return v.ж.OldPrivateNodeKey } func (v PersistView) UserProfile() tailcfg.UserProfile { return v.ж.UserProfile } @@ -76,12 +73,11 @@ func (v PersistView) DisallowedTKAStateIDs() views.Slice[string] { // A compilation failure here means this code must be regenerated, with the command at the top of this file. var _PersistViewNeedsRegeneration = Persist(struct { - _ structs.Incomparable - LegacyFrontendPrivateMachineKey key.MachinePrivate - PrivateNodeKey key.NodePrivate - OldPrivateNodeKey key.NodePrivate - UserProfile tailcfg.UserProfile - NetworkLockKey key.NLPrivate - NodeID tailcfg.StableNodeID - DisallowedTKAStateIDs []string + _ structs.Incomparable + PrivateNodeKey key.NodePrivate + OldPrivateNodeKey key.NodePrivate + UserProfile tailcfg.UserProfile + NetworkLockKey key.NLPrivate + NodeID tailcfg.StableNodeID + DisallowedTKAStateIDs []string }{})