AN ADMIN GUIDE TO MANAGE
WINDOWS DEVICES VIA GOOGLE

  • Google recently launched an option for G Suite (and Cloud Identity) customers to manage Windows 10 devices right from Google Admin Console.

  • I invested some time in learning how it works, so I can help the community manage Windows devices via G Suite and get more out of their investment in Google.

  • Let me share everything I learned; hopefully it will help you seamlessly manage your Windows 10 devices as a G Suite or Cloud Identity administrator.

Table of Contents

1. An Overview: An overview of managing Windows devices via G Suite

2. How does it work?: How are Windows devices managed via G Suite?

3. System Requirements: Prerequisites for managing Windows devices via G Suite

4. Detailed Configuration: Instructions to manage Windows via Google

5. Troubleshooting & FAQs: FAQs about managing Windows devices via Google

Chapter # 1

G Suite Windows Management Overview


I certainly agree that each prominent operating system in the market today (e.g. Windows, Mac, ChromeOS, or Linux) can get the job done, and it is essentially a matter of personal preference based on what works best for you.

I switched from Windows to Mac back in 2013 and never looked back; however, some of my friends and colleagues love the Windows operating system and I respect their choice.

Instead of imposing, smart organizations prefer to provide their users with a choice and let them decide what makes them more productive. This might be the reason vendors like Google and Microsoft are also investing in interoperability alongside building their own ecosystems.

As an example, Microsoft allows organizations to manage their Android devices via Intune, and Google also provides an option to manage devices from other vendors.

Microsoft of course provides a way to manage Windows devices, but wouldn't it be better if Google provided that option to G Suite customers and let you get more out of your investment in Google (especially if you either do not use Active Directory or have plans to replace it with Google Directory)?

Drum roll... it is time for some good news :)

Google indeed recently launched an option that lets G Suite customers like you manage Windows 10 devices right from the G Suite or Google Cloud Identity Admin Console.

This new Windows device management functionality works seamlessly with your Active Directory too, and if you are fortunate enough to have gotten rid of Active Directory, even better: you can still manage your Windows devices from the Google Admin console.

In this blog post, we will cover things in great detail, and hopefully it will help you understand how Windows device management via Google works and how you can set it up in your environment.

Let us first start by understanding what exactly I mean when I say "Manage Windows devices via G Suite".

Well, essentially three things:

1. Authenticate to Windows via G Suite: It offers an authentication method where your users can log in to Windows 10 devices with their G Suite or Google Cloud Identity credentials.

2. Windows device inventory: It offers an easy-to-manage inventory where all your connected Windows devices can be seen in your G Suite Admin console, along with metadata like last sync time and OS version, and an option to block, delete or wipe these devices.

3. Windows device management: It lets you manage Windows settings on enrolled devices; you may think of it as pushing your GPO policies right from your G Suite or Google Cloud Identity Admin console (e.g. enable camera, disable USB, etc.).

Manage Windows 10 devices via Google – Terminology:

Google calls this "Enhanced Desktop Security for Windows", which has two modules:

  • Google Credential Provider for Windows (GCPW): An installable utility that you install on users' Windows devices (either manually or via app distribution) to let them sign in to Windows with their Google account. It is available to all G Suite and Cloud Identity plans.

  • Windows Device Management: Allows pushing policies to Windows 10 devices (e.g. manage Windows updates, enable camera, disable USB, etc.). It is only available in selected G Suite and Google Cloud Identity plans (more details are provided in the system requirements section).

Benefits of managing your Windows devices via G Suite or Google Cloud Identity:

Security: You can push security policies (e.g. disable camera, USB, etc.) and have the option to sign users out or wipe data from their Windows devices.

As your users will log in to Windows 10 devices with their Google credentials, you can also enforce multi-factor authentication (MFA) for secure login.

Rich user experience: Once your users sign in to Windows devices with their Google credentials, a session is established that lets them log in to any G Suite application (e.g. Gmail, Drive) or assigned SAML application (e.g. Salesforce) without entering credentials again.

Your users will not need to remember different sets of credentials (e.g. for Windows, for G Suite, for third-party applications): they log in to Windows via G Suite or Google Cloud Identity once, then log in to any assigned application via single sign-on (SSO).

Updates management: You can control how and when your users get Windows security updates.

Increased ROI: As long as you have a supported G Suite or Google Cloud Identity subscription, you do not need any additional license specifically for managing your Windows devices via Google.

Now, with this context, let us understand how G Suite provides your Windows users with a rich login experience and lets you seamlessly manage their Windows devices.

Chapter # 2

How does Windows Management work?

Windows Authentication & Management via G Suite

I have put some flowcharts below which should help you understand it better, but here is the summarized version of how managing Windows devices via Google works.

Google offers a utility called Google Credential Provider for Windows (GCPW) which you install on your users' Windows devices either manually or via your preferred application distribution tool (a PowerShell script is included later in this post).

This utility (along with a few registry changes) does a few things:

  • At the time of GCPW installation on Windows devices, you tell Google to either associate the Google account with an existing Windows profile (e.g. a local or AD profile) or create a new Windows profile.

  • After GCPW installation, users sign in with their G Suite account password; GCPW then either creates and logs in to a new Windows profile or logs in to an existing one, based on your configuration.

  • An internet connection is required for the first login via Google to sync the Google password to Windows (and to push custom settings if you have them in place), but subsequent logins work even without internet access (unless the Google session expired or the password was changed), because the Windows password is now essentially the same as the G Suite password.

Password Synchronization:

This also requires us to keep our G Suite and Windows passwords in sync. There are a couple of options available to keep these passwords in sync; let us explore them:

  • If your Windows user changes his/her G Suite password, then this new password is synchronized with Windows at the next login via G Suite (however, the user must be connected to the internet for this).

    If the user logs in in offline mode after changing his/her G Suite password, then the old password must be entered to log in to Windows, because GCPW did not get a chance to push the updated password (due to being offline).

  • If your user changes the password on Windows for a Windows local profile, then GCPW detects this and pushes the changed password securely to G Suite.

  • However, if your user has an Active Directory managed Windows profile and changes the password, then the user would need to change the G Suite password manually (make it the same as Windows), or:

    You may consider utilizing the G Suite Password Sync (GSPS) utility offered by Google, which detects AD password changes and automatically pushes them to G Suite (via the Directory API) to keep them in sync.

Note: Your G Suite or Cloud Identity password policy should be the same as (or stronger than) your Active Directory or Windows password requirements.

Windows User Login Experience

Login to Windows via G Suite - User Experience

Before we start the setup required to let your users log in to their Windows devices via G Suite, let us explore the user experience:

  • Non-domain-joined machines: Users would either click on their existing Windows tile, or "Add Work Account".

  • Domain-joined machines: Users would either click on their existing Windows tile or "Other Accounts" on their Windows devices.

  • The above is configurable, as we will see later in the post, based on whether you want Google to create a new Windows profile or associate the account with a local or AD profile.

  • Your users would then be shown an option to sign in via Google, where they enter their email, password (and second authentication factor if you have enforced it).

  • Based on your (configurable) profile strategy, Google Credential Provider for Windows (GCPW) either creates a new Windows profile or associates the account with an existing local or AD Windows profile.

    Note: After successful authentication, GCPW looks up a custom attribute and its value (e.g. SamAccountName for AD, and un:Windows username for a local Windows profile) in the G Suite directory. If found, it checks whether a Windows profile exists for this user and associates the G Suite account with that profile; otherwise it creates a new Windows profile for the G Suite user.

  • Once the user logs in to Windows (either a new or an existing profile), the device is enrolled in GCPW, and you should be able to see it (along with metadata) under device inventory in the G Suite Admin console.

  • If you have a supported G Suite or Google Cloud Identity subscription and you have not disabled auto enrollment via registry changes (covered later in this post), then these devices are automatically enrolled in Enhanced Desktop Security, so you can push policies to them.

Login to Windows via G Suite - Behind the scenes

Windows User Login Experience - G Suite

Chapter # 3

Windows Devices Management Prerequisites

System Requirements for managing Windows 10 devices via G Suite (or Google Cloud Identity)

1. Supported G Suite or Google Cloud Identity Subscription
GCPW (which includes login via Google, SSO to Google and SAML apps, and Windows device inventory) is available to all G Suite and Cloud Identity subscriptions; however, Windows management (e.g. pushing custom settings/policies) is included only in specific plans. The following table summarizes it.

Plan                            GCPW        Windows Management
G Suite Basic                   Available   Not Available
G Suite Business                Available   Not Available
G Suite Enterprise              Available   Available
Google Cloud Identity Free      Available   Not Available
Google Cloud Identity Premium   Available   Available
G Suite Essentials              Available   Not Available
G Suite Enterprise Essentials   Available   Available
G Suite Education               Available   Not Available
G Suite Education Enterprise    Available   Available

Note: For Windows management (e.g. pushing policies to user devices), each user must have a supported G Suite or Google Cloud Identity license.

2. Supported Windows 10 Version
You need version 1803 or newer of Windows 10 Pro, Pro for Workstations, Enterprise, or Education.

3. Supported Google Chrome (for GCPW)
You need Chrome Browser 81 or later.

4. Local Administration Rights & enough storage
Local system admin rights are required to install Google Credential Provider for Windows (GCPW) if you are doing a manual install on user devices (you can also deploy the installer via your app distribution tool).

Google also recommends 100 MB of available disk space for Google Chrome and 3 MB for GCPW.
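The requirements above are easy to check before rolling GCPW out to a machine. The following PowerShell function is an added example, not from the original post or from Google: it checks the Windows 10 build and edition, the installed Chrome version, free space on the system drive and whether the session is elevated, using the thresholds from this section (build 17134 is Windows 10 1803; 100 MB + 3 MB of disk). The Chrome install paths and the EditionID-to-edition mapping are assumptions about typical installs.

```powershell
<# Added example, not from the original post or from Google: a preflight check for
   the GCPW system requirements listed above. Thresholds come from the requirements
   section (Windows 10 1803 = build 17134, Chrome 81, 100 MB + 3 MB free disk,
   local admin rights). The Chrome install paths and the EditionID-to-edition
   mapping are assumptions about typical installs. #>

function Test-GcpwPrerequisites {
    [CmdletBinding()]
    param(
        [int]$MinBuild = 17134,        # Windows 10 version 1803
        [int]$MinChromeMajor = 81,     # Chrome 81 or later
        [long]$MinFreeBytes = 103MB    # 100 MB for Chrome + 3 MB for GCPW
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Windows 10 build and edition. Only Pro, Pro for Workstations, Enterprise
    #    and Education are listed as supported; Home ("Core") is not.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    if ($build -lt $MinBuild) {
        $findings.Add("Windows build $build is older than $MinBuild (Windows 10 1803).")
    }
    $editionId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    # Assumed EditionID values for the supported editions.
    $supported = @('Professional', 'ProfessionalWorkstation', 'Enterprise', 'Education')
    if ($supported -notcontains $editionId) {
        $findings.Add("Edition '$editionId' is not in the supported list ($($supported -join ', ')).")
    }

    # 2. Chrome version, read from the binary's file metadata (paths are assumptions).
    $chromeExe = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                   "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe") |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    $chromeVersion = $null
    if ($chromeExe) {
        $chromeVersion = [version](Get-Item $chromeExe).VersionInfo.ProductVersion
        if ($chromeVersion.Major -lt $MinChromeMajor) {
            $findings.Add("Chrome $chromeVersion is older than $MinChromeMajor.")
        }
    } else {
        $findings.Add('Google Chrome was not found in the expected install locations.')
    }

    # 3. Free space on the system drive.
    $free = (Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free
    if ($free -lt $MinFreeBytes) {
        $findings.Add("Only $([math]::Round($free / 1MB)) MB free on $env:SystemDrive; need $($MinFreeBytes / 1MB) MB.")
    }

    # 4. Elevated local admin token (needed for a manual MSI install and HKLM writes).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings.Add('Current session is not running as a local administrator.')
    }

    [pscustomobject]@{
        Ready         = ($findings.Count -eq 0)
        WindowsBuild  = $build
        EditionID     = $editionId
        ChromeVersion = $chromeVersion
        FreeMB        = [math]::Round($free / 1MB)
        Findings      = $findings.ToArray()
    }
}

# Usage: print the summary and return exit code 1 if anything blocks the GCPW install.
$result = Test-GcpwPrerequisites
$result | Format-List
if (-not $result.Ready) { exit 1 }
```

Running it unelevated is itself reported as a finding, which is the first thing that stops a manual install; when you push the installer through an app distribution tool that runs as SYSTEM, that check passes and the remaining ones tell you whether the device is eligible.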

Here is the reference PowerShell script provided by Google, which downloads GCPW and configures the required registry value to restrict sign-in to Windows devices to the provided domains only. Simply hover on the script and it gives you an option to copy it.

<# This script downloads Google Credential Provider for Windows from
https://tools.google.com/dlpage/gcpw/, then installs and configures it.
Windows administrator access is required to use the script. #>

<# Set the following key to the domains you want to allow users to sign in from.

For example:
$domainsAllowedToLogin = "acme1.com,acme2.com"
#>

$domainsAllowedToLogin = ""

Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName PresentationFramework

<# Check if one or more domains are set #>
if ($domainsAllowedToLogin.Equals('')) {
    $msgResult = [System.Windows.MessageBox]::Show('The list of domains cannot be empty! Please edit this script.', 'GCPW', 'OK', 'Error')
    exit 5
}

function Is-Admin() {
    $admin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 'S-1-5-32-544')
    return $admin
}

<# Check if the current user is an admin and exit if they aren't. #>
if (-not (Is-Admin)) {
    $result = [System.Windows.MessageBox]::Show('Please run as administrator!', 'GCPW', 'OK', 'Error')
    exit 5
}

<# Choose the GCPW file to download. 32-bit and 64-bit versions have different names #>
$gcpwFileName = 'gcpwstandaloneenterprise.msi'
if ([Environment]::Is64BitOperatingSystem) {
    $gcpwFileName = 'gcpwstandaloneenterprise64.msi'
}

<# Download the GCPW installer. #>
$gcpwUrlPrefix = 'https://dl.google.com/credentialprovider/'
$gcpwUri = $gcpwUrlPrefix + $gcpwFileName
Write-Host 'Downloading GCPW from' $gcpwUri
Invoke-WebRequest -Uri $gcpwUri -OutFile $gcpwFileName

<# Run the GCPW installer and wait for the installation to finish #>
$arguments = "/i `"$gcpwFileName`""
$installProcess = (Start-Process msiexec.exe -ArgumentList $arguments -PassThru -Wait)

<# Check if installation was successful #>
if ($installProcess.ExitCode -ne 0) {
    $result = [System.Windows.MessageBox]::Show('Installation failed!', 'GCPW', 'OK', 'Error')
    exit $installProcess.ExitCode
}
else {
    $result = [System.Windows.MessageBox]::Show('Installation completed successfully!', 'GCPW', 'OK', 'Info')
}

<# Set the required registry key with the allowed domains #>
$registryPath = 'HKEY_LOCAL_MACHINE\Software\Google\GCPW'
$name = 'domains_allowed_to_login'
[microsoft.win32.registry]::SetValue($registryPath, $name, $domainsAllowedToLogin)

$domains = Get-ItemPropertyValue HKLM:\Software\Google\GCPW -Name $name

if ($domains -eq $domainsAllowedToLogin) {
    $msgResult = [System.Windows.MessageBox]::Show('Configuration completed successfully!', 'GCPW', 'OK', 'Info')
}
else {
    $msgResult = [System.Windows.MessageBox]::Show('Could not write to registry. Configuration was not completed.', 'GCPW', 'OK', 'Error')
}

Chapter # 4

Windows Management via G Suite Setup

Manage Windows devices via G Suite (Admin Workflow)

Manage Windows Devices via G Suite - Admin Workflow
Step 1

Enable Device Management

Let us first enable device management in the G Suite Admin console so our users' devices can be enrolled at first login and our policies can be pushed.

See Instructions

Enable Enhanced Desktop Security & apply policies

Let us start with enabling enhanced desktop security and applying a few policies to our Windows devices.

Note: If you do not meet the requirements for "Enhanced Desktop Security" as mentioned above, or if you only want to set up Google Credential Provider for Windows (authentication) so your users can log in via G Suite, then you can skip this step and go to Step 2 of the setup.

In my case, I use G Suite Enterprise, and prefer to automatically enroll my Windows devices in Enhanced Desktop Security and also apply a few policies on my users' first Windows login via G Suite.

So, I will log in to the G Suite Admin console and go to Devices as shown below.

21. go to devices in g suite admin console

If you have a supported G Suite or Google Cloud Identity subscription, you will see "Windows Settings" under the Settings section, as shown in the screenshot below. Click on "Windows Settings" in this section.

36. Go to windows settings in G Suite

Here you can enable "Enhanced Desktop Security" (device management) on either the root organization (which means all users) or selected child organizational units (which means it applies only to the users who belong to those child org units).

Click on Save changes.

37. Enable Enhanced Desktop Security
Step 2

Push Custom Settings

If you have a supported G Suite plan, you can also push custom settings either now or later. I will push a couple of custom settings now for the demonstration.

See Instructions

Apply custom settings for Windows 10 devices

This is only available in Enhanced Desktop Security; you may refer to the system requirements above to see which G Suite and Cloud Identity plans offer it.

As per Microsoft "Windows 10 custom profiles use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings to configure different features. These settings are typically used by mobile device manufacturers to control features on the device".

Google gives you the option to apply custom settings to your Windows 10 devices via OMA-URI: essentially, you put in the URI for a specific policy (e.g. Allow Camera) and then enter its value (e.g. 0 to disable the camera, 1 to enable it).

Let us create a simple policy that restricts our Windows users from using the camera on the device.

In your G Suite or Google Cloud Identity Admin console, go to Devices, click on Windows settings (as shown in the screenshot above) and then click on Custom settings.

You will see your existing custom policies here. I do not have one yet, so I'll click on "Add a custom setting" to create one.

25. add a custom windows device policy setting

Though you can find a list of OMA-URIs on Microsoft's site, Google also lets you search for them easily while creating a setting in the G Suite Admin console.

I will search for "Camera" to see the associated custom policy options, and then select the one that allows or blocks camera usage (as shown in the screenshot below).

26. search for the policy setting in g suite admin console

Your OMA-URI based custom setting policy should look like this; once configured, click on Next.

27. confirm your OMA -URI and click on next

Here you have the flexibility to define the scope for this custom policy: you can either apply it to all users by selecting your root organizational unit, or go granular by selecting child organizational units so it only applies to users who belong to those child org units.

Now, ideally, when my Windows user logs in via G Suite credentials, the camera will not be available, and the user will not be able to enable it.

29 define windows policy scope in G Suite

Additional Steps - Depending on your profile strategy.

I want Google to create a new Windows profile when my users log in to Windows via their G Suite or Google Cloud Identity credentials; however, if you want, you can instead associate their existing local or Active Directory Windows profile with the Google account.

You should follow either of the following procedures only if you want to associate users' Google accounts with a local or AD Windows profile; otherwise skip them.

In this post, I will configure Google to create a new Windows profile with my users' Google credentials. However, if you would rather associate your users' Google profile with an existing Windows Active Directory profile, then you should perform this additional setup.

1. Login to your Google Admin console –> go to Users –> click on Manage Custom Attributes 

2. Click on Manage custom attributes in g suite admin console

2. Create a custom attribute which will be looked up by GCPW for associating Google account with existing Windows AD profile.
(i) Category name should be “Enhanced desktop security“.
(ii) Custom field name should exactly be “AD accounts“.
(iii) Info type should be “Text“.
(iv) Visibility should be “Visible to User and Admin“.
(v) No. of values should be “Multi-value“.
(vi) Save changes

40. create new custom attribute for Active directory accounts

3. Populate the newly created custom attribute with the AD user sAMAccountName in format: domain\username.

For e.g my AD domain name is ad.goldyarora.com and my sAMAccountName is admin, so I would enter ad.goldyarora.com\admin as shown in the screenshot below.

41. Populate custom attribute with AD user value

In this post, I will configure Google to create a new Windows profile with my users' Google credentials. However, if you would rather associate your users' Google profile with an existing Windows local profile, then you should perform this additional setup.

1. Login to your Google Admin console –> go to Users –> click on Manage Custom Attributes 

2. Click on Manage custom attributes in g suite admin console

2. Create a custom attribute which will be looked up by GCPW for associating Google account with existing Windows local profile.
(i) Category name should be “Enhanced desktop security“.
(ii) Custom field name should exactly be “Local Windows accounts“.
(iii) Info type should be “Text“.
(iv) Visibility should be “Visible to User and Admin“.
(v) No. of values should be “Multi-value“.
(vi) Save changes

42. Create new custom attribute for local Windows profile

3. Populate this newly created custom attribute with the local Windows user's user name in the format un:username.

For example, my local Windows profile name is admin, so I would enter un:admin as shown in the screenshot below.

43. Populate custom attribute with Windows user profile value

3.1 If you want to restrict this user to one specific device, then you should also write the device serial number along with the user name, separated by a comma (e.g. un:admin, sn:123456) as shown in the screenshot below.

44. Populate new custom attribute with Windows user profile values

Step 3

Download & Install GCPW

We now need to download and install Google Credential Provider for Windows (GCPW). Please ensure you have system requirements in place as mentioned in above section.

See Instructions

Google Credential Provider for Windows Installation

You can either search Google for “Google Credential Provider for Windows” or click on this link https://tools.google.com/dlpage/gcpw

Download the version compatible with your system, and then run it with the local admin rights.

4. Download Google Credentials Provider for Windows

Allow the system to run the installation as shown in the screenshot below.

5. Install GCPW for Windows Management

GCPW installation should start now and may take just a minute to finish.

6. GCPW Installation would begin

Once the installation is finished, you should:
(1) Go to the path shown in the screenshot below.
(2) Ensure that it has created 3 files as shown below.

7. GCPW should install 3 files
Step 4

Make Registry Changes

GCPW includes some required and optional registry settings; let us understand and configure them in this section.

See Instructions

Available Registry Settings

Domains Allowed to Login

Description: This setting restricts login to Windows devices to users whose email belongs to one of these domains.

Any user whose email does not belong to these domains will get an error when logging in to Windows via G Suite.

By default, no domains are allowed to sign in with GCPW.

Setting Type: Required

Configuration Instructions

  1. In the Windows search box, enter regedit.
  2. In Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Google
  3. Right-click the GCPW folder and click New, then String Value.
  4. For the name, enter domains_allowed_to_login
  5. Double-click the name and, in the Value data box, enter a comma-separated list of allowed domain names. For example: id.goldyarora.com, goldyarora.com.
  6. Click OK.

If required, please look at the screenshot-based instructions later in this post where I perform this registry change.

 

Disable Device Enrollment

By default, device enrollment is enabled; however, if you want to use GCPW for authentication only, you may disable device enrollment either here or in the G Suite Admin console.

Setting Type: Optional

Configuration Instructions

  1. In Registry Editor, right-click the GCPW folder and click New, then DWORD.
  2. For the name, enter enable_dm_enrollment
  3. Double-click the name and, in the Value data box, enter 0. If you ever want to reset the key to allow automatic enrollment, change the value to 1.
  4. Click OK.

 

Session Validity

Requires users to sign in to G Suite online after their Windows device has been offline for a set time.

Default behavior: No value; online sign-in is not enforced.

Setting Type: Optional

Configuration Instructions

  1. In Registry Editor, right-click the GCPW folder and click New, then DWORD.
  2. For the name, enter validity_period_days.
  3. Double-click the name and, in the Value data box, enter the number of days between online GCPW sign-ins.

    (e.g. if you enter 7, the user needs to sign in online after their device has been offline for 7 days; if you enter 0, the user needs to sign in online immediately after the device is disconnected from the internet).

  4. Click OK.


Enable Multiple User Login

This setting lets you define whether multiple users can log in to a given Windows device.

Default behavior: Multiple users are allowed to sign in to a Windows device via their G Suite accounts.

Setting Type: Optional

Configuration Instructions

  1. In Registry Editor, right-click the GCPW folder and click New, then DWORD.
  2. For the name, enter enable_multi_user_login.
  3. Double-click the name and, in the Value data box, enter 0. If you ever want to reset the key to allow multiple accounts on the device again, change the value to 1.
  4. Click OK.

 

Windows Profile Association

This setting lets you define whether you want Google to create a new Windows profile (default) or instead associate a local or AD Windows profile with the Google account.

Default behavior: Google does not associate an existing Windows profile, and lets users click on "Add Work Account" to create a new Windows profile via G Suite.

Setting Type: Optional

Configuration Instructions

  1. In Registry Editor, right-click the GCPW folder and click New, then Key.
  2. Name the key Users.
  3. Right-click the Users folder and click New, then Key.
  4. Name the key the user's Windows account SID (security identifier).
  5. Right-click the SID folder and click New, then String Value.
  6. For the name, enter email.
  7. Double-click the name and, in the Value data box, enter the work account you want to associate with the user's local Windows account. Use the user's full email address, such as user@id.goldyarora.com.
  8. Click OK.

Make Registry Changes

Though you may configure the optional registry settings as well if required, I will configure only the required one for this demonstration.

Go to your Windows search and type regedit as shown below.

8. Go to regedit to make registry changes

1. Go to HKEY_LOCAL_MACHINE.
2. Go to GCPW.
3. Right-click and click on New.
4. Click on "String Value" and name it domains_allowed_to_login.

9. Make registry changes

Now, right-click on domains_allowed_to_login and enter the comma-separated G Suite or Google Cloud Identity domain names that you want to allow to log in to this Windows device.

I want my users to log in from any of my three G Suite domains, so I have entered them separated by commas; however, if you have only one domain, simply enter it here.

10. Add allowed domains to login to G Suite

Your completed domains_allowed_to_login entry should look like the screenshot below.

11. Domain list added

Additional Steps - Depending on your profile strategy.

If you decided to associate your existing Windows local or Active Directory profile with the Google account instead, then you need to make an additional registry setting, which lets GCPW look for the custom attribute that you created in the Google directory.

You should follow the following steps only if you want to associate users' Google accounts with a local or AD Windows profile.

If you want to associate users' existing Windows profile with their G Suite or Google Cloud Identity account, then create the registry key as follows:

Before we create the registry key, we need the user's security identifier (SID). You can use the following commands in CMD on the respective device to find the user's SID.

Commands:
If you don't know the user name: wmic useraccount get name,sid
If you know the user name: wmic useraccount where name="Your User Name" get sid

47. Get SID from Windows via cmd

Go to registry settings (regedit) –> HKEY_LOCAL_MACHINE –> Software –> right click on GCPW and create a new Key called “Users” 

45. Add new key in GCPW

Now, right click on the newly created Users folder to create a new key with the SID you got above.

46. Add new key under Users in GCPW

You should now right click on the SID folder, and create a new String Value called “email” as shown in the screenshot below.

48. Add a new string value to SID

You should now right click to modify the email value. 

49. Modify the string

Enter your G Suite or Google Cloud Identity user’s full email address here as shown below.

50. add value to email string

Your entry would look like the screenshot below.

51. Your string should look like this
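The regedit steps above (the required domain list, the optional DWORD settings, and the Users\<SID>\email association) are the same handful of registry writes, and scripting them makes the configuration repeatable and lets you verify what was actually written. The following script is an added example, not from the original post or from Google: it uses the key path and value names given above, reads each value back the way Google's installer script does, looks up the SID in .NET instead of wmic, and also builds the un:<user>, sn:<serial> value described in the custom attribute section. The Get-UserSid and Get-GcpwLocalAccountAttribute helpers are this example's own; the domains, user name and email are the post's sample values and must be replaced with yours.

```powershell
<# Added example, not from the original post or from Google: applies the GCPW
   registry settings described above with PowerShell instead of regedit and reads
   each value back, so a silent failure (e.g. not elevated) is caught. The key
   path and value names are the ones given in the post; the domains, user name
   and email below are the post's sample values and must be replaced with yours.
   Get-UserSid and Get-GcpwLocalAccountAttribute are helpers of this example.
   Run in an elevated PowerShell session. #>

$GcpwKey = 'HKLM:\SOFTWARE\Google\GCPW'

function Set-GcpwSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('String', 'DWord')][string]$Type = 'DWord'
    )
    if (-not (Test-Path $GcpwKey)) { New-Item -Path $GcpwKey -Force | Out-Null }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $GcpwKey -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    # Read back and compare, like the verification step in Google's script above.
    $actual = Get-ItemPropertyValue -Path $GcpwKey -Name $Name
    if ("$actual" -ne "$Value") {
        throw "Verification failed for '$Name': wrote '$Value', read back '$actual'."
    }
    "$Name = $actual"
}

function Get-UserSid {
    # Same information as 'wmic useraccount where name="..." get sid', via .NET.
    param([Parameter(Mandatory)][string]$AccountName)   # 'admin' or 'DOMAIN\user'
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-GcpwProfileAssociation {
    # Creates Users\<SID>\email under the GCPW key ("Windows Profile Association" above).
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$Email
    )
    $sid = Get-UserSid -AccountName $AccountName
    $usersKey = Join-Path $GcpwKey 'Users'
    if (-not (Test-Path $usersKey)) { New-Item -Path $usersKey | Out-Null }
    $sidKey = Join-Path $usersKey $sid
    if (-not (Test-Path $sidKey)) { New-Item -Path $sidKey | Out-Null }
    New-ItemProperty -Path $sidKey -Name 'email' -Value $Email -PropertyType String -Force | Out-Null
    [pscustomobject]@{
        Account = $AccountName
        Sid     = $sid
        Email   = Get-ItemPropertyValue -Path $sidKey -Name 'email'
    }
}

function Get-GcpwLocalAccountAttribute {
    # Builds the value for the "Local Windows accounts" custom attribute (step 3 / 3.1
    # of the profile strategy section): "un:<user>" or "un:<user>, sn:<device serial>".
    param([Parameter(Mandatory)][string]$LocalUserName, [switch]$RestrictToThisDevice)
    $value = "un:$LocalUserName"
    if ($RestrictToThisDevice) {
        $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
        $value += ", sn:$serial"
    }
    $value
}

# Required: without this value nobody can sign in through GCPW (sample domains from the post).
Set-GcpwSetting -Name 'domains_allowed_to_login' -Value 'id.goldyarora.com,goldyarora.com' -Type String

# Optional settings, values as documented above. Remove the lines you do not need.
Set-GcpwSetting -Name 'enable_dm_enrollment' -Value 1      # 0 = authentication only, no policies pushed
Set-GcpwSetting -Name 'validity_period_days' -Value 7      # require an online sign-in after 7 offline days
Set-GcpwSetting -Name 'enable_multi_user_login' -Value 0   # 0 = one Google account per device

# Only when associating an existing local or AD profile with a Google account:
# Set-GcpwProfileAssociation -AccountName 'admin' -Email 'user@id.goldyarora.com'
# Get-GcpwLocalAccountAttribute -LocalUserName 'admin' -RestrictToThisDevice
```

The read-back in Set-GcpwSetting is the part worth keeping even if you trim the rest: an unelevated session, or a value written under the wrong hive, fails loudly here instead of surfacing later as users who cannot sign in or devices that never enroll.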

Step 5

Configuration Testing

As we are now done with our setup, let us go ahead and perform testing to ensure everything works as we expected.

See Instructions

Now sign out from your Windows device, and let’s start testing login to it via any of the G Suite domains we allowed above.

12. Sign out from Windows local profile

You will notice a new "Add Work Account" option with the Google logo, as shown in the screenshot below. Click on it.

Note: If your admin has set things up to associate your existing Windows profile with your Google account, then you can instead click on your existing Windows profile to log in via Google.

13. Click on Add work account profile

After you click on Add Work Account, you will see a Google screen asking you to sign in with your work account, as shown below. Click on the arrow to start the login via Google process.

14. click on sign with your work account arrow

Enter your G Suite or Google Cloud Identity email address.

15. enter your G Suite full email address

Enter your G Suite or Google Cloud Identity account’s password.

16. Enter your G Suite password

As this is our first login, Google informs us that our G Suite admin can monitor and manage this device. Click on "I agree" to continue with the process.

17. Agree to Google's terms and conditions

Your new Windows profile is now getting ready; it may take a few minutes.

Note: If you associated your existing local or AD Windows profile with G Suite, then a new profile is not created, and you are instead logged straight in to your Windows profile.

18. your windows profile is getting ready

Your new Windows profile has been created via G Suite, and is now ready for you.

19. your new windows profile via G Suite is ready to use

However, you will notice that the user can neither use the camera nor change its setting, due to the custom setting we pushed earlier.

33. windows camera is blocked

Sign in to G Suite & assigned SAML Applications

When you log in to Windows with your G Suite or Google Cloud Identity credentials, a session is established that lets you sign in to your assigned G Suite and SAML applications.

When you launch Google Chrome after logging in to Windows via G Suite, you will be asked to link your profile and data to your G Suite organization.

30. link google chrome data with g suite org

Now you can go to any G Suite application URL (e.g. drive.google.com or mail.google.com), or to your G Suite dashboard at gsuite.google.com/dashboard, where you will see all the applications assigned to you.

Click on any of these applications to log in without entering your credentials again.

31. go to g suite dashboard

You should be logged into the application via an active session as shown in the screenshot below.

32. logged in to google drive without password

Device Enrollment Reporting

When your users sign in to Windows via G Suite, their devices are enrolled in Google Credential Provider for Windows (GCPW), and also in Enhanced Desktop Security if you have automatic enrollment enabled along with a supported G Suite or Cloud Identity subscription.

To view the device inventory, go to your G Suite admin console (admin.google.com) and click on Devices.

21. go to devices in g suite admin console

Now click on Endpoints as shown in the screenshot below.

38. Click on Endpoints in G Suite Admin Console

Here you can either search for the Windows device by user name or other properties, or add a filter to view devices based on your criteria (e.g OS matches Windows AND status = Pending Approval).

39. You can search and filter windows devices in G Suite

Here you should be able to perform a few operations, including:

  • Search and filter your devices based on criteria (e.g. OS, user, last sync, serial number).
  • Look at device information such as user email, last sync, and OS version.
  • Sign out the user, wipe the device (factory reset), unenroll it, and delete it.

22. Your windows device now appears in admin console

Chapter # 5 – Windows Management via G Suite 

Troubleshooting & FAQs

FAQ

Most frequent questions and answers about managing Windows devices via Google

20. No other domains can login in

This error indicates that you are trying to sign in with an email domain that is not included in the Domains Allowed to Login registry setting.

Solution : Either try an email address on an allowed domain, or add the required domain to the registry key as shown above in the change registry settings section.

This error indicates that the admin has not yet configured the Domains Allowed to Login registry setting.

Solution : Add the required domain(s) to the Domains Allowed to Login registry key.

This error indicates that the user’s Google and Windows passwords are not in sync. It appears when the user enters the wrong Windows password.

Solution : Sync the Google and Windows passwords.

As per Google,

To fix this issue, you can install or reinstall the Chrome browser on the user’s device.

However, in my experience, this error also occurs when you install GCPW on an unsupported Windows version (e.g. Windows Server 2016).
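As an added example (not part of the original guide, and not Google's own tooling), here is a read-only PowerShell diagnostic for the FAQ entries above: it checks whether a given address's domain is present in the GCPW domains_allowed_to_login value (the first two errors), and whether Chrome is installed and the OS is a workstation edition (the "install or reinstall Chrome" error). The registry path HKLM\SOFTWARE\Google\GCPW and the value name domains_allowed_to_login are the ones GCPW uses; the Chrome App Paths key and the Win32_OperatingSystem CIM class are standard Windows locations. The function names, the check logic, and the sample address jane.doe@example.com are my own.

```powershell
# Added example, not from the original guide: read-only diagnostic for the GCPW
# sign-in errors in the FAQ. Registry path and value name are GCPW's own; the
# functions, logic and sample address are assumptions made for this example.
# Run from an elevated PowerShell prompt on the device that shows the error.

$GcpwKey = 'HKLM:\SOFTWARE\Google\GCPW'

function Test-GcpwDomainAllowed {
    # Returns Allowed, DomainNotAllowed, NotConfigured or KeyMissing for the
    # domain part of $Email, matching the first two FAQ errors above.
    param([Parameter(Mandatory)][string]$Email)

    $domain = ($Email -split '@')[-1].Trim().ToLowerInvariant()

    if (-not (Test-Path -LiteralPath $GcpwKey)) {
        return [pscustomobject]@{ Status = 'KeyMissing'; Domain = $domain; Allowed = @() }
    }

    # domains_allowed_to_login is a REG_SZ holding a comma-separated list of domains
    $raw = (Get-ItemProperty -LiteralPath $GcpwKey -Name 'domains_allowed_to_login' `
                -ErrorAction SilentlyContinue).domains_allowed_to_login
    if ([string]::IsNullOrWhiteSpace($raw)) {
        # FAQ: admin has not yet configured Domains Allowed to Login
        return [pscustomobject]@{ Status = 'NotConfigured'; Domain = $domain; Allowed = @() }
    }

    $allowed = @($raw -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() } |
                Where-Object { $_ })

    # FAQ: "No other domains can login" when the domain is not in the list
    $status = if ($allowed -contains $domain) { 'Allowed' } else { 'DomainNotAllowed' }
    return [pscustomobject]@{ Status = $status; Domain = $domain; Allowed = $allowed }
}

function Test-GcpwHostSupport {
    # Checks the two causes given for the "install or reinstall Chrome" error:
    # Chrome not present, or GCPW installed on a server (non-workstation) OS.
    $chromePath = (Get-ItemProperty `
        -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' `
        -ErrorAction SilentlyContinue).'(default)'
    $chromeInstalled = (-not [string]::IsNullOrWhiteSpace($chromePath)) -and
                       (Test-Path -LiteralPath $chromePath)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isWorkstation = ($os.ProductType -eq 1)

    return [pscustomobject]@{
        ChromeInstalled = $chromeInstalled
        ChromePath      = $chromePath
        OsCaption       = $os.Caption
        IsWorkstation   = $isWorkstation
    }
}

# --- usage: constructed sample address; replace with the user's real address ---
$result = Test-GcpwDomainAllowed -Email 'jane.doe@example.com'
switch ($result.Status) {
    'Allowed'          { "OK: $($result.Domain) is listed in domains_allowed_to_login" }
    'DomainNotAllowed' { "Sign-in will fail: $($result.Domain) is not in [$($result.Allowed -join ', ')]; add it to $GcpwKey\domains_allowed_to_login" }
    'NotConfigured'    { "Sign-in will fail: domains_allowed_to_login is not set under $GcpwKey" }
    'KeyMissing'       { "GCPW registry key $GcpwKey not found; is GCPW installed?" }
}

$hostCheck = Test-GcpwHostSupport
if (-not $hostCheck.ChromeInstalled) { "Chrome not found; install or reinstall Chrome" }
if (-not $hostCheck.IsWorkstation)   { "Unsupported OS for GCPW: $($hostCheck.OsCaption)" }
```

The script only reads the registry and CIM, so it is safe to run on a user's device while troubleshooting. If it reports DomainNotAllowed or NotConfigured, the fix is the one the FAQ gives: set the value with a comma-separated domain list, for example `Set-ItemProperty -LiteralPath $GcpwKey -Name domains_allowed_to_login -Value 'example.com,example.org'` (constructed domains), then have the user sign in again.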

Ask it in the comments below, and I will try to answer it (if I can) as soon as I get time.


4 thoughts on “The Definitive G Suite Admin guide to Manage Windows Devices”

  1. Nice! I am deploying GCPW to some users. It works OK until the user changes the password, either the Google password (at accounts.google.com) or the local Windows password (at the lock screen, change password option). We don't have AD, local Windows accounts only.

    What am I doing wrong? Is there somewhere I can control how often the sync occurs?

    Even after syncing, the password remains outdated and I have to use the old password (in the G Suite challenge logon or the Windows challenge logon).

    Thanks in advance.

    1. 1. If you change your Google password, then GCPW can take care of synchronizing it to Windows; however, for this to take place, you need to log in to Windows with your new Google password (while connected to the internet).

      2. If you change the password in local Windows, isn’t Google Credential Provider for Windows (GCPW) detecting it and pushing it to G Suite or Google Cloud Identity?

    1. It means you already created an account on this device with this G Suite account; try a new G Suite account or log in to the existing account.

      Also, this assumes that you have kept the default allow multiple logins setting in Google Credential Provider for Windows (GCPW).
