Apply settings for Windows 10 or 11 devices

As an administrator, you can control Windows 10 or 11 device security and features by applying policy settings. Some of these settings apply only to Windows devices with Google Credential Provider for Windows installed on them, and some apply only to devices under Windows device management. For details about these management options, see Overview: Enhanced desktop security for Windows.

Find the settings

Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Mobile and endpoints > Settings > Windows.
  3. Click a settings category and setting.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
  5. Update the setting.
  6. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit.

After you update a setting, it can take 3–6 hours for the change to apply to devices.

Windows settings reference

Google Credential Provider for Windows (GCPW) setup

Download GCPW

Get a 64-bit or 32-bit installation file for GCPW for your organization. For instructions, see Install Google Credential Provider for Windows.

You can also copy and regenerate the GCPW token. For details, see Regenerate the GCPW token.

Permitted domains (required for GCPW)

To allow users to sign in through GCPW, you must specify the allowed domains for users' Google accounts. Until you specify at least one domain, no users can sign in. For details, see Install Google Credential Provider for Windows.

GCPW Settings

Supported for devices with GCPW

Auto-update GCPW

To get new versions of GCPW installed automatically on Windows devices, check the Automatically update GCPW box (it's checked by default).

To allow updates only up to a specific version, check the Prevent updates after a specific version box and enter the last allowed version. You might want to use this option if you want to test the latest version before deploying it to all your users. 

Note: You'll need to update this setting as you approve versions so users aren't blocked from getting new features and security updates. If you enter a version that is earlier than the version installed on a device, GCPW isn't rolled back to that version.

To turn off auto-updates for GCPW (not recommended), uncheck the Automatically update GCPW box.

To set up a test organizational unit differently from the rest of your organization:

  1. Select the top organizational unit.
  2. Check the Automatically update GCPW and Prevent updates after a specific version boxes, and enter the latest version you want people to use.
  3. Click Save.
  4. Select the organizational unit that contains users with test devices.
  5. Check the Automatically update GCPW box and uncheck the Prevent updates after a specific version box.
  6. Click Override.

Manage multiple accounts

To allow more than one Google Workspace account to sign in to a device through GCPW, select Enabled. If you use Windows device management, even if you allow multiple accounts for GCPW, only one user can be enrolled in Windows device management per device.

To allow only one Google Workspace account to sign in to a device through GCPW, select Disabled.

When set to Not configured, more than one Google Workspace account can sign in to a device unless the enable_multi_user_login registry setting is set to 0 on the device.

Enroll in device management

If your organization uses Windows device management, you can have devices automatically enroll when a user first signs in through GCPW.

If the Automatically enroll in device management box isn't checked and your organization uses Windows device management, you must manually enroll devices unless you set the enable_dm_enrollment registry key to 1 on the device.

Offline access

To limit how long users are allowed to sign in to their devices through GCPW while offline, change the value to Enabled and set the number of days.

When the limit expires, a user won't be able to sign in to their device until they connect to the internet.

When set to Not configured, a user is allowed to sign in while offline indefinitely unless the validity_period_in_days registry setting is set on the device.
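The three GCPW settings above fall back to device-local registry values when the console value is Not configured or the box is unchecked. The following added PowerShell example (not Google's code) resolves the effective behaviour for one device so that local values that change the outcome are easy to spot during an audit. It models only the states this page describes. The function name, parameter names and sample values are assumptions, and the registry key path is left as a placeholder because the page does not give it.

```powershell
function Resolve-GcpwEffectiveSetting {
    param(
        # Admin console states as described on this page (names are assumptions).
        [ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string]$MultiAccount = 'NotConfigured',
        [ValidateSet('Enabled', 'NotConfigured')]
        [string]$OfflineAccess = 'NotConfigured',
        [int]$OfflineDays = 0,
        [bool]$AutoEnrollChecked = $false,
        # Device-local registry values: value name -> data.
        [hashtable]$Local = @{}
    )

    # Multiple accounts: an explicit console value wins. Not configured allows
    # multiple accounts unless enable_multi_user_login is 0 on the device.
    $multi = switch ($MultiAccount) {
        'Enabled'  { $true }
        'Disabled' { $false }
        default    { -not ($Local.ContainsKey('enable_multi_user_login') -and
                           [int]$Local['enable_multi_user_login'] -eq 0) }
    }

    # Offline access: Not configured means indefinite offline sign-in unless
    # validity_period_in_days is set on the device.
    $offline = if ($OfflineAccess -eq 'Enabled') {
        "limited to $OfflineDays day(s) by console"
    } elseif ($Local.ContainsKey('validity_period_in_days')) {
        "limited to $($Local['validity_period_in_days']) day(s) by local registry"
    } else {
        'indefinite'
    }

    # Enrollment: with the box unchecked, enrollment is manual unless
    # enable_dm_enrollment is 1 on the device.
    $enroll = $AutoEnrollChecked -or
        ($Local.ContainsKey('enable_dm_enrollment') -and [int]$Local['enable_dm_enrollment'] -eq 1)

    [pscustomobject]@{
        MultipleAccountsAllowed = $multi
        OfflineSignIn           = $offline
        AutoEnrollOnFirstSignIn = $enroll
    }
}

# Constructed sample: console leaves everything unset; the device has local values.
# On a real device, build the hashtable from the GCPW key instead, for example:
#   $p = Get-ItemProperty -Path '<GCPW registry key path>'   # placeholder path
$sample = @{ enable_multi_user_login = 0; validity_period_in_days = 14 }
Resolve-GcpwEffectiveSetting -Local $sample
```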

Windows management setup

Windows device management

To turn on Windows device management for your organization, select Enabled. You might want to wait to enable Windows device management until you configure any policies. For instructions, see Set up GCPW and Windows device management.

To turn off Windows device management, select Disabled.

Account settings

Supported for devices under Windows device management

Administrative privileges

Set the privileges users have on devices managed with Windows device management:

  • To revoke admin privileges, select Standard User.
  • To give users admin privileges, select Local Administrator.

You can also give administrative privileges on the device to Active Directory (AD) users, AD groups, or local users.

Note: If you don't enter any values, any existing local admin accounts are removed from devices. If User account type is set to Standard User, then no local admin account is available on devices. In this case, to take admin actions on the device you'll need to temporarily grant privileges to the user.

For details, see Set account permissions on Windows 10 or 11 devices.

Windows Update settings

Supported for devices under Windows device management

Windows automatic updates

Set how and when your organization’s Windows 10 or 11 devices receive security updates and other important downloads through the Windows automatic updating service.

For details, see Manage automatic updates for Windows 10 or 11 devices.

BitLocker settings

Supported for devices under Windows device management

BitLocker drive encryption

Set how Windows 10 or 11 devices and drives are encrypted.

For details, see Enable BitLocker encryption on a Windows 10 or 11 device.

Custom settings

Supported for devices under Windows device management

Custom settings

