Install Google Credential Provider for Windows (alpha)

As an administrator, you can set up Google Credential Provider for Windows (GCPW) to let users sign in to a Microsoft Windows 10 device using the Google Account they use for work or school. For company-owned devices, you or other IT professionals in your organization set up GCPW on the devices. For personal devices that the user has admin privileges on, you can have the user install GCPW.

Requirements

License requirements

  • GCPW (standalone)—Supported editions for this feature: Frontline; Business Starter, Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Basic and Business; Essentials; Cloud Identity Free and Premium.
  • GCPW with Windows device management—Supported editions for this feature: Enterprise; Education Standard and Plus; Cloud Identity Premium.

System requirements

  • Windows 10 Pro, Pro for Workstations, Enterprise, or Education version 1803 or later
  • Chrome Browser version 81 or later (stable version), installed with admin privileges
  • Available disk space for Google Chrome (100 MB) and GCPW (3 MB)
  • You need administrator privileges on the device to run the installer, or you can deploy the installer to devices using software deployment tools.

Step 1. Install GCPW

The following steps describe how to set up GCPW manually. You can also use an app distribution tool or PowerShell script to distribute and install GCPW. For details, see the example PowerShell script.

Note: If you downloaded an installer file before November X, 2020 (version X), we strongly recommend that you download a new file from the Admin console. This file will contain an organization-specific token that lets you manage GCPW settings from the Admin console. Learn more

Before you begin: If you haven't already, prepare to install GCPW.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Mobile & endpoints > Settings > Windows settings.
  4. Click Google Credential Provider for Windows setup > Download GCPW.
  5. Download the 64-bit or 32-bit GCPW installation file and distribute it to devices.
  6. On the device, run the installer. You can double-click the installation file or run it from Command Prompt:
    1. Open the Command Prompt.
    2. To install the 64-bit client, run gcpwstandaloneenterprise64.exe as administrator. To install the 32-bit client, run gcpwstandaloneenterprise.exe as administrator.

    The installation creates 4 files:

    • C:\Program Files\Google\CredentialProvider\version number\Gaia.dll
    • C:\Program Files\Google\CredentialProvider\version number\gcp_setup.exe
    • C:\Program Files\Google\CredentialProvider\version number\gcp_eventlog_provider.dll
    • C:\Program Files\Google\CredentialProvider\version number\extension\gcpw_extension.exe
  7. (Optional) To help Google improve GCPW, on the device you can enable automatic error reporting for GCPW.

Step 2. Set GCPW allowed domains and optional settings

Before a user can sign in through GCPW, you must set which domains are allowed. You can also control other settings such as auto-enrollment in Windows device management and offline access. Use the configuration method that meets your goals:

  • To apply the same settings to all Windows devices in your organization, the easiest way is to use your Admin console.
  • To apply different settings for different devices, leave the Admin console settings as Not configured and edit the registry settings on each device.

Note: Admin console settings override registry settings if both are configured.

Configure GCPW settings in your Admin console (recommended)

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Mobile & endpoints > Settings > Windows settings.
  4. Click GCPW setup > Permitted domains.
  5. Enter the domains that are allowed to sign in with GCPW. If you don't add any domains, no users can sign in through GCPW.
  6. Click Save. Permitted domains is the only required setting. To configure other GCPW settings, go on to the next steps.
  7. At the top of the page in the breadcrumb, click Windows settings.
  8. Click GCPW Settings.
  9. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  10. Click any of the following settings and update them, as needed:
    Setting Description and setup
    Auto-update GCPW

    To get new versions of GCPW installed automatically on Windows devices, check the Automatically update GCPW box (it's checked by default).

    To allow updates only up to a specific version, check the Prevent updates after a specific version box and enter the last allowed version. You might want to use this option if you want to test the latest version before deploying it to all your users. 

    Note: You'll need to update this setting as you approve versions so users aren't blocked from getting new features and security updates. If you enter a version that is earlier than the version installed on a device, GCPW isn't rolled back to that version.

    To turn off auto-updates for GCPW (not recommended), uncheck the Automatically update GCPW box.

    Manage multiple accounts

    To allow more than one Google Workspace account to sign in to a device through GCPW, select Enabled. Note: If you use Windows device management, even if you allow multiple accounts for GCPW, only one user can be enrolled in Windows device management per device.

    To allow only one Google Workspace account to sign in to a device through GCPW, select Disabled.

    When set to Not configured, more than one Google Workspace account can sign in to a device unless the enable_multi_user_login registry setting is set to 0 on the device.

    Enroll in device management

    If your organization uses Windows device management, you can have devices automatically enroll when a user first signs in through GCPW.

    If the Automatically enroll in device management box isn't checked and your organization uses Windows device management, you must manually enroll devices unless you set the enable_dm_enrollment registry key to 1 on the device.

    Offline access

    To limit how long users are allowed to sign in to their devices through GCPW while offline, change the value to Enabled and set the number of days.

    When the limit expires, a user won't be able to sign in to their device until they connect to the internet.

    When set to Not configured, a user is allowed to sign in while offline indefinitely unless the validity_period_in_days registry setting is set on the device.

  11. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Configure GCPW with the device's registry settings

  1. Configure the mandatory registry key that allows users in the specified domains to sign in with GCPW, and any other registry keys your organization needs.

    Note: The following instructions describe how to set up registry keys manually, but you or a user can also set up keys with a PowerShell script.

    Setting Default behavior and manual setup

    Required: Specify the domains that are allowed to sign in with GCPW.

    Note: Users can’t sign in with GCPW until this registry key is set up.

    Default: No domains are allowed to sign in with GCPW

    Setup

    1. From the Windows Start menu, click Run.
    2. In the Run box, enter regedit.
    3. In Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Google, right-click Google, and click New > Key to create a folder.
    4. Name the folder GCPW.
    5. Right-click the GCPW folder and click New > String Value.
    6. For the name, enter domains_allowed_to_login.
    7. Double-click the name and, in the Value data box, enter a comma-separated list of allowed domain names. For example: example.com, example.org, example.net.
    8. Click OK.
    Turn off automatic enrollment in Windows device management

    Default: 1 (automatically enroll devices)

    Setup

    1. In Registry Editor, right-click the GCPW folder and click New > DWORD.
    2. For the name, enter enable_dm_enrollment.
    3. Double-click the name and, in the Value data box, enter 0. If you ever want to reset the key to allow automatic enrollment, change the value to 1.
    4. Click OK.
    Require users to sign in online after their device is offline a set time

    Default: No value (online sign-in isn’t enforced)

    Setup

    1. In Registry Editor, right-click the GCPW folder and click New > DWORD.
    2. For the name, enter validity_period_in_days.
    3. Double-click the name and, in the Value data box, enter the number of days between online GCPW sign-ins.

      For example, if you enter 5, the user needs to sign in online after their device is offline for 5 days. If you enter 0, the user needs to sign in online immediately after the device is disconnected from the internet.

    4. Click OK.
    Allow only one user to sign in to the device with a Google Account

    Default: Multiple users can sign in to a device with their Google Account

    Setup

    1. In Registry Editor, right-click the GCPW folder and click New > DWORD.
    2. For the name, enter enable_multi_user_login.
    3. Double-click the name and, in the Value data box, enter 0. If you ever want to reset the key to allow multiple accounts on the device, change the value to 1.
    4. Click OK.
    Let a user sign in with GCPW for the first time with their existing local Windows profile (without clicking Add Work Account)

    Default: GCPW sign-in doesn’t use the existing local profile. Users must click Add Work Account when they first sign in.

    Setup

    1. In Registry Editor, right-click the GCPW folder and click New > Key.
    2. Name the key Users.
    3. Right-click the Users folder and click New > Key.
    4. Name the key the user’s Windows account SID (security identifier). To find a user’s SID, refer to Microsoft’s documentation.
    5. Right-click the SID folder and click New > String Value.
    6. For the name, enter email.
    7. Double-click the name and, in the Value data box, enter the work account you want to associate with the user's local Windows account. Use the user's full email address, such as user@your-company.com.
    8. Click OK.
    Have GCPW set up a new Windows account name that is only the username part of the user's work or school email address

    Default: When GCPW creates a Windows profile for the user on first sign-in (you don't associate Google accounts with existing Windows profiles or no Windows profile exists), the account name is generated from the user's email address with the format username_domain.

    Setup

    1. In Registry Editor, right-click the GCPW folder and click New > DWORD.
    2. For the name, enter use_shorter_account_name.
    3. Double-click the name and, in the Value data box, enter 1.
    4. Click OK.
  2. Restart the device.
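
To confirm what a device actually ended up with after the manual steps above, the following read-only audit reports each documented value under HKLM:\Software\Google\GCPW and flags the ones worth a second look. It is an added example, not part of Google's documentation or scripts; the function name and the -ExpectedDomains parameter are hypothetical. Remember that Admin console settings override these registry values if both are configured.

```powershell
# Added example, not Google's script. Read-only audit of the GCPW registry values
# described in the table above. $ExpectedDomains is a hypothetical input.
function Get-GcpwRegistryFinding {
    param(
        [string[]]$ExpectedDomains = @('example.com'),
        [string]$Path = 'HKLM:\Software\Google\GCPW'
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $props) {
        return "MISSING  $Path does not exist; no domains are allowed to sign in."
    }

    # domains_allowed_to_login is a comma-separated string; spaces are tolerated here.
    $allowed = @("$($props.domains_allowed_to_login)" -split ',' |
        ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    if ($allowed.Count -eq 0) {
        "MISSING  domains_allowed_to_login is empty; users cannot sign in with GCPW."
    }
    foreach ($d in $allowed) {
        if ($ExpectedDomains -notcontains $d) { "REVIEW   unexpected allowed domain: $d" }
    }

    # Optional DWORD values: report the documented default when a value is absent.
    if ($null -eq $props.validity_period_in_days) {
        "REVIEW   validity_period_in_days not set; offline sign-in is not time-limited."
    } else {
        "INFO     online sign-in required after $($props.validity_period_in_days) day(s) offline."
    }
    if ($props.enable_multi_user_login -eq 0) {
        "INFO     only one Google Account may sign in on this device."
    } else {
        "INFO     multiple Google Accounts may sign in (default)."
    }
    if ($props.enable_dm_enrollment -eq 0) {
        "INFO     automatic device management enrollment is turned off."
    }

    # Users\<SID>\email associates an existing local profile with a work account.
    Get-ChildItem -Path "$Path\Users" -ErrorAction SilentlyContinue | ForEach-Object {
        $email = (Get-ItemProperty -Path $_.PSPath).email
        if ($email) {
            $domain = ($email -split '@')[-1].ToLower()
            $tag = if ($allowed -contains $domain) { 'INFO    ' } else { 'REVIEW  ' }
            "$tag SID $($_.PSChildName) is associated with $email"
        }
    }
}

Get-GcpwRegistryFinding -ExpectedDomains 'example.com', 'example.org'
```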

Step 3. Manage GCPW devices

The user can now sign in to the device with GCPW. If they have problems signing in, see Troubleshoot GCPW. After users sign in for the first time, the device is listed in the Admin console and you can view device details.

Set up GCPW with a PowerShell script

You can use a Microsoft PowerShell script to download GCPW, install it, and optionally set registry keys. We recommend that you use the Admin console to manage GCPW settings.

Note: Google doesn't provide support for using example scripts. You should have experience using PowerShell scripts before using the example script.

Example script

This script downloads GCPW from the classic public site (no organization-specific token included) and installs it, then configures the required registry key that restricts device sign-ins to accounts in specific domains. To use the script, copy it into a text editor and enter the allowed domains in line 11.

<# This script downloads Google Credential Provider for Windows from
https://tools.google.com/dlpage/gcpw/, then installs and configures it.
Windows administrator access is required to use the script. #>

<# Set the following key to the domains you want to allow users to sign in from.

For example:
$domainsAllowedToLogin = "acme1.com,acme2.com"
#>

$domainsAllowedToLogin = ""

Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName PresentationFramework

<# Check if one or more domains are set #>
if ($domainsAllowedToLogin.Equals('')) {
    $msgResult = [System.Windows.MessageBox]::Show('The list of domains cannot be empty! Please edit this script.', 'GCPW', 'OK', 'Error')
    exit 5
}

function Is-Admin() {
    $admin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 'S-1-5-32-544')
    return $admin
}

<# Check if the current user is an admin and exit if they aren't. #>
if (-not (Is-Admin)) {
    $result = [System.Windows.MessageBox]::Show('Please run as administrator!', 'GCPW', 'OK', 'Error')
    exit 5
}

<# Choose the GCPW file to download. 32-bit and 64-bit versions have different names #>
$gcpwFileName = 'gcpwstandaloneenterprise.msi'
if ([Environment]::Is64BitOperatingSystem) {
    $gcpwFileName = 'gcpwstandaloneenterprise64.msi'
}

<# Download the GCPW installer. #>
$gcpwUrlPrefix = 'https://dl.google.com/credentialprovider/'
$gcpwUri = $gcpwUrlPrefix + $gcpwFileName
Write-Host 'Downloading GCPW from' $gcpwUri
Invoke-WebRequest -Uri $gcpwUri -OutFile $gcpwFileName

<# Run the GCPW installer and wait for the installation to finish #>
$arguments = "/i `"$gcpwFileName`""
$installProcess = (Start-Process msiexec.exe -ArgumentList $arguments -PassThru -Wait)

<# Check if installation was successful #>
if ($installProcess.ExitCode -ne 0) {
    $result = [System.Windows.MessageBox]::Show('Installation failed!', 'GCPW', 'OK', 'Error')
    exit $installProcess.ExitCode
}
else {
    $result = [System.Windows.MessageBox]::Show('Installation completed successfully!', 'GCPW', 'OK', 'Info')
}

<# Set the required registry key with the allowed domains #>
$registryPath = 'HKEY_LOCAL_MACHINE\Software\Google\GCPW'
$name = 'domains_allowed_to_login'
[microsoft.win32.registry]::SetValue($registryPath, $name, $domainsAllowedToLogin)

$domains = Get-ItemPropertyValue HKLM:\Software\Google\GCPW -Name $name

if ($domains -eq $domainsAllowedToLogin) {
    $msgResult = [System.Windows.MessageBox]::Show('Configuration completed successfully!', 'GCPW', 'OK', 'Info')
}
else {
    $msgResult = [System.Windows.MessageBox]::Show('Could not write to registry. Configuration was not completed.', 'GCPW', 'OK', 'Error')

}
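
The example script runs the downloaded MSI without checking who signed it. The function below, an added example that is not part of Google's script, verifies the installer's Authenticode signature before msiexec is called. The function name is hypothetical, and the expected publisher string 'Google LLC' is an assumption you should confirm against a known-good installer.

```powershell
# Added example, not part of Google's script: verify the downloaded MSI's
# Authenticode signature before handing it to msiexec.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string]$FilePath,
        # Assumption: publisher name expected in the signing certificate subject.
        [string]$ExpectedPublisher = 'Google LLC'
    )
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        Write-Warning "Installer not found: $FilePath"
        return $false
    }

    # Status is Valid only if the file is unmodified and the chain is trusted.
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # Match a whole CN= or O= field, not a loose substring of the subject.
    $subject = $sig.SignerCertificate.Subject
    $pattern = "(^|, )(CN|O)=$([regex]::Escape($ExpectedPublisher))(,|$)"
    if ($subject -notmatch $pattern) {
        Write-Warning "Unexpected signer: $subject"
        return $false
    }

    # Record the signer and hash so the deployment log shows what was installed.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    Write-Host "Signed by: $subject"
    Write-Host "SHA-256:   $hash"
    return $true
}

# Usage: place between the Invoke-WebRequest download and the msiexec call.
$gcpwFileName = 'gcpwstandaloneenterprise64.msi'
if (-not (Test-InstallerSignature -FilePath $gcpwFileName)) {
    Write-Error 'Refusing to run an installer that failed signature verification.'
    exit 1
}
```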

Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.