Install Google Credential Provider for Windows

As an administrator, you can set up Google Credential Provider for Windows (GCPW) to let users sign in to a Windows 10 or 11 device with the Google Account they use for work or school. For company-owned devices, you or other IT professionals in your organization set up GCPW on the devices. For personal devices that the user has admin privileges on, you can have the user install GCPW.

Requirements

License requirements

GCPW (standalone)—Supported editions for this feature: Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Endpoint Education Upgrade; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Free and Cloud Identity Premium. Compare your edition
GCPW with Windows device management—Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

System requirements

Windows 10 or 11 (Pro, Pro for Workstations, Enterprise, or Education).
Chrome Browser version 81 or later (stable version), installed with admin privileges.
Available disk space for Google Chrome (100 MB) and GCPW (3 MB).
You need administrator privileges on the device to run the installer, or you can deploy the installer to devices using software deployment tools.
GCPW is not compatible with third-party providers of mobile device management.

Before you begin–Prepare for your deployment

If you haven't already, prepare to install GCPW and install Chrome browser on the devices.
If you plan to use Chrome Browser Cloud Management, set it up before you install GCPW. For details, see Set up Chrome Browser Cloud Management.

Step 1. Download GCPW

The following steps describe how to set up GCPW manually. You can also use an app distribution tool or PowerShell script to distribute and install GCPW. For details, see the example PowerShell script.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu DevicesMobile and endpointsSettingsWindows.
Click Google Credential Provider for Windows setupDownload GCPW.
Download the 64-bit or 32-bit GCPW installation file and distribute it to devices.

Step 2. Set GCPW allowed domains and optional settings

Use the configuration method that meets your goals:

To apply the same settings to all Windows devices in your organization, the easiest way is to use your Admin console.
To apply different settings for different devices, leave the Admin console settings as Not configured and edit the registry settings on each device.

Note: Admin console settings override registry settings if both are configured.

Configure GCPW settings in your Admin console (recommended)

To use GCPW, you must set permitted domains. To set permitted domains in the Admin console, the device must have an enrollment token on it. There are several ways to set a token:

If you downloaded GCPW from the Admin console, your installation file automatically sets the token and you can proceed.
If you previously set enrollment tokens for Chrome Browser Cloud Management, these tokens also let you manage GCPW settings from the Admin console.
If you downloaded GCPW from the classic download page (https://tools.google.com/dlpage/gcpw/), your installation file doesn't include a token. Without the token, you can't change your permitted domains from the Admin console, but you can edit the settings in DevicesMobile & endpointsSettingsWindows settingsGCPW settings. If needed, set the GCPW token on devices.

Edit settings in your Admin console

Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
In the Admin console, go to Menu DevicesMobile and endpointsSettingsWindows.
Click Google Credential Provider for Windows (GCPW) setupPermitted domains.
Enter the domains that are allowed to sign in with GCPW. If you don't add any domains, no users can sign in through GCPW.
Click Save. It can take up to an hour for permitted domains to sync to devices.
Permitted domains is the only required setting. To configure other GCPW settings, go on to the next steps.
At the top of the page in the breadcrumb, click Windows settings.
Click GCPW Settings.
To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.

Click any of the following settings and update them, as needed:

Setting	Description and setup
Auto-update GCPW	To get new versions of GCPW installed automatically on Windows devices, check the Automatically update GCPW box (it's checked by default). To allow updates only up to a specific version, check the Prevent updates after a specific version box and enter the last allowed version. You might want to use this option if you want to test the latest version before deploying it to all your users. Note: You'll need to update this setting as you approve versions so users aren't blocked from getting new features and security updates. If you enter a version that is earlier than the version installed on a device, GCPW isn't rolled back to that version. To turn off auto-updates for GCPW (not recommended), uncheck the Automatically update GCPW box.
Manage multiple accounts	To allow more than one Google Workspace account to sign in to a device through GCPW, select Enabled. If you use Windows device management, even if you allow multiple accounts for GCPW, only one user can be enrolled in Windows device management per device. To allow only one Google Workspace account to sign in to a device through GCPW, select Disabled. When set to Not configured, then more than one Google Workspace account can sign in to a device unless the `enable_multi_user_login` registry setting is set to 0 on the device.
Enroll in device management	If your organization uses Windows device management, you can have devices automatically enroll when a user first signs in through GCPW. If the Automatically enroll in device management box isn't checked and your organization uses Windows device management, you must manually enroll devices unless you set the `enable_dm_enrollment` registry key to 1 on the device.
Offline access	To limit how long users are allowed to sign in to their devices through GCPW while offline, change the value to Enabled and set the number of days. When the limit expires, a user won't be able to sign in to their device until they connect to the internet. When set to Not configured, a user is allowed to sign in while offline indefinitely unless the `validity_period_in_days` registry setting is set on the device.

Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

GCPW settings sync to devices every hour, so it can take up to 1 hour for your settings to be applied and the user to be able to sign in through GCPW.

Configure GCPW with the device's registry settings

If you don’t manage GCPW with the settings in the Admin console, or you want to set values for settings that aren’t configured in the Admin console, you can set them in each device’s registry.

The following instructions describe how to set up registry keys manually, but you or a user with admin privileges can also set up keys with a PowerShell script.

Note: If you configure GCPW in your Admin console and a device's registry, the Admin console settings override registry settings.

Configure the mandatory registry key that allows users in the specified domains to sign in with GCPW, and any other registry keys your organization needs.

Note: The following instructions describe how to set up registry keys manually, but you or a user can also set up keys with a PowerShell script.

Setting	Default behavior and manual setup
Required: Specify the domains that are allowed to sign in with GCPW. Note: Users can’t sign in with GCPW until this registry key is set up.	Default: No domains are allowed to sign in with GCPW Setup From the Windows Start menu, click Run. In the Run box, enter regedit. In Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Google, right-click Google, and click NewKey to create a folder. Name the folder GCPW. Right-click the GCPW folder and click NewString Value. For the name, enter `domains_allowed_to_login`. Double-click the name and, in the Value data box, enter a comma-separated list of allowed domain names. For example: example.com, example.org, example.net. Click OK.
Turn off automatic enrollment in Windows device management	Default: 1 (automatically enroll devices) Setup In Registry Editor, right-click the GCPW folder and click NewDWORD. For the name, enter `enable_dm_enrollment`. Double-click the name and, in the Value data box, enter 0. If you ever want to reset the key to allow automatic enrollment, change the value to 1. Click OK.
Require users to sign in online after their device is offline a set time	Default: No value (online sign-in isn’t enforced) Setup In Registry Editor, right-click the GCPW folder and click NewDWORD. For the name, enter `validity_period_in_days`. Double-click the name and, in the Value data box, enter the number of days between online GCPW sign-ins. For example, if you enter 5, the user needs to sign in online after their device is offline for 5 days. If you enter 0, the user needs to sign in online immediately after the device is disconnected from the internet. Click OK.
Allow only one user to sign in to the device with a Google Account	Default: Multiple users can sign in to a device with their Google Account. If you use Windows device management, even if you allow multiple accounts for GCPW, only one user can be enrolled in Windows device management per device. Setup In Registry Editor, right-click the GCPW folder and click NewDWORD. For the name, enter `enable_multi_user_login`. Double-click the name and, in the Value data box, enter 0. If you ever want to reset the key to allow automatic multiple accounts on the device, change the value to 1. Click OK.
Lets a user sign in with GCPW for the first time with their existing local Windows profile (without clicking Add Work Account)	Default: GCPW sign-in doesn’t use the existing local profile. Users must click Add Work Account when they first sign in. Setup In Registry Editor, right-click the GCPW folder and click NewKey. Name the key Users. Right-click the Users folder and click NewKey. Name the key the user’s Windows account SID (security identifier). To find a user’s SID, refer to Microsoft’s documentation. Right-click the SID folder and click NewString Value. For the name, enter `email`. Double-click the name and, in the Value data box, enter the work account you want to associate with the user's local Windows account. Use the user's full email address, such as user@your-company.com. Click OK.
Have GCPW set up a new Windows account name that is only the username part of the user's work or school email address	Default: When GCPW creates a Windows profile for the user on first sign-in (you don't associate Google Accounts with existing Windows profiles or no Windows profile exists), the account name is generated from the user's email address with the format username_domain. Setup In Registry Editor, right-click the GCPW folder and click NewDWORD. For the name, enter `use_shorter_account_name`. Double-click the name and, in the Value data box, enter 1. Click OK.

Restart the device.

Step 3. Install GCPW

You can install GCPW in several ways:

Manually, as described in this section.
Using a PowerShell script. For details, see the example PowerShell script.
Using a third-party app distribution tool or as part of your PC system image.

To install GCPW manually

On the device, run the installer. You can double-click the installation file or run it from Command Prompt:
1. Open the Command Prompt.
2. To install the 64-bit client, run gcpwstandaloneenterprise64.exe as administrator. To install the 32-bit client, run gcpwstandaloneenterprise.exe as administrator. To run the installer in silent mode, include the arguments /silent /install.
The installation creates 4 files:
- C:\Program Files\Google\CredentialProvider\version number\Gaia.dll
- C:\Program Files\Google\CredentialProvider\version number\gcp_setup.exe
- C:\Program Files\Google\CredentialProvider\version number\gcp_eventlog_provider.dll
- C:\Program Files\Google\CredentialProvider\version number\extension\gcpw_extension.exe
(Optional) To help Google improve GCPW, on the device you can enable automatic error reporting for GCPW.

Step 4. Manage GCPW devices

User experience

The user can now sign in to the device with GCPW. If allowed, they can manage their device password by managing their Google Account password.
If they have problems signing in, you can help them by following the instructions in Troubleshoot GCPW.

Admin management

You can review device details in your Admin console after users sign in for the first time.
If you need to reset a user’s password, we strongly recommend that you reset their passwords for them in the Admin console. If you require a password reset through AD or another tool, they’ll have to update their Windows password and then update their Google Account password to match. For users who aren’t allowed to update their own password, such as students, they’ll be locked out of their account.

Set up GCPW with a PowerShell script

You can use a Microsoft PowerShell script to download GCPW, install it, and optionally set registry keys. We recommend that you use the Admin console to manage GCPW settings.

Note: Google doesn't provide support for using example scripts. You should have experience using PowerShell scripts before using the example script.

Example script

This script downloads GCPW from the classic public site (no organization-specific token included) and installs it, then configures the required registry key that restricts device sign-ins to accounts in specific domains. To use the script, copy it into a text editor and enter the allowed domains in line 11. If you want to manage GCPW settings in the admin console, get the token from the Admin console and use the script to set a registry key with the token.

<# This script downloads Google Credential Provider for Windows from
https://tools.google.com/dlpage/gcpw/, then installs and configures it.
Windows administrator access is required to use the script. #>

<# Set the following key to the domains you want to allow users to sign in from.

For example:
$domainsAllowedToLogin = "solarmora.com,altostrat.com"
#>

$domainsAllowedToLogin = ""

Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName PresentationFramework

<# Check if one or more domains are set #>
if ($domainsAllowedToLogin.Equals('')) {
    $msgResult = [System.Windows.MessageBox]::Show('The list of domains cannot be empty! Please edit this script.', 'GCPW', 'OK', 'Error')
    exit 5
}

function Is-Admin() {
    $admin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 'S-1-5-32-544')
    return $admin
}

<# Check if the current user is an admin and exit if they aren't. #>
if (-not (Is-Admin)) {
    $result = [System.Windows.MessageBox]::Show('Please run as administrator!', 'GCPW', 'OK', 'Error')
    exit 5
}

<# Choose the GCPW file to download. 32-bit and 64-bit versions have different names #>
$gcpwFileName = 'gcpwstandaloneenterprise.msi'
if ([Environment]::Is64BitOperatingSystem) {
    $gcpwFileName = 'gcpwstandaloneenterprise64.msi'
}

<# Download the GCPW installer. #>
$gcpwUrlPrefix = 'https://dl.google.com/credentialprovider/'
$gcpwUri = $gcpwUrlPrefix + $gcpwFileName
Write-Host 'Downloading GCPW from' $gcpwUri
Invoke-WebRequest -Uri $gcpwUri -OutFile $gcpwFileName

<# Run the GCPW installer and wait for the installation to finish #>
$arguments = "/i `"$gcpwFileName`""
$installProcess = (Start-Process msiexec.exe -ArgumentList $arguments -PassThru -Wait)

<# Check if installation was successful #>
if ($installProcess.ExitCode -ne 0) {
    $result = [System.Windows.MessageBox]::Show('Installation failed!', 'GCPW', 'OK', 'Error')
    exit $installProcess.ExitCode
}
else {
    $result = [System.Windows.MessageBox]::Show('Installation completed successfully!', 'GCPW', 'OK', 'Info')
}

<# Set the required registry key with the allowed domains #>
$registryPath = 'HKEY_LOCAL_MACHINE\Software\Google\GCPW'
$name = 'domains_allowed_to_login'
[microsoft.win32.registry]::SetValue($registryPath, $name, $domainsAllowedToLogin)

$domains = Get-ItemPropertyValue HKLM:\Software\Google\GCPW -Name $name

if ($domains -eq $domainsAllowedToLogin) {
    $msgResult = [System.Windows.MessageBox]::Show('Configuration completed successfully!', 'GCPW', 'OK', 'Info')
}
else {
    $msgResult = [System.Windows.MessageBox]::Show('Could not write to registry. Configuration was not completed.', 'GCPW', 'OK', 'Error')

}

Was this helpful?

How can we improve it?