Overview: Enhanced desktop security for Windows

As an administrator, you can set up company-owned and personal Microsoft Windows devices to use Google’s single-sign on (SSO) access security, push Windows settings, and wipe device data remotely. Enhanced desktop security for Windows has two complementary features that can be set up together or individually.

For an introduction to some product features, check out the following video:

How do I manage Windows 10 devices within my organization?

Note: This video applies to both Windows 10 and Windows 11.

Requirements
Google Credential Provider for Windows (GCPW)—Use Google Account authentication on Windows 10 or 11 devices.
Windows device management—Manage Windows settings on enrolled devices.
Setup procedures
More resources for admins
Help for GCPW users

Requirements

License

GCPW (standalone)—Supported editions for this feature: Frontline Starter and Frontline Standard; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, Education Plus, and Endpoint Education Upgrade; Essentials, Enterprise Essentials, and Enterprise Essentials Plus; G Suite Basic and G Suite Business; Cloud Identity Free and Cloud Identity Premium. Compare your edition
Windows device management (standalone or with GCPW)—Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

System

Windows 10 or 11 (Pro, Pro for Workstations, Enterprise, or Education)
For GCPW, Chrome Browser 81 or later

Google Credential Provider for Windows (GCPW)

You can let users sign in to a Windows 10 device using the Google Account your organization provides. You can configure GCPW so that a user’s Google Account syncs with their Active Directory or local Windows profiles. GCPW also provides the following benefits:

Additional security—Users get all the security benefits of their Google Account on their Windows 10 device. These features include anti-hijacking features such as 2-step verification (2SV) and login challenges.
SSO experience—Users can access Google Workspace services and SSO apps in Chrome Browser without the need to re-enter their Google credentials.
Password synchronization—Keep users’ Google passwords in sync with their Windows passwords in the Admin console or with G Suite Password Sync.
Automatic enrollment in Windows device management—If you use GCPW and Windows device management together, devices are automatically enrolled in Windows device management when the user signs in through GCPW.
Note: Only one user can enroll in Windows device management per device, even though you can allow multiple accounts to sign in through GCPW, because of a Microsoft limitation in Windows 10 and 11. When many users sign in through GCPW on the same device, the first user is enrolled in Windows device management. Their device-level settings (such as Windows updates, admin privileges, and BitLocker encryption) apply to all users of the device.
Perform admin actions:
- Get details about managed devices
- Sign users out of their Google Account

To use GCPW, you need to install it on each Windows device. Learn how to set up and install GCPW.

Windows device management

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

With Windows device management, you can configure and manage enrolled devices from the Admin console. Only one user can enroll in Windows device management per device, due to a Microsoft limitation in Windows 10 and 11.

Setting management	Device management
Set users' administrative permission level Enable BitLocker encryption Manage automatic updates for Windows Apply custom settings—You can block specific apps, disable USB drives, set the screen lock timeout, and more.	Wipe data from a device Get details about managed devices Sign users out of their Google Account Audit device system activity Unenroll a device from Windows device management

Learn how to set up Windows device management.

Set up GCPW and Windows device management

You can set up GCPW and Windows device management together or only the one you want to use.

Note: For company owned devices, we recommend you also add them to the company owned inventory.

Set up both (recommended)

When you enable Windows device management and install GCPW on a device, the device is automatically enrolled in Windows device management.

For instructions, see Set up GCPW and Windows device management together.

Set up GCPW only

Use this set up when you have a third-party EMM to manage devices and only want the Google sign-on experience.

Prepare to install GCPW
(Optional) Associate Google Accounts with existing Windows profiles
Install GCPW
(Optional) Set automatic error reporting for GCPW
Share GCPW training resources with your users

Set up Windows device management only

Use this set up when you use AD sign-in and only want to manage Windows devices.

More resources for admins

YouTube: How do I manage Windows 10 devices within my organization? (This video applies to both Windows 10 and Windows 11.)
Coursera: Device management modules in Introduction to Cloud Identity and Managing Google Workspace

Help for GCPW users

_{Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.}

Was this helpful?

How can we improve it?