Supported editions for this feature: Frontline; Business Starter, Standard and Plus; Enterprise; Education Fundamentals, Standard, Teaching and Learning Upgrade, and Plus; G Suite Basic and Business; Essentials; Cloud Identity Free and Premium. Compare your edition
Before you install Google Credential Provider for Windows (GCPW) on devices, you need to decide how passwords are synchronized between Google and Windows, give your support team access to devices, and determine how you want to handle existing Windows profiles.
Note: USB security keys aren’t supported by GCPW. If you enforce security keys, users can still sign in to their device with Android and iOS built-in security keys. Or, when prompted for 2-Step Verification, they can click "Try another way" and use another 2-Step Verification method if one is available. If no other method is available, users can't sign in to the device. To modify your 2-Step Verification methods, go to the 2-Step Verification setup guide.
After you complete these preliminary setup steps, you can install GCPW on Windows devices.
When you install GCPW on a Windows 10 device, the user signs in with their Google Account password. GCPW then automatically signs in the user to their Windows profile and Chrome Browser. For this automatic sign-in to work, the Google Account password and Windows password must stay in sync.
You can keep passwords in sync in two ways: use Google (recommended) or use a synchronization tool to push password updates from Active Directory, Azure Active Directory (AD), or other third-party tools to Google.
With either approach, users manage only the Google password. They can't reset their password from the Ctrl+Alt+Delete screen on their device because GCPW blocks that feature.
If some users aren’t allowed to manage their own password, such as students, you must reset and update the user’s password in the Admin Console.
Google Admin console for password management
Recommended when associating local Windows profiles with Google Accounts
If you use the Google Admin console to manage passwords and users change their passwords in their Google Account, no action is required. GCPW automatically synchronizes their Google Account password with their Windows password. Synchronization occurs when they sign in to their device with the new password while it's connected to the internet.
- If users have Windows profiles associated with Microsoft accounts, such as @outlook.com and hotmail.com, GCPW can't synchronize passwords between the Microsoft account and the Google Account. When a user changes their Microsoft account password, they must manually change their Google Account password. If they don't, they'll get password sync errors.
- If users have AD-backed Windows profiles, password sync by this method might not happen if the device can't connect to the AD server. We recommend you use the next method instead.
Active Directory, Azure AD, or third-party tools for password management
Recommended when associating AD-backed Windows profiles with Google Accounts
If you use Active Directory, Azure AD, or other tools to manage passwords on Windows devices, synchronize Google Account passwords and Windows passwords with G Suite Password Sync (GSPS) or another tool.
Note: With this approach, users should still manage their passwords in their Google Account. We recommend that when you require a user to reset their password, you use the Google Admin console, not AD or other tools. You can still use AD or other tools, but the user will have to reset their Microsoft password and then reset their Google password to match.
If some users aren’t allowed to change their own passwords, you must reset their passwords for them in the Admin console. If you reset their password in AD or other tools, users can’t get past “Password incorrect” errors because they can’t change their Google Account password.
Set password complexity requirements for users’ Google Accounts to be the same or stronger than Active Directory or Windows password requirements. If the Google password requirements are weaker, a user can change their password to one that doesn't meet the Windows password requirements. They won't be able to access their Windows account until they change their Google password again to meet the Windows password requirements.
When you set up GCPW, users can’t sign in through GCPW until you set which domains are allowed to sign in. You can also turn off automatic enrollment in Windows device management, manage automatic updates, and require online sign-in after a set time. You can manage these settings in the Admin console or in the registry settings on each device.
- Admin console—Use this approach when everyone in your organization will have the same allowed domains. You can set other options by organizational unit. This approach lets you easily review how GCPW is set up. It also lets you change settings more efficiently because the settings are automatically pushed to all devices.
- Registry settings—Use this approach when you want to allow different domains for different devices. You won't be able to review how devices are set up from the Admin console, so you’ll need to keep your own records. If you need to update or add a setting, you have to update each device.
If the Windows device already has a Windows profile set up for a user’s work account, you can set up GCPW to associate the existing profile with their Google Account.
If you don’t associate the Windows profile with the Google Account, GCPW makes a new Windows profile for the Google sign in. Users with local profiles can still sign in to the other profile, but AD users won’t be able to access the other profile. Learn about how users sign in to existing Windows profiles with GCPW.
Learn how to Associate Google Accounts with existing Windows profiles.
Make sure your support teams (Active Directory users, Active Directory groups, and local users) get the correct local administrative privileges. For details, see Manage account settings for Windows 10 devices.
If you deploy GCPW automatically, you can skip this step.
By default, GCPW automatically enrolls the first user to sign in to the device through GCPW in Windows device management (when Windows device management is turned on for that user). If your organization deploys software manually, the person who sets up the device might not be the user you want to manage with Windows device management. If the setup person signs in through GCPW, they can be enrolled instead of the intended user. Due to Microsoft Windows management limitations, only one user per device can be enrolled in Windows device management, so the intended user’s settings aren’t applied if the setup person is already enrolled.
You can manage or avoid automatic enrollment for the setup person in the following ways:
- If the setup person uses a local admin account instead of signing in with their Google Account, they won’t be enrolled in Windows device management.
- If the setup person signs in through GCPW (with a privileged account or their own work account to set up devices), you can turn off automatic enrollment for the organizational unit with those accounts.
- If you allow the setup person to be automatically enrolled, you can unenroll that user before giving the device to the intended user. Learn how
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.