Troubleshoot GCPW

Here's how to troubleshoot common issues with Google Credential Provider for Windows (GCPW).

Open all   |   Close all

Sign-in issues

"Your administrator doesn’t allow you to sign in with this account. Try a different account."

This message can appear if a user tries to sign in to a device and you haven't set any allowed domains for the device.

As an administrator, you can add the user's domain to the list of permitted domains:

  • If you manage GCPW in the Admin console, go to the Permitted domains setting and enter allowed domains. Learn how

    It can take up to 1 hour for your update to sync to devices. If you have access to the device, you can manually sync the device:

    1. On the device, open Task Scheduler.
    2. In the Task Scheduler library, right-click GoogleUpdateTaskMachineUA and click Run.
    3. Wait a few minutes for the policies to update.
  • If you manage GCPW with registry keys, set the domains_allowed_to_login registry key with the allowed domains. Learn how

If the user still can't sign in, contact Google Support.

"Your account password has changed. Enter your Windows password to sync your Windows account with your work account."

This message can appear if the user's Google password doesn't synchronize with their Windows password. The user can enter their Windows password so GCPW can restore the synchronization.

"The Windows password is incorrect. Try again."

If the user's Google Account and Windows passwords aren't in sync, GCPW asks the user for their current Windows password. This message can appear if the user enters an incorrect Windows password.

"Can't open the Google sign-in screen because there's an issue with the Chrome installation on this device. Contact your administrator. "

This message can appear when the Google sign-in screen can't open due to a Chrome Browser issue or a device policy issue.

To fix:

  1. Confirm Chrome Browser is installed on the device. If not, install it.
  2. If Chrome browser is installed, it might not be in the right place. Confirm that it is installed in C:\Program Files (x86)\Google\Chrome\Application\chrome.exe or C:\Program Files\Google\Chrome\Application\chrome.exe. If not, reinstall Chrome Browser in the correct location.
  3. If the device has anti-virus software installed, confirm that this software doesn't prevent Chrome Browser from running.
  4. If the device has a group policy object (GPO) that defines the Log on as batch job policy, it might override the GPO that lets GCPW use a special account to request sign-in details from the user. To fix this:
    1. Find the GPO on the device and add gaia as a user to the policy. For instructions, consult the Windows documentation.
    2. Reboot the device.
    3. Confirm that gaia is listed in the local policy.
"Can't continue because there was an error while changing your Windows password. Please contact your administrator."

If the user's Google Account password changed but their Windows password wasn't automatically synchronized on the device, GCPW asks the user if they want to reset their Windows password. This message appears if the password can't be reset.

"Your session has expired. Sign in with your work account."

This message can appear when a user needs to sign in again with their Google credentials. Possible causes include:

  • A session timeout occurred, according to the timeout setting in the Admin console.
  • Their Google Account password changed.
  • Suspicious activity was detected in the Google Account.

The user can fix this issue by signing in to the device with their Windows account.

The user is prompted for 2-Step Verification for every sign-in

A user might be prompted to complete a second verification step every time they sign in to GCPW if the device is trying to auto-enroll in Windows device management and can't.

As an administrator, you can set the desired behavior:

  • If you want the device to auto-enroll:
    1. Confirm that Windows device management is enabled. Learn how
    2. Confirm that the user has a license that supports Windows device management. Review license requirements
  • If you don't want the device to auto-enroll (you only want to use GCPW for that user): Disable automatic device enrollment for their device.
    • If you manage GCPW in the Admin console, go to the Enroll in device management setting and uncheck the box. Learn how
    • If you manage GCPW with registry keys, set the enable_dm_enrollment registry key to 0. Learn how

User account issues

"Failed to add a new user. This computer only allows one user to be created... "

This message can appear if GCPW is set to allow only 1 work account, and a second user attempts to sign in using the Other User option.

As an administrator, you can allow multiple accounts (the default setting):

  • If you manage GCPW in the Admin console, go to the Manage multiple accounts setting and select Enabled. Learn how
  • If you manage GCPW with registry keys, set the enable_dm_enrollment registry key to 0. Learn how

Locked account issues

"Your account has been locked. Please contact a system administrator."

This message can appear if the user is trying to change their Windows password and enters their old Windows password incorrectly too many times.

A Windows Group Policy Object (GPO) setting determines the number of times a user can enter incorrect sign-in credentials before they're locked out of their Windows account.

Enrollment issues

"This device isn’t yet enrolled with your organization’s device management. Sign in with your work account."

This message can appear if the user's device isn't enrolled Windows device management. The user needs to sign in with their Google credentials using GCPW.

Network issues

"Can’t sign in to your work account. Make sure your device is connected to the internet and try again."

This message can appear if the user can't sign in to Windows using GCPW. Most likely, their device lost its connection to the Internet after the user opened the Google sign-in screen. Check the device's internet connection. If necessary, try to connect the device to another network.

"Make sure your device is connected to the internet and try again"

This issue occurs if the device's internet connection is lost after the user tries to open Google sign-in screen. Check the device's internet connection. If necessary, try to connect the device to another network.

Administration issues

I installed GCPW and can't sign in to my desktop remotely
GCPW doesn't add local user profiles it creates to the Remote Desktop Users group in Windows. You need to add them to the group manually or with an automated tool.
A user can't sign in to Windows using their Google credentials

This issue can occur if the user's Google Account password requirements aren't as complex as the Windows or Active Directory password requirements. For example, Windows might require a certain number of digits or capital letters, and the Google Account doesn't. Verify this issue by checking the Windows Application event logs.

To fix this issue, ask the user to reset their Google Account password so it meets your organization’s password requirements.

To avoid this issue, set password complexity requirements for users’ Google accounts to be the same or higher than their Active Directory or Windows password requirements. For details, see Manage your users' password settings.

The wrong policies were applied to a user's device after they signed in with their Google credentials

Though many users can sign in through GCPW on the same device, multiple users can't enroll in Windows device management on the same device.

When a user signs in through GCPW and has Windows device management turned on for them, the device is enrolled in Windows device management by default. The Windows device management settings configured for that user are applied to the device.

When another user signs in later, the first user's device-level settings, such as Windows updates, admin privileges, and BitLocker encryption, are enforced. User-level settings, such as some custom settings, can't be enforced for the second user.

The wrong user was automatically enrolled in Windows device management

When GCPW is set to auto-enroll users in Windows device management, the device is enrolled only for the first user who signs in to the device through GCPW. As an admin, you might set up a device for a user before the user signs in, and can get enrolled in Windows device management instead of the user.

To change who the device is enrolled in Windows device management for, you can unenroll the device. Learn how. Note: Unenrolling the device might not remove all the settings that were applied for the first user. If the next user signs in and a Windows setting is not configured that was configured for the first user, then the first user’s setting still applies.

GCPW doesn't seem to work properly (for example, passwords don't sync)

If some GCPW features don't work, such as the browser doesn't load or passwords don't sync, check that any security software doesn't block URLs required for GCPW function. Some possible blockers include Windows Defender, a desktop firewall, or other third-party security software.

Confirm that the following URLs are allowed:

Required for GCPW updates

  • www.google.com/dl/*
  • dl.google.com/*
  • google.com/dl/*
  • *.gvt1.com
  • tools.google.com/service/update2
  • clients2.google.com
  • update.googleapis.com/service/update2
  • clients4.google.com
  • https://m.google.com/devicemanagement/data/api

Required for other GCPW operations

  • .googleapis.com/
  • accounts.google.com/*

Contacting support

Gather diagnostic information
Before you contact support, we recommend you gather the following information so that a support specialist can help you resolve your issue faster:
  1. On the device, enable verbose logging and try to reproduce the issue. To enable verbose logging:
    1. On the device, click Start, and then click Run.
    2. In the Run box, enter regedit, and then click OK.
    3. In Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Google\GCPW.
    4. Right-click the GCPW folder and click Newand thenDWORD.
    5. For the name, enter enable_verbose_logging.
    6. Double-click the name and, in the Value data box, enter 1. (When you're done troubleshooting, change the value to 0 to turn off verbose logging).
    7. Click OK.
  2. On the device, export the registry folder at HKLMand thenSoftwareand thenGoogleand thenGCPW.
  3. Export the event viewer log:
    1. On the device, open Event Viewer by one of the following methods:
      • From the Windows Start menu, click Windows Administrative Toolsand thenEvent Viewer.
      • From the Windows Start menu, click Run. In the Run box, enter eventvwr.msc and press Enter.
    2. In Event Viewer, click Windows logsand thenApplication.

      All application events load, which can take a minute.

    3. Click Filter Current Log.
    4. Click Event sources and select the following sources:
      • GCPW
      • Device Management-Enterprise-Diagnostics-Provider (if you also use Windows device management)
    5. Click OK. The event list refreshes with only the events relevant to enhanced desktop security for Windows.
    6. Click Save All Events As.
    7. For File name, enter a name that includes the log type and the server it was exported from.
    8. For Save as type, select CSV (comma separated values).
    9. Click Save.
  4. Record the following information:
    • The version of Chrome Browser on the device
    • The affected account
    • The device serial number
    • A screenshot of any error messages
    • Any Chrome policies used on the device

More help

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false