- Sign in issues
- User account issues
- Locked account issues
- Enrollment issues
- Network issues
- Admin-related issues
- Contact Support
This message can appear if a user tries to sign in to a device and you haven't set any allowed domains for the device.
As an administrator, you can add the user's domain to the list of permitted domains:
- If you manage GCPW in the Admin console, go to the Permitted domains setting and enter allowed domains. Learn how
It can take up to 1 hour for your update to sync to devices. If you have access to the device, you can manually sync the device:
- On the device, open Task Scheduler.
- In the Task Scheduler library, right-click GoogleUpdateTaskMachineUA and click Run.
- Wait a few minutes for the policies to update.
- If you manage GCPW with registry keys, set the
domains_allowed_to_loginregistry key with the allowed domains. Learn how
If the user still can't sign in, contact Google Support.
This message can appear if the user's Google password doesn't synchronize with their Windows password. The user can enter their Windows password so GCPW can restore the synchronization.
If the user's Google Account and Windows passwords aren't in sync, GCPW asks the user for their current Windows password. This message can appear if the user enters an incorrect Windows password.
This message can appear when the Google sign-in screen can't open due to a Chrome Browser issue or a device policy issue.
- Confirm Chrome Browser is installed on the device. If not, install it.
- If Chrome browser is installed, it might not be in the right place. Confirm that it is installed in C:\Program Files (x86)\Google\Chrome\Application\chrome.exe or C:\Program Files\Google\Chrome\Application\chrome.exe. If not, reinstall Chrome Browser in the correct location.
- If the device has anti-virus software installed, confirm that this software doesn't prevent Chrome Browser from running.
- If the device has a group policy object (GPO) that defines the Log on as batch job policy, it might override the GPO that lets GCPW use a special account to request sign-in details from the user. To fix this:
- Find the GPO on the device and add gaia as a user to the policy. For instructions, consult the Windows documentation.
- Reboot the device.
- Confirm that gaia is listed in the local policy.
If the user's Google Account password changed but their Windows password wasn't automatically synchronized on the device, GCPW asks the user if they want to reset their Windows password. This message appears if the password can't be reset.
This message can appear when a user needs to sign in again with their Google credentials. Possible causes include:
- A session timeout occurred, according to the timeout setting in the Admin console.
- Their Google Account password changed.
- Suspicious activity was detected in the Google Account.
The user can fix this issue by signing in to the device with their Windows account.
A user might be prompted to complete a second verification step every time they sign in to GCPW if the device is trying to auto-enroll in Windows device management and can't.
As an administrator, you can set the desired behavior:
- If you want the device to auto-enroll:
- If you don't want the device to auto-enroll (you only want to use GCPW for that user): Disable automatic device enrollment for their device.
This message can appear if GCPW is set to allow only 1 work account, and a second user attempts to sign in using the Other User option.
As an administrator, you can allow multiple accounts (the default setting):
This message can appear if the user is trying to change their Windows password and enters their old Windows password incorrectly too many times.
A Windows Group Policy Object (GPO) setting determines the number of times a user can enter incorrect sign-in credentials before they're locked out of their Windows account.
This message can appear if the user's device isn't enrolled Windows device management. The user needs to sign in with their Google credentials using GCPW.
This message can appear if the user can't sign in to Windows using GCPW. Most likely, their device lost its connection to the Internet after the user opened the Google sign-in screen. Check the device's internet connection. If necessary, try to connect the device to another network.
This issue occurs if the device's internet connection is lost after the user tries to open Google sign-in screen. Check the device's internet connection. If necessary, try to connect the device to another network.
This issue can occur if the user's Google Account password requirements aren't as complex as the Windows or Active Directory password requirements. For example, Windows might require a certain number of digits or capital letters, and the Google Account doesn't. Verify this issue by checking the Windows Application event logs.
To fix this issue, ask the user to reset their Google Account password so it meets your organization’s password requirements.
To avoid this issue, set password complexity requirements for users’ Google accounts to be the same or higher than their Active Directory or Windows password requirements. For details, see Manage your users' password settings.
Though many users can sign in through GCPW on the same device, multiple users can't enroll in Windows device management on the same device.
When a user signs in through GCPW and has Windows device management turned on for them, the device is enrolled in Windows device management by default. The Windows device management settings configured for that user are applied to the device.
When another user signs in later, the first user's device-level settings, such as Windows updates, admin privileges, and BitLocker encryption, are enforced. User-level settings, such as some custom settings, can't be enforced for the second user.
When GCPW is set to auto-enroll users in Windows device management, the device is enrolled only for the first user who signs in to the device through GCPW. As an admin, you might set up a device for a user before the user signs in, and can get enrolled in Windows device management instead of the user.
To change who the device is enrolled in Windows device management for, you can unenroll the device. Learn how. Note: Unenrolling the device might not remove all the settings that were applied for the first user. If the next user signs in and a Windows setting is not configured that was configured for the first user, then the first user’s setting still applies.
If some GCPW features don't work, such as the browser doesn't load or passwords don't sync, check that any security software doesn't block URLs required for GCPW function. Some possible blockers include Windows Defender, a desktop firewall, or other third-party security software.
Confirm that the following URLs are allowed:
Required for GCPW updates
Required for other GCPW operations
- On the device, enable verbose logging and try to reproduce the issue. To enable verbose logging:
- On the device, click Start, and then click Run.
- In the Run box, enter regedit, and then click OK.
- In Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Google\GCPW.
- Right-click the GCPW folder and click NewDWORD.
- For the name, enter
- Double-click the name and, in the Value data box, enter 1. (When you're done troubleshooting, change the value to 0 to turn off verbose logging).
- Click OK.
- On the device, export the registry folder at HKLMSoftwareGoogleGCPW.
- Export the event viewer log:
- On the device, open Event Viewer by one of the following methods:
- From the Windows Start menu, click Windows Administrative ToolsEvent Viewer.
- From the Windows Start menu, click Run. In the Run box, enter eventvwr.msc and press Enter.
- In Event Viewer for GCPW log, click Windows logsApplication.
All application events load, which can take a minute.
- Click Filter Current Log.
- Click Event sources and select GCPW as the source.
- Click OK. The event list refreshes with only the events relevant to enhanced desktop security for Windows.
- Click Save All Events As.
- For File name, enter a name that includes the log type and the server it was exported from.
- For Save as type, select CSV (comma separated values).
- Click Save.
- On the device, open Event Viewer by one of the following methods:
- Collect Device Management-Enterprise-Diagnostics-Provider (only if you also use Windows device management):
- In Event Viewer, click Applications and Services Logs Microsoft Windows DeviceManagement-Enterprise-Diagnostic-Provider Admin.
- Right click on the Admin node.
- Follow the steps f to i in the above step to save logs.
- Record the following information:
- The version of Chrome Browser on the device
- The affected account
- The device serial number
- A screenshot of any error messages
- Any Chrome policies used on the device
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.