As an administrator, you can set up Google Credential Provider for Windows (GCPW) to let users sign in to a Windows 10 or 11 device with the Google Account they use for work or school. For company-owned devices, you or other IT professionals in your organization set up GCPW on the devices. For personal devices that the user has admin privileges on, you can have the user install GCPW.
Requirements
License requirements
- GCPW (standalone)—This feature is available with Cloud Identity Free and Cloud Identity Premium editions.
- GCPW with Windows device management—This feature is available with Cloud Identity Premium edition.
System requirements
- Windows 10 or 11 Pro, Pro for Workstations, Enterprise, or Education (32-bit and 64-bit versions only). ARM-based devices are not supported.
- Chrome browser version 81 or later (stable version), installed with admin privileges.
- Available disk space for ChromeOS (100 MB) and GCPW (3 MB).
- You need administrator privileges on the device to run the installer, or you can deploy the installer to devices using software deployment tools.
- GCPW is not compatible with third-party providers of mobile device management.
Before you begin–Prepare for your deployment
- If you haven't already, prepare to install GCPW and install Chrome browser on the devices.
- If you plan to use Chrome Enterprise Core, set it up before you install GCPW. For details, see Set up Chrome Enterprise Core.
Step 1: Download GCPW
You must be signed in as a super administrator for this task.
The following steps describe how to set up GCPW manually. You can also use an app distribution tool or Microsoft PowerShell script to distribute and install GCPW. For details, see the example PowerShell script.
- Sign in to your Google Admin console. Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Mobile and endpoints > Settings > Windows.
- Click Google Credential Provider for Windows setup > Download GCPW.
- Download the 64-bit or 32-bit GCPW installation file and distribute it to devices.
Step 2: Set GCPW allowed domains and optional settings
Use the configuration method that meets your goals:
- To apply the same settings to all Windows devices in your organization, the easiest way is to use your Admin console.
- To apply different settings for different devices, leave the Admin console settings as Not configured and edit the registry settings on each device.
Note: Admin console settings override registry settings if both are configured.
Configure GCPW settings in your Admin console (recommended)
To use GCPW, you must set permitted domains. To set permitted domains in the Admin console, the device must have an enrollment token on it. There are several ways to set a token:
- If you downloaded GCPW from the Admin console, your installation file automatically sets the token and you can proceed.
- If you previously set enrollment tokens for Chrome Enterprise Core, these tokens also let you manage GCPW settings from the Admin console.
- If you downloaded GCPW from the classic download page (https://tools.google.com/dlpage/gcpw/), your installation file doesn't include a token. Without the token, you can't change your permitted domains from the Admin console, but you can edit the settings in Devices > Mobile & endpoints > Settings > Windows settings > GCPW settings. If needed, set the GCPW token on devices.
Edit settings in your Admin console
You must be signed in as a super administrator for this task.
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
- Sign in to your Google Admin console. Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Mobile & endpoints > Settings > iOS.
- Click Google Credential Provider for Windows (GCPW) setup > Permitted domains.
- Enter the domains that are allowed to sign in with GCPW. If you don't add any domains, no users can sign in through GCPW.
- Click Save. It can take up to an hour for permitted domains to sync to devices.
Permitted domains is the only required setting. To configure other GCPW settings, go on to the next steps.
- At the top of the page in the breadcrumb, click Windows settings.
- Click GCPW Settings.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Click any of the following settings and update them, as needed:
Setting: Auto-update GCPW
Description and setup: To get new versions of GCPW installed automatically on Windows devices, check the Automatically update GCPW box (it's checked by default).
To allow updates only up to a specific version, check the Prevent updates after a specific version box and enter the last allowed version. You might want to use this option if you want to test the latest version before deploying it to all your users.
Note: You'll need to update this setting as you approve versions so users aren't blocked from getting new features and security updates. If you enter a version that is earlier than the version installed on a device, GCPW isn't rolled back to that version.
To turn off auto-updates for GCPW (not recommended), uncheck the Automatically update GCPW box.

Setting: Manage multiple accounts
Description and setup: To allow more than one Google Workspace account to sign in to a device through GCPW, select Enabled. If you use Windows device management, even if you allow multiple accounts for GCPW, only one user can be enrolled in Windows device management per device.
To allow only one Google Workspace account to sign in to a device through GCPW, select Disabled.
When set to Not configured, more than one Google Workspace account can sign in to a device unless the enable_multi_user_login registry setting is set to 0 on the device.

Setting: Enroll in device management
Description and setup: If your organization uses Windows device management, you can have devices automatically enroll when a user first signs in through GCPW.
If the Automatically enroll in device management box isn't checked and your organization uses Windows device management, you must manually enroll devices unless you set the enable_dm_enrollment registry key to 1 on the device.

Setting: Offline access
Description and setup: To limit how long users are allowed to sign in to their devices through GCPW while offline, change the value to Enabled and set the number of days.
When the limit expires, a user won't be able to sign in to their device until they connect to the internet.
When set to Not configured, a user is allowed to sign in while offline indefinitely unless the validity_period_in_days registry setting is set on the device.

- Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit.
GCPW settings sync to devices every hour, so it can take up to 1 hour for your settings to be applied and the user to be able to sign in through GCPW.
If you don’t manage GCPW with the settings in the Admin console, or you want to set values for settings that aren’t configured in the Admin console, you can set them in each device’s registry.
The following instructions describe how to set up registry keys manually, but you or a user with admin privileges can also set up keys with a PowerShell script.
Note: If you configure GCPW in your Admin console and a device's registry, the Admin console settings override registry settings.
- Configure the mandatory registry key that allows users in the specified domains to sign in with GCPW, and any other registry keys your organization needs.
Setting: Required: Specify the domains that are allowed to sign in with GCPW.
Note: Users can’t sign in with GCPW until this registry key is set up.
Default: No domains are allowed to sign in with GCPW
Setup
- From the Windows Start menu, click Run.
- In the Run box, enter regedit.
- In Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Google, right-click Google, and click New > Key to create a folder.
- Name the folder GCPW.
- Right-click the GCPW folder and click New > String Value.
- For the name, enter domains_allowed_to_login.
- Double-click the name and, in the Value data box, enter a comma-separated list of allowed domain names. For example: example.com, example.org, example.net.
- Click OK.

Setting: Turn off automatic enrollment in Windows device management
Default: 1 (automatically enroll devices)
Setup
- In Registry Editor, right-click the GCPW folder and click New > DWORD.
- For the name, enter enable_dm_enrollment.
- Double-click the name and, in the Value data box, enter 0. If you ever want to reset the key to allow automatic enrollment, change the value to 1.
- Click OK.

Setting: Require users to sign in online after their device is offline a set time
Default: No value (online sign-in isn’t enforced)
Setup
- In Registry Editor, right-click the GCPW folder and click New > DWORD.
- For the name, enter validity_period_in_days.
- Double-click the name and, in the Value data box, enter the number of days between online GCPW sign-ins.
  For example, if you enter 5, the user needs to sign in online after their device is offline for 5 days. If you enter 0, the user needs to sign in online immediately after the device is disconnected from the internet.
- Click OK.

Setting: Allow only one user to sign in to the device with a Google Account
Default: Multiple users can sign in to a device with their Google Account. If you use Windows device management, even if you allow multiple accounts for GCPW, only one user can be enrolled in Windows device management per device.
Setup
- In Registry Editor, right-click the GCPW folder and click New > DWORD.
- For the name, enter enable_multi_user_login.
- Double-click the name and, in the Value data box, enter 0. If you ever want to reset the key to allow automatic multiple accounts on the device, change the value to 1.
- Click OK.

Setting: Lets a user sign in with GCPW for the first time with their existing local Windows profile (without clicking Add Work Account)
Default: GCPW sign-in doesn’t use the existing local profile. Users must click Add Work Account when they first sign in.
Setup
- In Registry Editor, right-click the GCPW folder and click New > Key.
- Name the key Users.
- Right-click the Users folder and click New > Key.
- Name the key the user’s Windows account SID (security identifier). To find a user’s SID, refer to Microsoft’s documentation.
- Right-click the SID folder and click New > String Value.
- For the name, enter email.
- Double-click the name and, in the Value data box, enter the work account you want to associate with the user's local Windows account. Use the user's full email address, such as [email protected].
- Click OK.

Setting: Have GCPW set up a new Windows account name that is only the username part of the user's work or school email address
Default: When GCPW creates a Windows profile for the user on first sign-in (you don't associate Google Accounts with existing Windows profiles or no Windows profile exists), the account name is generated from the user's email address with the format username_domain.
Setup
- In Registry Editor, right-click the GCPW folder and click New > DWORD.
- For the name, enter use_shorter_account_name.
- Double-click the name and, in the Value data box, enter 1.
- Click OK.

- Restart the device.
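The registry settings above can also be applied and audited from an elevated PowerShell session. The following is an added example, not Google's script: the function names and the sample values are assumptions, while the value names and their String/DWORD types are the ones listed in the table. It also reports any value that is missing or stored with the wrong type, which manual regedit edits tend to hide.

```powershell
# Added example (not part of the original page). Run elevated.
# Value names and types come from the table above; the values are constructed samples.
$gcpwKey = 'HKLM:\SOFTWARE\Google\GCPW'
$desired = [ordered]@{
    domains_allowed_to_login = @{ Kind = 'String'; Value = 'example.com,example.org' }
    enable_dm_enrollment     = @{ Kind = 'DWord';  Value = 0 }
    validity_period_in_days  = @{ Kind = 'DWord';  Value = 5 }
    enable_multi_user_login  = @{ Kind = 'DWord';  Value = 0 }
    use_shorter_account_name = @{ Kind = 'DWord';  Value = 1 }
}

# Hypothetical helper: create the GCPW key if needed and write each value with its type.
function Set-GcpwRegistrySetting {
    param([string] $KeyPath, [System.Collections.IDictionary] $Settings)
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($name in $Settings.Keys) {
        $entry = $Settings[$name]
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType $entry.Kind `
            -Value $entry.Value -Force | Out-Null
    }
}

# Hypothetical helper: return one object per value that is missing, mistyped, or different.
function Get-GcpwRegistryDrift {
    param([string] $KeyPath, [System.Collections.IDictionary] $Settings)
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $Settings.Keys) {
        $entry  = $Settings[$name]
        $actual = $null
        $kind   = 'Missing'
        if ($key -and ($key.GetValueNames() -contains $name)) {
            $actual = $key.GetValue($name)
            $kind   = $key.GetValueKind($name).ToString()
        }
        # A DWORD stored as a string (or the reverse) counts as drift.
        if ($kind -ne $entry.Kind -or $actual -ne $entry.Value) {
            [pscustomobject]@{ Name = $name; Expected = $entry.Value; Actual = $actual; Kind = $kind }
        }
    }
}

Set-GcpwRegistrySetting -KeyPath $gcpwKey -Settings $desired
$drift = @(Get-GcpwRegistryDrift -KeyPath $gcpwKey -Settings $desired)
if ($drift.Count -eq 0) {
    Write-Host 'GCPW registry settings match the desired state.'
} else {
    $drift | Format-Table -AutoSize
}
```

Admin console settings still override these registry values when both are configured, so run the drift check only against settings left as Not configured in the console.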
Step 3: Install GCPW
You can install GCPW in several ways:
- Manually, as described in this section.
- Using a PowerShell script. For details, see the example PowerShell script.
- Using a third-party app distribution tool or as part of your PC system image.
To install GCPW manually
- On the device, run the installer. You can double-click the installation file or run it from Command Prompt:
  - Open the Command Prompt.
  - To install the 64-bit client, run gcpwstandaloneenterprise64.exe as administrator. To install the 32-bit client, run gcpwstandaloneenterprise.exe as administrator. To run the installer in silent mode, include the arguments /silent /install.
  The installation creates 4 files:
  - C:\Program Files\Google\CredentialProvider\version number\Gaia.dll
  - C:\Program Files\Google\CredentialProvider\version number\gcp_setup.exe
  - C:\Program Files\Google\CredentialProvider\version number\gcp_eventlog_provider.dll
  - C:\Program Files\Google\CredentialProvider\version number\extension\gcpw_extension.exe
- (Optional) To help Google improve GCPW, on the device you can enable automatic error reporting for GCPW.
Step 4: Manage GCPW devices
User experience
- The user can now sign in to the device with GCPW. If allowed, they can manage their device password by managing their Google Account password.
- If they have problems signing in, you can help them by following the instructions in Troubleshoot GCPW.
Admin management
- You can review device details in your Admin console after users sign in for the first time.
- If you need to reset a user’s password, we strongly recommend that you reset their passwords for them in the Admin console. If you require a password reset through Microsoft Active Directory or another tool, they’ll have to update their Windows password and then update their Google Account password to match. For users who aren’t allowed to update their own password, such as students, they’ll be locked out of their account.
Set up GCPW with a PowerShell script
You can use a PowerShell script to download GCPW, install it, and optionally set registry keys. We recommend that you use the Admin console to manage GCPW settings.
Note: Google doesn't provide support for using example scripts. You should have experience using PowerShell scripts before using the example script.
Example script
This script downloads GCPW from the classic public site (no organization-specific token included) and installs it, then configures the required registry key that restricts device sign-ins to accounts in specific domains. To use the script, copy it into a text editor and enter the allowed domains in line 11 (the $domainsAllowedToLogin assignment). If you want to manage GCPW settings in the Admin console, get the token from the Admin console and use the script to set a registry key with the token.
<# This script downloads Google Credential Provider for Windows from
https://tools.google.com/dlpage/gcpw/, then installs and configures it.
Windows administrator access is required to use the script. #>

<# Set the following key to the domains you want to allow users to sign in from.

For example:
$domainsAllowedToLogin = "solarmora.com,altostrat.com"
#>

$domainsAllowedToLogin = ""

Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName PresentationFramework

<# Check if one or more domains are set #>
if ($domainsAllowedToLogin.Equals('')) {
    $msgResult = [System.Windows.MessageBox]::Show('The list of domains cannot be empty! Please edit this script.', 'GCPW', 'OK', 'Error')
    exit 5
}

function Is-Admin() {
    $admin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match 'S-1-5-32-544')
    return $admin
}

<# Check if the current user is an admin and exit if they aren't. #>
if (-not (Is-Admin)) {
    $result = [System.Windows.MessageBox]::Show('Please run as administrator!', 'GCPW', 'OK', 'Error')
    exit 5
}

<# Choose the GCPW file to download. 32-bit and 64-bit versions have different names #>
$gcpwFileName = 'gcpwstandaloneenterprise.msi'
if ([Environment]::Is64BitOperatingSystem) {
    $gcpwFileName = 'gcpwstandaloneenterprise64.msi'
}

<# Download the GCPW installer. #>
$gcpwUrlPrefix = 'https://dl.google.com/credentialprovider/'
$gcpwUri = $gcpwUrlPrefix + $gcpwFileName
Write-Host 'Downloading GCPW from' $gcpwUri
Invoke-WebRequest -Uri $gcpwUri -OutFile $gcpwFileName

<# Run the GCPW installer and wait for the installation to finish #>
$arguments = "/i `"$gcpwFileName`""
$installProcess = (Start-Process msiexec.exe -ArgumentList $arguments -PassThru -Wait)

<# Check if installation was successful #>
if ($installProcess.ExitCode -ne 0) {
    $result = [System.Windows.MessageBox]::Show('Installation failed!', 'GCPW', 'OK', 'Error')
    exit $installProcess.ExitCode
}
else {
    <# 'Information' is the MessageBoxImage member name; 'Info' does not convert to that enum #>
    $result = [System.Windows.MessageBox]::Show('Installation completed successfully!', 'GCPW', 'OK', 'Information')
}

<# Set the required registry key with the allowed domains #>
$registryPath = 'HKEY_LOCAL_MACHINE\Software\Google\GCPW'
$name = 'domains_allowed_to_login'
[microsoft.win32.registry]::SetValue($registryPath, $name, $domainsAllowedToLogin)

<# Read the value back to confirm the write succeeded #>
$domains = Get-ItemPropertyValue HKLM:\Software\Google\GCPW -Name $name

if ($domains -eq $domainsAllowedToLogin) {
    $msgResult = [System.Windows.MessageBox]::Show('Configuration completed successfully!', 'GCPW', 'OK', 'Information')
}
else {
    $msgResult = [System.Windows.MessageBox]::Show('Could not write to registry. Configuration was not completed.', 'GCPW', 'OK', 'Error')
}
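The example script runs the downloaded MSI with administrator rights without checking what was downloaded. The following added example (not part of Google's script) verifies the installer's Authenticode signature before calling msiexec; the function name, the download location, and the expected signer name 'Google LLC' are assumptions to confirm against a known-good copy of the installer.

```powershell
# Added example (not part of the original script). Run elevated.
# Hypothetical helper: accept the file only if its signature is valid and the signer matches.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status for $Path is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }
    # Compare the certificate's simple name exactly instead of substring-matching the subject DN.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedSigner) {
        Write-Warning "Unexpected signer '$signer' (expected '$ExpectedSigner')."
        return $false
    }
    return $true
}

$expectedSigner = 'Google LLC'   # assumption: verify against a known-good installer
$gcpwFileName = 'gcpwstandaloneenterprise.msi'
if ([Environment]::Is64BitOperatingSystem) {
    $gcpwFileName = 'gcpwstandaloneenterprise64.msi'
}
$installerPath = Join-Path $env:TEMP $gcpwFileName   # assumption: download location
Invoke-WebRequest -Uri ('https://dl.google.com/credentialprovider/' + $gcpwFileName) -OutFile $installerPath

if (-not (Test-InstallerSignature -Path $installerPath -ExpectedSigner $expectedSigner)) {
    Remove-Item -Path $installerPath -Force
    Write-Error 'GCPW installer failed signature verification; nothing was installed.'
    exit 1
}

# Record the hash so the deployed binary can be traced in change records.
$hash = (Get-FileHash -Path $installerPath -Algorithm SHA256).Hash
Write-Host "Installing $gcpwFileName (SHA256 $hash)"
$install = Start-Process msiexec.exe -ArgumentList "/i `"$installerPath`" /qn" -PassThru -Wait
exit $install.ExitCode
```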