As an administrator, you can control Windows 10 or 11 device security and features by applying policy settings. Some of these settings apply only to Windows devices with Google Credential Provider for Windows installed on them, and some apply only to devices under Windows device management. For details about these management options, see Overview: Enhanced desktop security for Windows.
Find the settings
Before you begin:If you need to set up a department or team for this setting, go to Add an organizational unit .
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go toMenu Devices > Mobile and endpoints > Settings > Windows .
Requires having the Services and devices administrator privilege.
- Click a settings category and setting.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- Update the setting.
- Click Save.Or, you might click Overridefor an organizational unit
.
To later restore the inherited value, click Inherit.
After you update a setting, it can take 3–6 hours for the change to apply to devices.
Windows settings reference
Google Credential provider for Windows (GCPW) setup
Download GCPWGet a 64-bit or 32-bit installation file for GCPW for your organization. For instructions, see Install Google Credential Provider for Windows .
You can also copy and regenerate the GCPW token. For details, see Regenerate the GCPW token .
To allow users to sign in through GCPW, you must specify the allowed domains for users' Google accounts. Until you specify at least one domain, no users can sign in. For details, see Install Google Credential Provider for Windows .
GCPW Settings
Supported for devices with GCPW
Auto-update GCPWTo get new versions of GCPW installed automatically on Windows devices, check the Automatically update GCPW box (it's checked by default).
To allow updates only up to a specific version, check the Prevent updates after a specific version box and enter the last allowed version. You might want to use this option if you want to test the latest version before deploying it to all your users.
Note:You'll need to update this setting as you approve versions so users aren't blocked from getting new features and security updates. If you enter a version that is earlier than the version installed on a device, GCPW isn't rolled back to that version.
To turn off auto-updates for GCPW (not recommended), uncheck the Automatically update GCPW box.
To set up a test organizational unit differently from the rest of your organization:
- Select the top organizational unit.
- Check the Automatically update GCPW and Prevent updates after a specific version boxes, and enter the latest version you want people to use.
- Click Save.
- Select the organizational unit that contains users with test devices.
- Check the Automatically update GCPW box and uncheck the Prevent updates after a specific version box.
- Click Override.
To allow more than one Google Workspace account to sign in to a device through GCPW, select Enabled. If you use Windows device management, even if you allow multiple accounts for GCPW, only one user can be enrolled in Windows device management per device.
To allow only one Google Workspace account to sign in to a device through GCPW, select Disabled.
When set to Not configured, then more than one Google Workspace account can sign in to a device unless the enable_multi_user_login
registry setting is set to 0on the device.
If your organization uses Windows device management, you can have devices automatically enroll when a user first signs in through GCPW.
If the Automatically enroll in device management box isn't checked and your organization uses Windows device management, you must manually enroll devices
unless you set the enable_dm_enrollment
registry key to 1on the device.
To limit how long users are allowed to sign in to their devices through GCPW while offline, change the value to Enabledand set the number of days.
When the limit expires, a user won't be able to sign in to their device until they connect to the internet.
When set to Not configured, a user is allowed to sign in while offline indefinitely unless the validity_period_in_days
registry setting is set on the device.
Windows management setup
Windows device managementTo turn on Windows device management for your organization, select Enabled. You might want to wait to enable Windows device management until you configure any policies. For instructions, see Set up GCPW and Windows device management .
To turn off Windows device management, select Disabled.
Account settings
Supported for devices under Windows device management
Administrative privilegesSet the privileges users have on devices managed with Windows device management:
- To revoke admin privileges, select Standard User.
- To give users admin privileges, select Local Administrator.
You can also give administrative privileges on the device to Active Directory (AD) users, AD groups, or local users.
Note:If you don't enter any values, any existing local admin accounts are removed from devices. If User account typeis set to Standard User, then no local admin account is available on devices. In this case, to take admin actions on the device you'll need to temporarily grant privileges to the user.
For details, see Set account permissions on Windows 10 or 11 devices .
Windows Update settings
Supported for devices under Windows device management
Windows automatic updatesSet how and when your organization’s Windows 10 or 11 devices receive security updates and other important downloads through the Windows automatic updating service.
For details, see Manage automatic updates for Windows 10 or 11 devices .
BitLocker settings
Supported for devices under Windows device management
BitLocker drive encryptionSet how Windows 10 or 11 devices and drives are encrypted.
For details, see Enable BitLocker encryption on a Windows 10 or 11 device .
Custom settings
Supported for devices under Windows device management
Custom settingsManage Windows settings and features that aren't available to set in the Google Admin console. You can also block and deploy apps.
Learn more:
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
