Troubleshoot GCPW

This message can appear if a user tries to sign in to a device and you haven't set any allowed domains for the device.

As an administrator, you can add the user's domain to the list of permitted domains:

• If you manage GCPW in the Admin console, go to the Permitted domainssetting and enter allowed domains. Learn how

  It can take up to 1 hour for your update to sync to devices. If you have access to the device, you can manually sync the device:

  1. On the device, open Task Scheduler.
  2. In the Task Scheduler library, right-click GoogleUpdateTaskMachineUAand click Run.
  3. Wait a few minutes for the policies to update.
• If you manage GCPW with registry keys, set the domains_allowed_to_login registry key with the allowed domains. Learn how

If the user still can't sign in, contact Google Support .

This message can appear if the user's Google password doesn't synchronize with their Windows password. The user can enter their Windows password so GCPW can restore the synchronization.

If the user's Google Account and Windows passwords aren't in sync, GCPW asks the user for their current Windows password. This message can appear if the user enters an incorrect Windows password.

This message can appear when the Google sign-in screen can't open due to a Chrome Browser issue or a device policy issue.

To fix:

1. Confirm Chrome Browser is installed on the device. If not, install it.
2. If Chrome browser is installed, it might not be in the right place. Confirm that it is installed in C:\Program Files (x86)\Google\Chrome\Application\chrome.exeor C:\Program Files\Google\Chrome\Application\chrome.exe. If not, reinstall Chrome Browser in the correct location.
3. If the device has anti-virus software installed, confirm that this software doesn't prevent Chrome Browser from running.
4. If the device has a group policy object (GPO) that defines the Log on as batch jobpolicy, it might override the GPO that lets GCPW use a special account to request sign-in details from the user. To fix this:
   1. Find the GPO on the device and add gaiaas a user to the policy. For instructions, consult the Windows documentation.
   2. Reboot the device.
   3. Confirm that gaiais listed in the local policy.

If the user's Google Account password changed but their Windows password wasn't automatically synchronized on the device, GCPW asks the user if they want to reset their Windows password. This message appears if the password can't be reset.

This message can appear when a user needs to sign in again with their Google credentials. Possible causes include:

• A session timeout occurred, according to the timeout setting in the Admin console.
• Their Google Account password changed.
• Suspicious activity was detected in the Google Account.

The user can fix this issue by signing in to the device with their Windows account.

A user might be prompted to complete a second verification step every time they sign in to GCPW if the device is trying to auto-enroll in Windows device management and can't.

As an administrator, you can set the desired behavior:

• If you want the device to auto-enroll:
  1. Confirm that Windows device management is enabled. Learn how
  2. Confirm that the user has a license that supports Windows device management. Review license requirements
• If you don't want the device to auto-enroll (you only want to use GCPW for that user): Disable automatic device enrollment for their device.
  • If you manage GCPW in the Admin console, go to the Enroll in device managementsetting and uncheck the box. Learn how
  • If you manage GCPW with registry keys, set the enable_dm_enrollment registry key to 0. Learn how

This message can appear if GCPW is set to allow only 1 work account, and a second user attempts to sign in using the Other Useroption.

As an administrator, you can allow multiple accounts (the default setting):

• If you manage GCPW in the Admin console, go to the Manage multiple accountssetting and select Enabled. Learn how
• If you manage GCPW with registry keys, set the enable_dm_enrollment registry key to 0. Learn how

This message can appear if the user is trying to change their Windows password and enters their old Windows password incorrectly too many times.

A Windows Group Policy Object (GPO) setting determines the number of times a user can enter incorrect sign-in credentials before they're locked out of their Windows account.

This message can appear if the user's device isn't enrolled Windows device management. The user needs to sign in with their Google credentials using GCPW.

This message can appear if the user can't sign in to Windows using GCPW. Most likely, their device lost its connection to the Internet after the user opened the Google sign-in screen. Check the device's internet connection. If necessary, try to connect the device to another network.

This issue occurs if the device's internet connection is lost after the user tries to open Google sign-in screen. Check the device's internet connection. If necessary, try to connect the device to another network.

This issue can occur if the user's Google Account password requirements aren't as complex as the Windows or Active Directory password requirements. For example, Windows might require a certain number of digits or capital letters, and the Google Account doesn't. Verify this issue by checking the Windows Application event logs.

To fix this issue, ask the user to reset their Google Account password so it meets your organization’s password requirements.

To avoid this issue, set password complexity requirements for users’ Google accounts to be the same or higher than their Active Directory or Windows password requirements. For details, see Manage your users' password settings .

Though many users can sign in through GCPW on the same device, multiple users can't enroll in Windows device management on the same device.

When a user signs in through GCPW and has Windows device management turned on for them, the device is enrolled in Windows device management by default. The Windows device management settings configured for that user are applied to the device.

When another user signs in later, the first user's device-level settings, such as Windows updates, admin privileges, and BitLocker encryption, are enforced. User-level settings, such as some custom settings, can't be enforced for the second user.

When GCPW is set to auto-enroll users in Windows device management, the device is enrolled only for the first user who signs in to the device through GCPW. As an admin, you might set up a device for a user before the user signs in, and can get enrolled in Windows device management instead of the user.

To change who the device is enrolled in Windows device management for, you can unenroll the device. Learn how . Note:Unenrolling the device might not remove all the settings that were applied for the first user. If the next user signs in and a Windows setting is not configured that was configured for the first user, then the first user’s setting still applies.

If some GCPW features don't work, such as the browser doesn't load or passwords don't sync, check that any security software doesn't block URLs required for GCPW function. Some possible blockers include Windows Defender, a desktop firewall, or other third-party security software.

Confirm that the following URLs are allowed:

• accounts.google.com/*
• accounts.youtube.com/*
• android.clients.google.com/*
• clients2.google.com/*
• clients2.googleusercontent.com/*
• clients4.google.com/*
• clientservices.googleapis.com/*
• deviceenrollmentforwindows.googleapis.com/*
• devicemanagementforwindows.googleapis.com/*
• devicepasswordescrowforwindows-pa.googleapis.com/*
• dl.google.com/*
• firebaseperusertopics-pa.googleapis.com/*
• fonts.gstatic.com/*
• gcpw-pa.googleapis.com /*
• googleapis.com/*
• google.com/dl/*
• lh3.googleusercontent.com/*
• m.google.com /*
• m.google.com/devicemanagement/data/api/*
• mtalk.google.com/*
• optimizationguide-pa.googleapis.com/*
• play.google.com/*
• sb-ssl.google.com/*
• secureconnect-pa.clients6.google.com/*
• securitydomain-pa.googleapis.com/*
• ssl.gstatic.com /*
• tools.google.com/service/update2/*
• update.googleapis.com /*
• update.googleapis.com/service/update2/*
• www.googleapis.com/*
• www.google.com /*
• www.google.com/dl /*
• *.gvt1.com/*

Provide support with the following details:

• The Chrome browser version on the device
  1. Open Chrome browser.
  2. In the top-right corner, click More Help About Chrome.
• The affected account
  1. In the Start menu, click Windows System Runand enter cmd.
  2. In the Commandwindow, enter Get-LocalUser | Select-Object Name, SID
• The device's serial number
  1. In the Start menu, click Windows System Runand enter cmd.
  2. In the Commandwindow, enter Get-CimInstance -ClassName Win32_BIOS | Select-Object SerialNumber
• (Optional) Any Chrome policies used on the device
  1. Open Chrome browser.
  2. In the address bar, enter chrome://policy.
  3. Click More actions Export to JSON.
• A screenshot of any error messages

1. Open the Registry Editor:
   1. In the Start menu, click Windows System Run.

      Note: Alternatively, press the Windows key + R.

   2. In the Runbox, enter regedit.
   3. Click OK.
2. In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Google\GCPW.
3. Right-click the GCPWfolder and select New DWORD.
4. For Name, enter enable_verbose_logging.
5. Double-click the name and, in the Value databox, enter 1.
6. Click OK.

When you're finished troubleshooting, turn off verbose logging by changing the enable_verbose_loggingvalue to 0.

You can use the Event Viewer to export the log to a comma-separated values (CSV) text file:

1. On the device, use one of the following methods to open Event Viewer:
   • In the Start menu, click Windows Administrative Tools Event Viewer.
   • In the Start menu, click Run. In the Runbox, enter eventvwr.msc and then press Enter.
2. In the Event Viewer file browser, go to  Windows logs Application.
3. Right-click on  Application and select  Filter Current Log.
   1. For  Event sources, select GCPW.
   2. Click OK.

   The event list refreshes with only the events relevant to enhanced desktop security for Windows.

4. At the top, click  Action Save All Events As.
   1. For File name, enter a name that includes the log type and the server that it was exported from.
   2. For Save as type, select CSV.
   3. Click Save.
5. (Optional) To collect information from the Device Management Enterprise Diagnostics Provider using Windows device management:
   1. In the Event Viewer file browser, select Applications and Services Logs  Microsoft Windows  DeviceManagement-Enterprise-Diagnostic-Provider   Admin.
   2. Right-click  Adminand select Save All Events As.
   3. For File name, enter a name that includes the log type and the server that it was exported from.
   4. For Save as type, select CSV.

Alternatively, you can define a file path to capture GCPW event logs:

1. Open the Registry Editor:
   1. In the Start menu, click Windows System Run.

      Note: Alternatively, press the Windows key + R.

   2. In the Runbox, enter regedit.
   3. Click OK.
2. In the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Google\GCPW.
3. Create a new string value:
   1. For Value name, enter log_file_path.
   2. For Value data, enter the path (for example, C:\GCPW.log).
4. (Optional) To append to the log file instead of writing over it, create a DWORDentry named log_file_appendand set the value to 1.