Overview: Enhanced desktop security for Windows
As an administrator, you can set up company-owned and personal Microsoft Windows devices to use Google’s single sign-on (SSO) access security, push Windows settings, and wipe device data remotely.
Enhanced desktop security for Windows has two complementary features that can be set up together or individually:
- Google Credential Provider for Windows (GCPW)—Use Google Account authentication on Windows 10 devices.
- Windows device management—Manage Windows settings on enrolled devices.
In this post we will focus on Windows device management.
Requirements
License
- GCPW is available with all G Suite and Cloud Identity editions. However, to deploy GCPW and Windows device management together, you must have G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, or Cloud Identity Premium.
- Windows device management is available with G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, or Cloud Identity Premium.
System
- Windows 10 Pro, Pro for Workstations, Enterprise, or Education, version 1803 or later
- For GCPW, Chrome Browser 81 or later
Enable Windows device management
Recommended – Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.
- In your Google Admin console (at admin.google.com)…
- Go to Devices.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- On the left, click Settings and then Windows settings.
- Click Desktop security setup.
- Next to Windows device management, select Enabled.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit’s settings.
There are two ways to enroll a device.
Manual way: Enroll a Windows device
- Sign in to the Windows 10 device.
- Open https://deviceenrollmentforwindows.googleapis.com/v1/deeplink in a Chrome or Edge browser.
- In the message that asks whether you meant to switch apps, click Yes.
- Enter the Google email address you would like to use for this feature.
- Click Next to start device enrollment.
- Sign in to your managed Google Account.
Automatic way: Enroll a Windows device
Automatic enrollment in Windows device management — If you use GCPW and Windows device management, devices are automatically enrolled in Windows device management.
Install GCPW
- Get the GCPW installer onto the device. You can download the installer from https://tools.google.com/dlpage/gcpw and distribute it to devices using GPO or another deployment method, or the user can download it directly.
- On the device, run the installer:
- Open the Command Prompt.
- Run gcpwstandaloneenterprise64.msi as administrator.
Verify enrollment of a Windows device
- In your Google Admin console (at admin.google.com)…
- Go to Devices.
- Click Endpoints.
- Check the list of Windows devices to verify that the device enrolled. Tip: Click Add a filter, then Management Type, and select Enhanced desktop security to show only devices enrolled in Windows device management.


It is strongly recommended to create a “playground” OU and move your test users into it before you deploy the settings to the whole organization.

Apply Windows settings on the managed hosts.
- Set account permissions on Windows 10 devices
- Enable BitLocker encryption on a Windows 10 device
- Manage automatic updates for Windows 10 devices
- Understand custom settings for Windows 10 devices
- Add, edit, or delete custom settings for Windows 10 devices
- Common custom settings for Windows 10 devices
- Block apps on Windows 10 devices with custom settings
- Apply actions to custom settings for Windows 10 devices
Block apps on Windows 10 devices with custom settings.
Example XML for blocking EXE apps (PuTTY and Ditto):
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="c6ed8334-5b63-4418-aa9f-653321413bb7" Name="%PROGRAMFILES%\Ditto\Ditto.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\Ditto\Ditto.exe" />
    </Conditions>
    <Exceptions>
      <FileHashCondition>
        <FileHash Type="SHA256" Data="0x7E988D388840A8AC096BE6BBF20F9657C025C452A2659BE9B7728A0FC0A67113" SourceFileName="Ditto.exe" SourceFileLength="5040128" />
      </FileHashCondition>
    </Exceptions>
  </FilePathRule>
  <FileHashRule Id="dd0060fd-79ff-4ba1-b3cb-c2b87be9fdf3" Name="putty.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FileHashCondition>
        <FileHash Type="SHA256" Data="0x88D37305A54641AEAB56E8E134F82711E91A3F8F9FE3FC97F8A5A26EB9EBB99B" SourceFileName="putty.exe" SourceFileLength="883600" />
      </FileHashCondition>
    </Conditions>
  </FileHashRule>
</RuleCollection>
Example XML for blocking Store apps (Microsoft Store):
<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="21d5002d-f66c-4460-ae41-fc734e006eaa" Name="Microsoft.WindowsStore, version 12007.1001.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
        <BinaryVersionRange LowSection="12007.1001.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
Generating XML
- Follow the instructions in the “Generating the XML” section of this Microsoft article, and stop when you reach the “Creating the Policy” section. Note: These instructions describe how to create a policy for an application that is installed on the device. To create a policy for an application that isn’t installed on the device, in step 6, select Use a packaged app installer as a reference.
- After you export the XML file, remove the policy you created in the Group Policy Editor. Otherwise, the policy stays enforced on that device.
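As an added example (not part of the original post or of Google's or Microsoft's documentation), the same kind of Deny hash rule can be produced with the built-in AppLocker cmdlets and dry-run with Test-AppLockerPolicy before the XML is pasted into the custom setting; the target path and output file name are assumptions.

```powershell
# Added example, not from the original post. Builds a Deny hash rule for one
# executable and dry-runs the resulting policy before it is deployed through
# Windows device management. Run in an elevated PowerShell on Windows 10
# Pro/Enterprise. Assumptions: the target path and the output location.
$Target = 'C:\Program Files\Ditto\Ditto.exe'
$Policy = Join-Path $env:TEMP 'applocker-deny-ditto.xml'

# 1. Let AppLocker compute the hash it actually matches on (this is not always
#    the plain Get-FileHash value of the file) and emit a rule as policy XML.
$xml = Get-AppLockerFileInformation -Path $Target |
       New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Block' -Xml

# 2. New-AppLockerPolicy only writes Allow rules; flip the generated rule to Deny.
$xml = $xml -replace 'Action="Allow"', 'Action="Deny"'
Set-Content -Path $Policy -Value $xml -Encoding UTF8

# 3. Dry run. The target should come back as Denied. A benign system binary
#    coming back as DeniedByDefault shows the Exe collection still lacks the
#    default Allow rules from the post (Program Files, Windows folder, local
#    Administrators); enforcing it as-is would block every other executable.
Test-AppLockerPolicy -XmlPolicy $Policy -User Everyone `
    -Path $Target, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Merge the generated FileHashRule into a collection that already contains the three default Allow rules, then re-run step 3 until only the intended binaries are Denied.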
Create a Policy



Sync and test your policy manually


