Overview: Enhanced desktop security for Windows

As an administrator, you can set up company-owned and personal Microsoft Windows devices to use Google’s single-sign on (SSO) access security, push Windows settings, and wipe device data remotely.

Enhanced desktop security for Windows has two complementary features that can be set up together or individually:

• Google Credential Provider for Windows (GCPW)—Use Google Account authentication on Windows 10 devices.
• Windows device management—Manage Windows settings on enrolled devices.

At this post we will be focusing on the Windows device management

Requirements

License

• GCPW is available with all G Suite and Cloud Identity editions. However, to deploy GCPW and Windows device management together, you must have G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, or Cloud Identity Premium.
• Windows device management is available with G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, or Cloud Identity Premium.

System

• Windows 10 Pro, Pro for Workstations, Enterprise, or Education, version 1803 or later
• For GCPW, Chrome Browser 81 or later

Enable Windows device management

Recommended – Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

1. In your Google Admin console (at admin.google.com)…
2. Go to Devices.
3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
4. On the left, click SettingsWindows settings.
5. Click Desktop security setup.
6. Next to Windows device management, select Enabled.
7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit’s settings.

There are 2 ways to enroll a device

Manual way : Enroll a Windows device

1. Sign in to the Windows 10 device.
2. Open https://deviceenrollmentforwindows.googleapis.com/v1/deeplink in a Chrome or Edge browser.
3. In the message that asks whether you meant to switch apps, click Yes.
4. Enter the Google email address you would like to use for this feature.
5. Click Next to start device enrollment.
6. Sign in to your managed Google Account.

Automatic way : Enroll a Windows device

Automatic enrollment in Windows device management — If you use GCPW and Windows device management, devices are automatically enrolled in Windows device management.

Install GCPW

1. Get the GCPW installer onto the device. You can download the installer from https://tools.google.com/dlpage/gcpw and distribute it to devices using GPO or other deploy methods , or the user can download it directly.
2. On the device, run the installer:
   1. Open the Command Prompt.
   2. Run gcpwstandaloneenterprise64.msi as administrator.

Verify enrollment of a Windows device

1. In your Google Admin console (at admin.google.com)…
2. Go to Devices.
3. Click Endpoints.
4. Check the list of Windows devices to verify that the device enrolled. Tip: Click Add a filterManagement Type and select Enhanced desktop security to show only devices enrolled in Windows device management.

It’s very recommend to create A “playground” OU and move your user to this OU for testing before you deploy it to all your organization.

Apply Windows settings on the managed hosts.

• Set account permissions on Windows 10 devices
• Enable BitLocker encryption on a Windows 10 device
• Manage automatic updates for Windows 10 devices
• Understand custom settings for Windows 10 devices
• Add, edit, or delete custom settings for Windows 10 devices
• Common custom settings for Windows 10 devices
• Block apps on Windows 10 devices with custom settings
• Apply actions to custom settings for Windows 10 devices

Block apps on Windows 10 devices with custom settings.

Example XML For blocking EXE apps. (Putty and Ditto)

<RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="c6ed8334-5b63-4418-aa9f-653321413bb7" Name="%PROGRAMFILES%\\Ditto\\Ditto.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\\Ditto\\Ditto.exe" />
      </Conditions>
      <Exceptions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="0x7E988D388840A8AC096BE6BBF20F9657C025C452A2659BE9B7728A0FC0A67113" SourceFileName="Ditto.exe" SourceFileLength="5040128" />
        </FileHashCondition>
      </Exceptions>
    </FilePathRule>
    <FileHashRule Id="dd0060fd-79ff-4ba1-b3cb-c2b87be9fdf3" Name="putty.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="0x88D37305A54641AEAB56E8E134F82711E91A3F8F9FE3FC97F8A5A26EB9EBB99B" SourceFileName="putty.exe" SourceFileLength="883600" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>

Example XML For blocking Store apps. (Microsoft Store)

<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="21d5002d-f66c-4460-ae41-fc734e006eaa" Name="Microsoft.WindowsStore, version 12007.1001.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
        <BinaryVersionRange LowSection="12007.1001.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

Generating XML

1. Follow the instructions in the “Generating the XML” section of this Microsoft article. Stop following the instructions when you get to the “Creating the Policy” section. Note: These instructions describe how to create a policy for an application that is installed on the device. To create a policy for an application that isn’t installed on the device, in step 6, select Use a packaged app installer as a reference.
2. After you export the XML file, in Groups Policy editor, remove the policy you created. Otherwise, the policy is enforced on the device.

Create A Policy

Sync and test your policy manually