Deploying Google Credential Provider for Windows during Autopilot

Overview

Google Credential Provider for Windows (GCPW) is software provided by Google that lets users sign into Windows with their Google Workspace account. Google provides an installer script that can be deployed by your device management software, but deploying that script on its own quickly runs into one of GCPW's pre-requisites: Chrome must already be installed.

A Word About Timing

The timing and order in which configurations, scripts, and applications install during an Autopilot deployment can be a little bit tricky. In general, they begin to run in the following order:

  1. Platform Scripts (not tracked)
  2. Security Profiles (not tracked)
  3. Certificate Profiles
  4. Network Profiles
  5. Win32 OR Line-Of-Business Applications

As you can see, a Platform Script that relies on a Win32 application already being installed will often not work as intended. In many cases, letting this sort itself out after deployment is complete is not a huge issue, but for an application that manages your Windows logon, it is rather important that it be fully configured before the user ever reaches the sign-in screen.

Pre-Requisites

  1. Intune licensing (Entra ID P1 or P2 required for Autopilot)
  2. Google Workspace as your Identity Provider

We will not be going over setting up your Google Workspace, but Google’s instructions can be found here.

Process

To ensure that Chrome and GCPW install and are configured in the correct order, I have put together a script to install them both, packaged it as a Win32 app, and utilized that combined install app as a blocking app on the user Enrollment Status Page.

The PowerShell script I am using is available on my GitHub. Make sure to set your Google Workspace domain(s) in the $domainsAllowedToLogin variable near the top of the script.

<# Install Chrome using the latest installer available from Google.
   $env:TEMP has no trailing backslash, so build the path with Join-Path
   instead of concatenating the two strings. #>
$ProgressPreference = 'SilentlyContinue'   # Invoke-WebRequest is very slow in PS 5.1 with the progress bar on
$Installer = Join-Path $env:TEMP 'chrome_installer.exe'
Invoke-WebRequest -Uri "https://dl.google.com/chrome/install/latest/chrome_installer.exe" -OutFile $Installer
Start-Process -FilePath $Installer -ArgumentList "/silent /install" -Verb RunAs -Wait
Remove-Item $Installer -ErrorAction SilentlyContinue

<# Fail early if Chrome did not land; GCPW sign-in depends on it. 64-bit Chrome
   installs under Program Files, older builds under Program Files (x86). #>
$chromeExe = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
               "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe") |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $chromeExe) { Write-Host 'Chrome installation failed'; exit 1 }

<# This portion of the combined script has been sourced from the
Google Workspace Admin Help center here https://support.google.com/a/answer/9250996?hl=en&fl=1&sjid=3323556608127888066-NA
and modified to remove portions not necessary for an Intune
deployment, including admin checking, verifying that domains are
added to the "allowed to log in" list, and user-facing error handling -Krys#>

<# This script downloads Google Credential Provider for Windows from
https://tools.google.com/dlpage/gcpw/, then installs and configures it.
Windows administrator access is required to use the script. #>

<# Set the following key to the domains you want to allow users to sign in from.

For example:
$domainsAllowedToLogin = "acme1.com,acme2.com"
#>

$domainsAllowedToLogin = "acme1.com,acme2.com"

<# Choose the GCPW file to download. 32-bit and 64-bit versions have different names #>
$gcpwFileName = 'gcpwstandaloneenterprise.msi'
if ([Environment]::Is64BitOperatingSystem) {
    $gcpwFileName = 'gcpwstandaloneenterprise64.msi'
}

<# Download the GCPW installer to a full path in TEMP so msiexec does not depend
   on whatever working directory the Intune Management Extension happens to use. #>
$gcpwUrlPrefix = 'https://dl.google.com/credentialprovider/'
$gcpwUri = $gcpwUrlPrefix + $gcpwFileName
$gcpwPath = Join-Path $env:TEMP $gcpwFileName
Write-Host 'Downloading GCPW from' $gcpwUri
Invoke-WebRequest -Uri $gcpwUri -OutFile $gcpwPath

<# Run the GCPW installer silently and wait for it to finish. During the ESP this
   runs as SYSTEM in session 0, so any installer UI would never be seen; /qn keeps
   msiexec from waiting on a dialog nobody can click. #>
$arguments = "/i `"$gcpwPath`" /qn /norestart"
$installProcess = (Start-Process msiexec.exe -ArgumentList $arguments -PassThru -Wait)
Remove-Item $gcpwPath -ErrorAction SilentlyContinue

<# 0 is success; 3010 is success with a reboot pending, which Intune treats as a
   soft reboot by default. Anything else is a failure and is surfaced to Intune. #>
if ($installProcess.ExitCode -notin 0, 3010) {
    exit $installProcess.ExitCode
}

<# Set the required registry key with the allowed domains. Without this value GCPW
   is installed but will not let anyone sign in, so it belongs in the same script. #>
$registryPath = 'HKEY_LOCAL_MACHINE\Software\Google\GCPW'
$name = 'domains_allowed_to_login'
[microsoft.win32.registry]::SetValue($registryPath, $name, $domainsAllowedToLogin)

<# Pass the MSI result (0 or 3010) back to Intune. #>
exit $installProcess.ExitCode

Once you have the script packaged as a Win32 application (after testing it on your own machine and understanding what it does), upload the packaged app to Intune.

For our install string, we will call the PowerShell script:

%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file installChromeAndGCPW.ps1

For our uninstall string, we will call the uninstall script:

%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file uninstallChromeAndGCPW.ps1
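The page does not show the uninstall script it calls. The following is an added example of what uninstallChromeAndGCPW.ps1 could look like; it is not the author's script. It locates both products through the Uninstall registry keys rather than hard-coding version paths, removes GCPW by MSI product code and Chrome through its own setup.exe, then clears the GCPW configuration key so a later reinstall starts clean. The display-name matches, Chrome's --force-uninstall flag and the accepted exit codes are assumptions to verify on a test machine.

```powershell
# Added example uninstall script for the combined Chrome + GCPW Win32 app.
# Runs as SYSTEM under the Intune Management Extension; 64-bit PowerShell via sysnative.
$ErrorActionPreference = 'Stop'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue

# GCPW is an MSI. Its Uninstall subkey name is the product code GUID, so remove it
# by product code and the script keeps working when the MSI version changes.
# Display name match is an assumption; confirm it against a machine with GCPW installed.
$gcpw = $apps | Where-Object {
    $_.DisplayName -like 'Google Credential Provider*' -and $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$'
}
foreach ($entry in $gcpw) {
    Write-Host "Removing $($entry.DisplayName) $($entry.PSChildName)"
    $p = Start-Process msiexec.exe -ArgumentList "/x $($entry.PSChildName) /qn /norestart" -Wait -PassThru
    # 0 = removed, 3010 = removed but reboot pending, 1605 = product was already gone
    if ($p.ExitCode -notin 0, 3010, 1605) { exit $p.ExitCode }
}

# Chrome is an EXE installer. UninstallString looks like
#   "C:\Program Files\Google\Chrome\Application\<ver>\Installer\setup.exe" --uninstall --system-level
# Pull the quoted setup.exe path out and add --force-uninstall so no confirmation dialog is shown.
$chrome = $apps | Where-Object { $_.DisplayName -eq 'Google Chrome' -and $_.UninstallString }
foreach ($entry in $chrome) {
    if ($entry.UninstallString -match '^"([^"]+)"') {
        $setup = $Matches[1]
        Write-Host "Removing Google Chrome via $setup"
        $p = Start-Process -FilePath $setup -ArgumentList '--uninstall --system-level --force-uninstall' -Wait -PassThru
        # 19 is the Chrome installer's UNINSTALL_SUCCESSFUL status (assumed; check on a test machine)
        if ($p.ExitCode -notin 0, 19) { exit $p.ExitCode }
    }
}

# Drop the domains_allowed_to_login configuration so a reinstall does not inherit stale settings.
Remove-Item -Path 'HKLM:\SOFTWARE\Google\GCPW' -Recurse -Force -ErrorAction SilentlyContinue
exit 0
```

Because Intune's uninstall command also runs non-interactively, every removal here is forced silent; a confirmation prompt from either uninstaller would otherwise hang the job until it times out.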

For our detection method, we will look for the Credential Provider folder in Program Files.
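A folder check is enough to make the ESP wait for the install, but it reports success even if the MSI landed and the registry write did not, which would leave a device with a sign-in provider that accepts no domains. As an added example (not part of the original post), the same detection can be done with a script-based detection rule that also verifies Chrome and the domains_allowed_to_login value. The install folder C:\Program Files\Google\Credential Provider is taken from the page's description and should be confirmed on a test machine; the expected domain list must match the install script.

```powershell
# Added example: script-based detection rule for the combined Chrome + GCPW Win32 app.
# Intune treats exit code 0 WITH something on STDOUT as "detected"; any non-zero exit,
# or exit 0 with no output, is "not detected".
$ErrorActionPreference = 'SilentlyContinue'

$expectedDomains = 'acme1.com,acme2.com'   # keep in sync with $domainsAllowedToLogin in the install script
$gcpwFolder = Join-Path $env:ProgramFiles 'Google\Credential Provider'   # assumed GCPW install folder
$chromeCandidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
)
$gcpwRegKey = 'HKLM:\SOFTWARE\Google\GCPW'

$problems = @()

if (-not (Test-Path -LiteralPath $gcpwFolder)) {
    $problems += "GCPW folder missing: $gcpwFolder"
}

if (-not ($chromeCandidates | Where-Object { Test-Path -LiteralPath $_ })) {
    $problems += 'chrome.exe not found in Program Files or Program Files (x86)'
}

# GCPW reads this REG_SZ at logon; an empty or different value is a misconfigured device.
$domains = (Get-ItemProperty -Path $gcpwRegKey -Name 'domains_allowed_to_login').domains_allowed_to_login
if ([string]::IsNullOrWhiteSpace($domains)) {
    $problems += 'domains_allowed_to_login is not set'
}
elseif ($domains -ne $expectedDomains) {
    $problems += "domains_allowed_to_login is '$domains', expected '$expectedDomains'"
}

if ($problems.Count -eq 0) {
    Write-Output 'Chrome and GCPW installed and configured'   # STDOUT + exit 0 = detected
    exit 0
}

# Report why detection failed; this shows up in the IME log, not to the user.
Write-Output ($problems -join '; ')
exit 1
```

Point the Win32 app's detection rule at this script with "Run script as 32-bit process on 64-bit clients" set to No, so $env:ProgramFiles and the HKLM path resolve to the 64-bit view where the install script wrote them.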

After you assign your app and deploy, head over to your Enrollment Status Page settings and add your new app as a Blocking App.

From here, GCPW should install during your User ESP and be ready to go on first login.