Re: GCPW updates?

arussell · 02-08-2023 09:55 AM

Hey guys. I work for a non-profit and am looking to upgrade our account primarily to get access to the Advanced Endpoint Management and Enhanced Desktop Security for Windows. In particular I am looking to leverage GCPW and drive together on a couple hundred mahinces.

On the test laptops I have used to seemed to work great. What gives me pause is that there were a lot of updates being released and then they stopped. The last release being in September of 2021.
https://support.google.com/a/answer/9818093

Is there a road map for Advanced Endpoint Management/Enhanced desktop security for Windows/GCPW?

Sorry in advance if I am asking the wrong place.

ajojose33333344

@arussell If a product is stable why would there be any updates, I am just asking not sure about this scenario here.

Are you facing any issues while using GCPW?

EzequielBlejman

We can assume that the product is "stable" but it lacks of tons of features and patches to fix sync issues. I implemented GCPW + enhanced desktop security a couple month after its release, its OK, login with google account is fine but there are a lot of problems managing windows features, policies and compliance.

ajojose33333344

@EzequielBlejman I agree but GCPW basically intends to be the credential provider,

I suppose you are talking about windows management and in total the Enhanced desktop Security here, and here are some common custom settings you can use for compliance:

https://support.google.com/a/answer/9852044?hl=en&ref_topic=9541297#zippy=

And yes, I agree with the fact that you won't get full control over a windows machine using windows management, google is focusing more on chrome os is what I understood from the recent conferences that I have attended, not sure if they will do much for interoperability so do Microsoft.

ajojose33333344

@EzequielBlejman If you have any specific questions in mind please let us know such that we can see if there is a way to address the same.

arussell

I only really need to manage a handful of settings like bitlocker, auto locking the workstation, and windows updates. That in conjunction with GCPW managing credentials and Google Drive for desktop covers everything.

There was a lot of information in 2021, for example https://www.youtube.com/watch?v=noBNNEJCGUU and then it stopped. There is still no offical support for Windows 11. I can potentially get rid of Active Directory and file servers. Which would be amazing.

ajojose33333344

@arussell To auto lock workstation based on the time of inactivity:

Automatically lock a device after it's idle for a set time (in minutes)

To set a timeout, you must also explicitly turn on device lock:

Set the idle timeout:
Name: MaxInactivityTimeDeviceLock
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock
Data type: Integer
Value: 0–999, 0 = No timeout (default)
Turn on device lock.

For more info: link

Also refer to https://support.google.com/a/answer/9303419

ajojose33333344

for bit locker and windows update for windows 10:

https://support.google.com/a/answer/9539590

https://support.google.com/a/answer/9303492?hl=en

roeland1

Hi, I have a question about bitlocker, where can we find the recovery keys in the admin panel?

We are enrolling bitlocker in GCPW but can't find the keys from enrolled devices.

Thanks!

kim_nilsson

AFAIK, that has to be saved in AzureAD, and not Workspace.

Save BitLocker recovery information to Active Directory Domain Services–When checked, you can choose which BitLocker recovery information to store in Active Directory. You can select either the Backup recovery password and key package or the Backup recovery password only. When enabled, you can set the following:
- Don't enable BitLocker until recovery information is stored in Active Directory–Check the box to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to Active Directory succeeds.

roeland1

Thanks for your reply but we don't have AD, fully Google minded company 🙂

kim_nilsson

@emreknlk maybe you can shed some light on how to manage Bitlocker keys?

arussell

You cant currently that I know of.
You can save it to AD or Azure AD (silently). You can enable it yourself and save the key prior to issuing it. Or force the user to enable it and save the key. (They have to have admin rights for this to work).

We enable it and save it prior to issuing the laptop. We were able to get reporting in the admin console that laptops were encrypted by setting up the endpoint verification chrome extension.

There really is no low touch way to issue windows laptops managed by Google currently.

rholroyd

i'm also concerned about the lack of updates in GCPW. i would really like to implement this product throughout my organisation and get rid of some Microsoft backend stuff as it works great as far as it goes. however the lack of USB 2 factor key support and no domain autofill control in a multi domain environment means i'm waiting for the product to be updated with more features. it feels like it's partly finished and no updates for 2 1/2 years is disappointing.