Google Tightens Its Grip on Windows Device Management: What the Latest Workspace Controls Mean for Enterprise IT

For years, enterprise IT administrators have wrestled with a fragmented reality: managing a fleet of Windows devices through Google’s cloud-first ecosystem has meant accepting certain gaps in local device control. That era appears to be drawing to a close. Google’s latest round of improvements to local controls for Windows devices within Google Workspace signals a deliberate and significant push to make its administrative tools competitive with — and in some cases superior to — the legacy management frameworks that have long dominated the Windows enterprise environment.
The changes, announced via the Google Workspace Updates Blog in February 2026, represent the most comprehensive expansion of Windows device management capabilities Google has shipped in a single release. For IT departments that have committed to Google Workspace as their productivity backbone but still rely heavily on Windows endpoints, the update addresses a persistent pain point: the inability to enforce granular, local-level policies without resorting to third-party endpoint management tools or maintaining parallel infrastructure through Microsoft’s own Intune or Group Policy frameworks.
A Deeper Layer of Device-Level Enforcement
At the heart of the update is an expanded set of local device controls that allow Workspace administrators to manage Windows-specific settings directly from the Google Admin console. Previously, Google’s Windows device management capabilities were largely confined to high-level policies — enforcing screen locks, requiring encryption, and performing remote wipes. The new controls go substantially deeper, enabling administrators to configure local security policies, manage Windows Firewall rules, control peripheral access including USB device restrictions, and enforce application installation policies — all without requiring a separate endpoint management solution.
This is not a trivial enhancement. For organizations running hundreds or thousands of Windows machines under Google Workspace, the ability to eliminate a secondary management layer translates directly into reduced licensing costs, simplified IT workflows, and fewer points of failure in the security chain. According to the Google Workspace Updates Blog, the rollout is available to customers on Business Plus, Enterprise Standard, and Enterprise Plus tiers, with a phased deployment expected to reach all eligible domains within 15 business days of the announcement.
Closing the Gap With Microsoft Intune
The timing of Google’s move is notable. Microsoft has spent the last several years aggressively expanding Intune’s capabilities and integrating it ever more tightly with the broader Microsoft 365 ecosystem. For many enterprise IT shops, the calculus has been straightforward: if your endpoints are Windows, your management stack should be Microsoft. Google’s latest salvo challenges that assumption directly by offering a credible alternative that lives entirely within the Workspace administrative framework.
Industry analysts have been watching this space closely. The enterprise endpoint management market has been consolidating around a handful of major players, and Google’s willingness to invest in deeper Windows controls suggests the company sees a viable path to capturing share among organizations that are already Workspace-native but have been forced to maintain Microsoft management infrastructure solely for their Windows fleet. The cost implications are significant — Intune licensing, even when bundled with Microsoft 365 Enterprise plans, represents a meaningful line item for large organizations, and the operational overhead of maintaining two administrative consoles is a persistent source of friction for IT teams.
What the New Controls Actually Do
Drilling into the specifics, the update introduces several categories of new functionality. First, administrators can now define and enforce Windows Firewall configurations directly from the Admin console, including inbound and outbound rule sets that are pushed to devices and enforced at the local level. This is a capability that previously required either Group Policy Objects in an Active Directory environment or Intune configuration profiles — both of which presuppose a Microsoft-centric management infrastructure.
Second, the update adds granular peripheral management. Administrators can now create policies that restrict or allow specific categories of USB devices, including storage devices, input peripherals, and network adapters. This addresses a well-known attack vector — malicious USB devices — and brings Google’s Windows management capabilities in line with what security-conscious organizations have long demanded. Third, application control policies now allow administrators to define whitelists and blacklists for software installation, reducing the risk of unauthorized applications being installed on managed endpoints. As noted in the Google Workspace Updates Blog, these policies are enforced locally on the device and persist even when the machine is offline, a critical requirement for organizations with mobile or field-based workforces.
The Offline Enforcement Question
That offline enforcement capability deserves particular attention. One of the longstanding criticisms of cloud-first device management approaches has been their dependency on network connectivity. If a device is offline, cloud-pushed policies may not be enforced, creating windows of vulnerability. Google’s approach, as described in the announcement, involves a local agent — the Google Credential Provider for Windows (GCPW) — that caches and enforces policies at the device level regardless of connectivity status. This is architecturally similar to how Intune’s management extensions work, and it represents a maturation of Google’s endpoint management philosophy from purely cloud-dependent to hybrid enforcement.
For security teams, this is a meaningful development. The ability to guarantee that firewall rules, USB restrictions, and application controls remain active even when a laptop is disconnected from the corporate network — whether in an airport, a remote job site, or simply in airplane mode — eliminates a class of risk that has plagued cloud-only management approaches. It also makes Google’s solution viable for industries with strict compliance requirements, including healthcare, financial services, and government contracting, where the ability to demonstrate continuous policy enforcement is not optional.
Enterprise IT Teams Weigh the Implications
The reaction from enterprise IT professionals has been cautiously optimistic. In discussions across industry forums and on X, administrators have noted that while the new capabilities are welcome, the devil will be in the implementation details. Questions remain about how Google’s local controls will interact with existing Group Policy configurations in hybrid environments, whether the GCPW agent’s resource footprint will increase meaningfully with the expanded policy set, and how conflict resolution will work when Google Workspace policies and locally-defined Windows policies overlap or contradict each other.
These are not hypothetical concerns. Many organizations that use Google Workspace still maintain some Active Directory infrastructure, particularly for legacy application authentication and network resource access. The coexistence of Google-pushed local policies and AD-driven Group Policies on the same machine is a scenario that will require careful testing and clear documentation — areas where Google has historically lagged behind Microsoft’s more mature and extensively documented enterprise tooling.
A Strategic Bet on the Heterogeneous Enterprise
Viewed in a broader strategic context, Google’s investment in Windows device management reflects a recognition that the modern enterprise is not monolithic in its platform choices. While Chromebooks have gained traction in education and certain enterprise verticals, Windows remains the dominant desktop operating system in most corporate environments. Google’s ability to serve as the administrative backbone for these mixed-platform organizations — managing Chromebooks, Android devices, iOS devices, and now Windows machines from a single console — is a compelling value proposition that no other single vendor currently matches with the same breadth.
Microsoft, for its part, offers deep management capabilities for Windows and increasingly for other platforms through Intune, but its tools are optimized for and most capable within the Microsoft ecosystem. Apple’s device management capabilities are similarly platform-centric. Google’s cross-platform ambition, now bolstered by genuinely competitive Windows controls, positions Workspace as the management layer for organizations that refuse to be locked into a single hardware or OS vendor.
What Comes Next for Google’s Endpoint Strategy
Looking ahead, the February 2026 update is likely a precursor to further expansions. Google has been steadily building out its endpoint management capabilities over the past several years, and the trajectory suggests that deeper integration with Windows security features — including BitLocker management, Windows Defender configuration, and potentially even patch management — could be on the roadmap. If Google can deliver those capabilities while maintaining the administrative simplicity that Workspace is known for, the company will have built a formidable case for enterprises to consolidate their management infrastructure under a single Google umbrella.
For now, IT leaders evaluating the new controls should begin with pilot deployments in controlled environments, paying particular attention to policy conflict scenarios in hybrid AD/Workspace setups and validating offline enforcement behavior across their specific device fleet. The improvements are real and substantive, but as with any significant change to endpoint management infrastructure, the transition demands rigor, testing, and a clear-eyed assessment of organizational readiness. Google has delivered the tools; the burden now shifts to enterprise IT teams to determine whether those tools are ready for their specific operational realities.
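One way to run the offline-enforcement and policy-coexistence check recommended above, as an added example that is not from Google or the original article: the PowerShell script below snapshots the firewall rules Windows is actually enforcing, tagged by the source that supplied each rule, and diffs a snapshot taken online against one taken after disconnecting. The script name, the file names and the assumption that Workspace-pushed rules show up in the active firewall store are this example's own; the article does not say how the agent writes them.

```powershell
# Added example (not Google's tooling). Run in an elevated PowerShell session.
#   .\fw-snapshot.ps1 -Mode Capture -Path .\fw-online.json    (device online)
#   .\fw-snapshot.ps1 -Mode Capture -Path .\fw-offline.json   (after disconnecting)
#   .\fw-snapshot.ps1 -Mode Compare
param(
    [Parameter(Mandatory)][ValidateSet('Capture', 'Compare')][string]$Mode,
    [string]$Path     = '.\fw-online.json',    # hypothetical file names
    [string]$Baseline = '.\fw-online.json',
    [string]$Current  = '.\fw-offline.json'
)

function Get-EffectiveRule {
    # ActiveStore is the merged rule set Windows enforces right now,
    # whatever supplied it (local store, Group Policy, MDM, ...).
    Get-NetFirewallRule -PolicyStore ActiveStore | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Display   = $_.DisplayName
            Enabled   = "$($_.Enabled)"      # enums stored as text so the JSON is readable
            Direction = "$($_.Direction)"
            Action    = "$($_.Action)"
            Source    = "$($_.PolicyStoreSourceType)"
        }
    }
}

if ($Mode -eq 'Capture') {
    $rules = @(Get-EffectiveRule)
    $rules | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    # Per-source counts show at a glance whether Group Policy and other sources coexist.
    $rules | Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
    return
}

$before = Get-Content $Baseline -Raw | ConvertFrom-Json
$after  = Get-Content $Current  -Raw | ConvertFrom-Json
if (-not $before -or -not $after) { throw 'Empty snapshot; capture again.' }

# '<=' rows exist only in the baseline (rule vanished or changed while offline);
# '=>' rows exist only in the current snapshot. No output means no drift.
Compare-Object $before $after -Property Name, Enabled, Direction, Action, Source |
    Sort-Object Name, SideIndicator |
    Format-Table Name, Enabled, Direction, Action, Source, SideIndicator -AutoSize
```

Windows also adds and removes some rules of its own (the Source column marks these as Dynamic or Generated), so review the diff with the per-source counts in hand rather than treating every changed row as a policy failure.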