Manage your Windows WorkSpaces

You can use Group Policy Objects (GPOs) to apply settings to manage Windows WorkSpaces or users that are part of your Windows WorkSpaces directory.

Note

Linux instances do not adhere to Group Policy. For information about managing Amazon Linux WorkSpaces, see Manage your Amazon Linux WorkSpaces.

We recommend that you create an organizational unit for your WorkSpaces Computer Objects and an organizational unit for your WorkSpaces User Objects.

To use the Group Policy settings that are specific to Amazon WorkSpaces, you must install the Group Policy administrative template for the protocol or protocols that you are using, either PCoIP or WorkSpaces Streaming Protocol (WSP).

Warning

Group Policy settings can affect the experience of your WorkSpace users as follows:

  • On PCoIP WorkSpaces, implementing an interactive logon message to display a logon banner prevents users from accessing their WorkSpaces; the interactive logon message Group Policy setting is not currently supported on PCoIP. The logon message is supported on WSP WorkSpaces, but users have to log in again after accepting the logon banner.

  • Disabling removable storage through Group Policy settings causes a login failure that results in users being logged in to temporary user profiles with no access to drive D.

  • Removing users from the Remote Desktop Users local group through Group Policy settings prevents those users from being able to authenticate through the WorkSpaces client applications. For more information about this Group Policy setting, see Allow log on through Remote Desktop Services in the Microsoft documentation.

  • If you remove the built-in Users group from the Allow log on locally security policy, your PCoIP WorkSpaces users won't be able to connect to their WorkSpaces through the WorkSpaces client applications. Your PCoIP WorkSpaces also won't receive updates to the PCoIP agent software. PCoIP agent updates might contain security and other fixes, or they might enable new features for your WorkSpaces. For more information about working with this security policy, see Allow log on locally in the Microsoft documentation.

  • Group Policy settings can be used to restrict drive access. If you configure Group Policy settings to restrict access to drive C or to drive D, users can't access their WorkSpaces. To prevent this issue from occurring, make sure that your users can access drive C and drive D.

  • The WorkSpaces audio-in feature requires local logon access inside the WorkSpace. The audio-in feature is enabled by default for Windows WorkSpaces. However, if you have a Group Policy setting that restricts users' local logon in their WorkSpaces, audio-in won't work on your WorkSpaces. If you remove that Group Policy setting, the audio-in feature is enabled after the next reboot of the WorkSpace. For more information about this Group Policy setting, see Allow log on locally in the Microsoft documentation.

    For more information about enabling or disabling audio-in redirection, see Enable or disable audio-in redirection for PCoIP or Enable or disable audio-in redirection for WSP.

  • Using Group Policy to set the Windows power plan to Balanced or Power saver might cause your WorkSpaces to sleep when they're left idle. We strongly recommend using Group Policy to set the Windows power plan to High performance. For more information, see My Windows WorkSpace goes to sleep when it's left idle.

  • Some Group Policy settings force users to log off when they are disconnected from a session. Any applications that users have open on their WorkSpaces are closed.

  • "Set time limit for active but idle Remote Desktop Services sessions" is currently not supported on WSP WorkSpaces. Avoid using it during WSP sessions as it causes a disconnect even when there is activity and the session is not idle.

For information about using the Active Directory administration tools to work with GPOs, see Set up Active Directory Administration Tools for WorkSpaces.
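The settings in the warning list above are easy to introduce by accident in a GPO that is later linked to the WorkSpaces OU. The following PowerShell script is an added example, not code from the AWS documentation: it pulls a GPO's XML report with the GroupPolicy RSAT module and flags the settings the warning calls out. The element names (Policy, UserRightsAssignment, SecurityOptions, RestrictedGroups), the user-right constants and the Administrative Template display names are assumptions taken from the standard GPO report schema and the built-in Windows ADMX files, not from this page; the GPO name is a placeholder.

```powershell
# Added example, not AWS documentation code: lint a GPO report for settings the
# warning above says break WorkSpaces logon. Assumes the GroupPolicy RSAT module
# is installed on a domain-joined admin WorkSpace or EC2 instance.
Import-Module GroupPolicy

# Administrative Template settings (display names from the built-in Windows ADMX
# files, an assumption) that the warning calls out.
$RiskyAdmxPolicies = @(
    'All Removable Storage classes: Deny all access',                        # temp profile, no drive D
    'Prevent access to drives from My Computer',                             # users lose C: and D:
    'Set time limit for active but idle Remote Desktop Services sessions',   # unsupported on WSP
    'Select an active power plan'                                            # risky unless High performance
)

# Namespace-agnostic helpers: the report prefixes elements with q1:, q2:, ... and
# the prefixes vary between schema versions, so match on local-name() only.
function Get-ChildText([System.Xml.XmlNode]$node, [string]$localName) {
    $c = $node.SelectSingleNode("*[local-name()='$localName']")
    if ($c) { $c.InnerText.Trim() } else { $null }
}
function Get-Children([System.Xml.XmlNode]$node, [string]$localName) {
    @($node.SelectNodes("*[local-name()='$localName']"))
}

function Test-WorkSpacesGpo {
    param([Parameter(Mandatory)][string]$GpoName)

    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $findings = New-Object System.Collections.Generic.List[string]

    # Only Computer Configuration is relevant to these checks.
    $extXPath = "//*[local-name()='Computer']/*[local-name()='ExtensionData']/*[local-name()='Extension']"
    foreach ($ext in $report.SelectNodes($extXPath)) {

        foreach ($p in (Get-Children $ext 'Policy')) {
            $name = Get-ChildText $p 'Name'
            if ((Get-ChildText $p 'State') -eq 'Enabled' -and $RiskyAdmxPolicies -contains $name) {
                $findings.Add("Administrative Template enabled: $name")
            }
        }

        foreach ($ura in (Get-Children $ext 'UserRightsAssignment')) {
            $right   = Get-ChildText $ura 'Name'
            $members = @(Get-Children $ura 'Member' | ForEach-Object { Get-ChildText $_ 'Name' })
            if ($right -eq 'SeInteractiveLogonRight' -and $members -notcontains 'BUILTIN\Users') {
                $findings.Add('Allow log on locally omits BUILTIN\Users: breaks PCoIP logon, PCoIP agent updates and audio-in')
            }
            if ($right -eq 'SeRemoteInteractiveLogonRight' -and $members -notcontains 'BUILTIN\Remote Desktop Users') {
                $findings.Add('Allow log on through Remote Desktop Services omits BUILTIN\Remote Desktop Users')
            }
        }

        foreach ($so in (Get-Children $ext 'SecurityOptions')) {
            if ((Get-ChildText $so 'KeyName') -like '*LegalNotice*') {
                $findings.Add('Interactive logon message is set: unsupported on PCoIP, forces a second logon on WSP')
            }
        }

        foreach ($rg in (Get-Children $ext 'RestrictedGroups')) {
            $groupNode = $rg.SelectSingleNode("*[local-name()='GroupName']")
            if ($groupNode -and (Get-ChildText $groupNode 'Name') -like '*Remote Desktop Users*') {
                $findings.Add('Restricted Groups rewrites Remote Desktop Users; confirm WorkSpaces users stay members')
            }
        }
    }
    return ,$findings
}

# Usage: check a GPO before linking it to the WorkSpaces computer OU.
$issues = Test-WorkSpacesGpo -GpoName 'WorkSpaces-WSP-Settings'
if ($issues.Count -eq 0) { 'No WorkSpaces-breaking settings found.' } else { $issues }
```

Run it against any GPO whose scope includes the WorkSpaces computer objects, not only the one that carries the WSP settings; a domain-level GPO that sets the logon banner or denies removable storage will break WorkSpaces regardless of where the WSP GPO is linked.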

Install the Group Policy administrative template files for the WorkSpaces Streaming Protocol (WSP)

To use the Group Policy settings that are specific to WorkSpaces when using the WorkSpaces Streaming Protocol (WSP), you must add the Group Policy administrative template wsp.admx and wsp.adml files for WSP to the Central Store of the domain controller for your WorkSpaces directory. For more information about .admx and .adml files, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

The following procedure describes how to create the Central Store and add the administrative template files to it. Perform the following procedure on a directory administration WorkSpace or Amazon EC2 instance that is joined to your WorkSpaces directory.

To install the Group Policy administrative template files for WSP
  1. From a running Windows WorkSpace, make a copy of the wsp.admx and wsp.adml files in the C:\Program Files\Amazon\WSP directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open Windows File Explorer, and in the address bar, enter your organization's fully qualified domain name (FQDN), such as \\example.com.

  3. Open the sysvol folder.

  4. Open the folder with the FQDN name.

  5. Open the Policies folder. You should now be in \\FQDN\sysvol\FQDN\Policies.

  6. If it doesn't already exist, create a folder named PolicyDefinitions.

  7. Open the PolicyDefinitions folder.

  8. Copy the wsp.admx file into the \\FQDN\sysvol\FQDN\Policies\PolicyDefinitions folder.

  9. Create a folder named en-US in the PolicyDefinitions folder.

  10. Open the en-US folder.

  11. Copy the wsp.adml file into the \\FQDN\sysvol\FQDN\Policies\PolicyDefinitions\en-US folder.
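The eleven steps above reduce to two file copies into the Central Store, but because SYSVOL replicates to every domain controller, a truncated or mis-encoded template would be pushed everywhere and GPMC would then fail to load the Amazon/WSP category. The following PowerShell function is an added example, not code from the AWS documentation: it creates the Central Store layout if needed, copies wsp.admx and wsp.adml into place, and verifies each copy by SHA-256 and by parsing it as XML. It assumes you run it on a domain-joined admin WorkSpace or EC2 instance with write access to SYSVOL, and that the two files were first staged from C:\Program Files\Amazon\WSP on a running WorkSpace into a local folder (C:\Temp\wsp is a placeholder).

```powershell
# Added example, not AWS documentation code. Installs the WSP ADMX/ADML files into
# the domain Central Store and verifies the copies. Assumes the ActiveDirectory
# RSAT module is present and the caller can write to SYSVOL.
Import-Module ActiveDirectory

function Install-WspAdmx {
    param(
        [Parameter(Mandatory)][string]$SourceDir,        # folder holding wsp.admx and wsp.adml
        [string]$Fqdn = (Get-ADDomain).DNSRoot,           # e.g. example.com; assumes a domain-joined host
        [string]$Language = 'en-US'                       # language folder for the .adml file
    )

    $store   = "\\$Fqdn\sysvol\$Fqdn\Policies\PolicyDefinitions"
    $langDir = Join-Path $store $Language

    # Create the Central Store layout if it does not exist yet (idempotent).
    foreach ($dir in @($store, $langDir)) {
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }
    }

    $pairs = @(
        @{ Src = (Join-Path $SourceDir 'wsp.admx'); Dst = (Join-Path $store   'wsp.admx') },
        @{ Src = (Join-Path $SourceDir 'wsp.adml'); Dst = (Join-Path $langDir 'wsp.adml') }
    )

    foreach ($p in $pairs) {
        if (-not (Test-Path -LiteralPath $p.Src)) { throw "Missing source file: $($p.Src)" }

        Copy-Item -LiteralPath $p.Src -Destination $p.Dst -Force

        # Verify the copy byte-for-byte: SYSVOL replicates whatever lands here to every DC.
        $srcHash = (Get-FileHash -LiteralPath $p.Src -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $p.Dst -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { throw "Hash mismatch after copying $($p.Dst)" }

        # Both files are XML; GPMC refuses to load the category if either is malformed.
        [xml](Get-Content -LiteralPath $p.Dst -Raw) | Out-Null

        Write-Host ("OK  {0}  SHA256={1}" -f $p.Dst, $dstHash)
    }
}

# Usage: stage the two files from C:\Program Files\Amazon\WSP on a WorkSpace into
# C:\Temp\wsp (placeholder path) on the admin host, then run:
Install-WspAdmx -SourceDir 'C:\Temp\wsp'
```

The hashes printed at the end are worth recording: when a later WSP agent version ships an updated template, comparing the hash of the new wsp.admx against the Central Store copy tells you whether the store is stale before you go looking for a missing setting in GPMC.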

To verify that the administrative template files are correctly installed
  1. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  2. Expand the forest (Forest:FQDN).

  3. Expand Domains.

  4. Expand your FQDN (for example, example.com).

  5. Expand Group Policy Objects.

  6. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, you must create and link the GPO under the domain container that has delegated privileges.

    When you create a directory with AWS Managed Microsoft AD, AWS Directory Service creates a yourdomainname organizational unit (OU) under the domain root. The name of this OU is based on the NetBIOS name that you typed when you created your directory. If you didn't specify a NetBIOS name, it will default to the first part of your Directory DNS name (for example, in the case of corp.example.com, the NetBIOS name is corp).

    To create your GPO, instead of selecting Default Domain Policy, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here.

    For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  7. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  8. You can now use this WSP Group Policy object to modify the Group Policy settings that are specific to WorkSpaces when using WSP.
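Editing the Default Domain Policy, as the procedure above does, applies the change to every computer and user in the domain, and on AWS Managed Microsoft AD it is not possible at all. A dedicated, computer-only GPO linked to the OU that holds the WorkSpaces computer objects (the OU layout recommended at the top of this page) is the least-privilege option on any directory type. The following PowerShell script is an added example, not code from the AWS documentation: it creates the two recommended OUs under the delegated yourdomainname OU, creates a GPO for the WSP settings with its user half disabled, and links it to the computer OU. It assumes an AWS Managed Microsoft AD directory whose NetBIOS name is the first DNS label (for corp.example.com the delegated OU is OU=corp,DC=corp,DC=example,DC=com); the OU and GPO names are illustrative.

```powershell
# Added example, not AWS documentation code. Builds the WorkSpaces OU layout and a
# dedicated WSP GPO on AWS Managed Microsoft AD. Assumes the ActiveDirectory and
# GroupPolicy RSAT modules and a delegated administrator account.
Import-Module ActiveDirectory, GroupPolicy

$domain   = Get-ADDomain
# The "yourdomainname" OU that AWS Directory Service creates; assumes the NetBIOS
# name was left at its default (first label of the DNS name).
$parentOu = "OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"
Get-ADOrganizationalUnit -Identity $parentOu | Out-Null   # throws if the delegated OU is absent

# One OU for WorkSpaces computer objects and one for WorkSpaces user objects.
$ouNames = @{ Computers = 'WorkSpaces Computers'; Users = 'WorkSpaces Users' }
$ouDn    = @{}
foreach ($key in $ouNames.Keys) {
    $name = $ouNames[$key]
    $ouDn[$key] = "OU=$name,$parentOu"
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $parentOu -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $name -Path $parentOu -ProtectedFromAccidentalDeletion $true
    }
}

# A dedicated GPO instead of Default Domain Policy. Every WSP setting lives under
# Computer Configuration, so the user half is disabled: it is never processed and
# cannot accidentally pick up user-side settings later.
$gpoName = 'WorkSpaces-WSP-Settings'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'WSP redirection, TLS and extension settings for Windows WorkSpaces'
}
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link to the computer OU only; linking at the user OU would have no effect.
$linked = (Get-GPInheritance -Target $ouDn.Computers).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn.Computers -LinkEnabled Yes | Out-Null
}

# Show the resulting link order so it can be cross-checked in GPMC.
Get-GPInheritance -Target $ouDn.Computers |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order
```

After the script runs, open the new GPO in GPMC and configure the settings under Computer Configuration, Policies, Administrative Templates, Amazon, WSP exactly as the procedures below describe. For the link to take effect, the WorkSpaces computer objects must actually be created in (or moved to) the WorkSpaces Computers OU; the target OU for new WorkSpaces is set on the WorkSpaces directory, not in Group Policy.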

Manage Group Policy settings for WorkSpaces Streaming Protocol (WSP)

Use Group Policy settings to manage your Windows WorkSpaces that use WSP.

Configure printer support for WSP

By default, WorkSpaces enables Basic remote printing, which offers limited printing capabilities because it uses a generic printer driver on the host side to ensure compatible printing.

Advanced remote printing for Windows clients (not available for WSP) lets you use specific features of your printer, such as double-sided printing, but it requires installation of the matching printer driver on the host side.

Remote printing is implemented as a virtual channel. If virtual channels are disabled, remote printing does not function.

For Windows WorkSpaces, you can use Group Policy settings to configure printer support as needed.

To configure printer support
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Configure remote printing setting.

  10. In the Configure remote printing dialog box, do one of the following:

    • To enable local printer redirection, choose Enabled, and then for Printing options, choose Basic. To automatically use the client computer's current default printer, select Map local default printer to the remote host.

    • To disable printing, choose Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

Configure clipboard redirection for WSP

By default, WorkSpaces supports two-way (copy/paste) clipboard redirection. For Windows WorkSpaces, you can use Group Policy settings to disable this feature or configure the direction in which clipboard redirection is allowed.

To configure clipboard redirection for Windows WorkSpaces
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Configure clipboard redirection setting.

  10. In the Configure clipboard redirection dialog box, choose Enabled or Disabled.

    When Configure clipboard redirection is Enabled, the following Clipboard redirection options become available:

    • Choose Copy and Paste to allow two-way clipboard copy and paste redirection.

    • Choose Copy Only to allow copying data from the server clipboard to the client clipboard only.

    • Choose Paste Only to allow pasting data from the client clipboard to the server clipboard only.

    Here "server" is the WorkSpace and "client" is the user's device. Paste Only lets data flow into the WorkSpace but not out of it, so it is the option to choose when the concern is clipboard data leaving the WorkSpace; Copy Only is the reverse.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

Known limitation

With clipboard redirection enabled on the WorkSpace, if you copy content that is larger than 890 KB from a Microsoft Office application, the application might become slow or unresponsive for up to 5 seconds.

Configure session resume timeout for WSP

When you lose network connectivity, your active WorkSpaces client session is disconnected. WorkSpaces client applications for Windows and macOS attempt to reconnect the session automatically if network connectivity is restored within a certain amount of time. The default session resume timeout is 20 minutes (1200 seconds), but you can modify that value for WorkSpaces that are controlled by your domain's Group Policy settings.

To set the automatic session resume timeout value
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable/disable automatic reconnect setting.

  10. In the Enable/disable automatic reconnect dialog box, choose Enabled, and then set Reconnect timeout (seconds) to the desired timeout in seconds.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

Enable or disable video-in redirection for WSP

By default, WorkSpaces supports redirecting data from a local camera. If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

To enable or disable video-in redirection for Windows WorkSpaces
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable/disable video-in redirection setting.

  10. In the Enable/disable video-in redirection dialog box, choose Enabled or Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

Enable or disable audio-in redirection for WSP

By default, WorkSpaces supports redirecting data from a local microphone. If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

To enable or disable audio-in redirection for Windows WorkSpaces
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable/disable audio-in redirection setting.

  10. In the Enable/disable audio-in redirection dialog box, choose Enabled or Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

Enable or disable audio-out redirection for WSP

By default, WorkSpaces redirects data to a local speaker. If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

To enable or disable audio-out redirection for Windows WorkSpaces
  1. Ensure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you can't use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable/disable audio-out redirection setting.

  10. In the Enable/disable audio-out redirection dialog box, choose Enabled or Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace. In the Amazon WorkSpaces console, select the WorkSpace, then choose Actions > Reboot WorkSpaces.

    • In an administrative command prompt, enter gpupdate /force.

Disable time zone redirection for WSP

By default, the time within a WorkSpace is set to mirror the time zone of the client that is being used to connect to the WorkSpace. This behavior is controlled through time zone redirection. You might want to turn off time zone redirection for various reasons. For example:

  • Your company wants all employees to work in a certain time zone (even if some employees are in other time zones).

  • You have scheduled tasks in a WorkSpace that are meant to run at a certain time in a specific time zone.

  • Your users who travel a lot want to keep their WorkSpaces in one time zone for consistency and personal preference.

If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

To disable time zone redirection for Windows WorkSpaces
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you can't use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable/disable time zone redirection setting.

  10. In the Enable/disable time zone redirection dialog box, choose Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

  13. Set the time zone for the WorkSpaces to the desired time zone.

The time zone of the WorkSpaces is now static and no longer mirrors the time zone of the client machines.

Configure WSP security settings

For WSP, data in transit is encrypted with TLS 1.2. By default, all of the following cipher suites are allowed, and the client and server negotiate which one to use:

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

For Windows WorkSpaces, you can use Group Policy settings to modify the TLS Security Mode and to allow additional cipher suites or block certain ones. A detailed explanation of these settings and the supported cipher suites is provided in the Configure security settings Group Policy dialog box. Of the default suites, the first four use AES-GCM (authenticated encryption); ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384 use AES in CBC mode with a separate HMAC, so if your policy requires AEAD-only cipher suites, those are the two to block. A blocked suite is removed from negotiation for every client connecting to the affected WorkSpaces, so confirm that your deployed client versions support the remaining suites before narrowing the list.

To configure WSP security settings
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you can't use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open Configure security settings.

  10. In the Configure security settings dialog box, choose Enabled. Add cipher suites that you want to allow and remove cipher suites that you want to block. For more information about these settings, see the descriptions provided in the Configure security settings dialog box.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace, and after you restart the WorkSpace session. To apply the Group Policy changes, do one of the following:

    • To reboot the WorkSpace, in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces.

    • In an administrative command prompt, enter gpupdate /force.

Configure extensions for WSP

By default, support for WorkSpaces extensions is disabled. If needed, you can configure your WorkSpace to use extensions in the following ways:

  • Server and client – Enable extensions for both server and client

  • Server only – Enable extensions for server only

  • Client only – Enable extensions for client only

For Windows WorkSpaces, you can use Group Policy settings to configure the use of extensions.

To configure extensions for WSP
  1. Ensure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that's joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you can't use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Configure extensions setting.

  10. In the Configure extensions dialog box, choose Enabled and then set the desired support option. Choose Client Only, Server and Client, or Server only.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after you restart the WorkSpace session. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace. In the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces.

    • In an administrative command prompt, enter gpupdate /force.

Enable or disable smart card redirection for WSP

By default, Amazon WorkSpaces does not enable the use of smart cards for either pre-session authentication or in-session authentication. Pre-session authentication refers to smart card authentication that's performed while users are logging in to their WorkSpaces. In-session authentication refers to authentication that's performed after logging in.

If needed, you can enable pre-session and in-session authentication for Windows WorkSpaces by using Group Policy settings. Pre-session authentication must also be enabled through your AD Connector directory settings by using the EnableClientAuthentication API action or the enable-client-authentication AWS CLI command. For more information, see Enable Smart Card Authentication for AD Connector in the AWS Directory Service Administration Guide.

Note

To enable the use of smart cards with Windows WorkSpaces, additional steps are required. For more information, see Use smart cards for authentication.

To enable or disable smart card redirection for Windows WorkSpaces
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable/disable smart card redirection setting.

  10. In the Enable/disable smart card redirection dialog box, choose Enabled or Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the WorkSpace session is restarted. To apply the Group Policy change, reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

Enable or disable WebAuthn (FIDO2) redirection for WSP

By default, Amazon WorkSpaces enables the use of WebAuthn authenticators for in-session authentication. In-session authentication refers to WebAuthn authentication that's performed after logging in and requested by the web applications running within the session.

Requirements

WebAuthn (FIDO2) redirection for WSP requires the following:

  • WSP host agent version 2.0.0.1425 or higher

  • WorkSpaces clients:

    • Linux Ubuntu 22.04 2023.3 or higher

    • Windows 5.19.0 or higher

    • Mac client 5.19.0 or higher

  • Web browsers installed on your WorkSpaces running the Amazon DCV WebAuthn Redirection Extension:

    • Google Chrome 116+

    • Microsoft Edge 116+

Enabling or disabling WebAuthn (FIDO2) redirection for Windows WorkSpaces

If needed, you can enable or disable support for in-session authentication with WebAuthn authenticators for Windows WorkSpaces by using Group Policy settings. If you enable or do not configure this setting, WebAuthn redirection will be enabled and users can utilize local authenticators within the remote WorkSpace.

When this feature is enabled, all WebAuthn requests from the browser in the session are redirected to the local client. Users can use Windows Hello or locally attached security devices like YubiKey or other FIDO2 compliant authenticators to complete the authentication process.

To enable or disable WebAuthn (FIDO2) redirection for Windows WorkSpaces
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable/disable WebAuthn redirection setting.

  10. In the Enable/disable WebAuthn redirection dialog box, choose Enabled or Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the WorkSpace session is restarted. To apply the Group Policy changes, reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

Installing the Amazon DCV WebAuthn Redirection Extension

After the feature is enabled, users need to install the Amazon DCV WebAuthn Redirection Extension to use WebAuthn. This can happen in one of the following ways:

  • Your users will be prompted to enable the browser extension in their browser.

    Note

    This is a one-time browser prompt. Your users will get the notification when you update the WSP agent version to 2.0.0.1425 or higher. If your end users don't need the WebAuthn redirection, they can just remove the extension from the browser. You can also block the WebAuthn Redirection Extension installation prompt by using the GPO policy described below.

  • You can force-install the redirection extension for your users by using the GPO policy described below. If you enable the GPO policy, the extension is installed automatically when your users launch the supported browsers with internet access.

  • Your users can install the extension manually with Microsoft Edge Add-ons or the Chrome Web Store.

Manage and install the browser extension using Group Policy

You can install the Amazon DCV WebAuthn Redirection Extension using Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain or using the Local Group Policy Editor for each session host. This process will change depending on which browser you're using.

For Microsoft Edge
  1. Download and install the Microsoft Edge administrative template.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

  8. Choose Computer Configuration, Administrative Templates, Microsoft Edge, and Extensions.

  9. Open Configure extension management settings and set it to Enabled.

  10. Under Configure extension management settings, enter the following:

    {"ihejeaahjpbegmaaegiikmlphghlfmeh":{"installation_mode":"force_installed","update_url":"https://edge.microsoft.com/extensionwebstorebase/v1/crx"}}

  11. Choose OK.

  12. The Group Policy setting change takes effect after the WorkSpace session is restarted. To apply the Group Policy changes, reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

Note

You can block the installation of the extension instead by entering the following under Configure extension management settings:

{"ihejeaahjpbegmaaegiikmlphghlfmeh":{"installation_mode":"blocked","update_url":"https://edge.microsoft.com/extensionwebstorebase/v1/crx"}}

For Google Chrome
  1. Download and install the Google Chrome administrative template. For more information, see Set Chrome Browser policies on managed PCs.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

  8. Choose Computer Configuration, Administrative Templates, Google Chrome, and Extensions.

  9. Open Configure extension management settings and set it to Enabled.

  10. Under Configure extension management settings, enter the following:

    {"mmiioagbgnbojdbcjoddlefhmcocfpmn":{"installation_mode":"force_installed","update_url":"https://clients2.google.com/service/update2/crx"}}

  11. Choose OK.

  12. The Group Policy setting change takes effect after the WorkSpace session is restarted. To apply the Group Policy changes, reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

Note

You can block the installation of the extension instead by entering the following under Configure extension management settings:

{"mmiioagbgnbojdbcjoddlefhmcocfpmn":{"installation_mode":"blocked","update_url":"https://clients2.google.com/service/update2/crx"}}
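The following PowerShell is an added example, not code from the AWS documentation: it builds the force_installed and blocked extension management JSON for both browsers from the extension IDs and update URLs given above, and audits which mode a WorkSpace actually received. The registry paths it reads are the locations the Edge and Chrome ExtensionSettings policy maps to (an assumption; confirm against the browser policy documentation for your version).

```powershell
# Added example, not code from the AWS documentation. Builds the ExtensionSettings
# JSON for the Amazon DCV WebAuthn Redirection Extension (force_installed or blocked)
# and audits which mode an applied policy grants the extension. Extension IDs and
# update URLs are the values from the procedures above. The registry paths are the
# locations the browsers read the ExtensionSettings policy from (assumption; check
# the browser policy documentation for your version).

$DcvExtension = @{
    Edge   = @{
        Id        = 'ihejeaahjpbegmaaegiikmlphghlfmeh'
        UpdateUrl = 'https://edge.microsoft.com/extensionwebstorebase/v1/crx'
        PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    }
    Chrome = @{
        Id        = 'mmiioagbgnbojdbcjoddlefhmcocfpmn'
        UpdateUrl = 'https://clients2.google.com/service/update2/crx'
        PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    }
}

function New-DcvExtensionPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Edge', 'Chrome')][string]$Browser,
        [Parameter(Mandatory)][ValidateSet('force_installed', 'blocked')][string]$Mode
    )
    $ext = $DcvExtension[$Browser]
    $policy = @{ $ext.Id = [ordered]@{ installation_mode = $Mode; update_url = $ext.UpdateUrl } }
    # -Compress gives the single-line form that goes into the GPO text box.
    # Windows PowerShell 5.1 escapes "/" as "\/"; both are valid JSON, the
    # replace just keeps the literal form shown in the procedures above.
    ($policy | ConvertTo-Json -Compress) -replace '\\/', '/'
}

function Get-DcvExtensionMode {
    param(
        [Parameter(Mandatory)][ValidateSet('Edge', 'Chrome')][string]$Browser,
        [string]$PolicyJson    # omit to read the policy currently applied on this machine
    )
    $ext = $DcvExtension[$Browser]
    if (-not $PolicyJson) {
        $PolicyJson = (Get-ItemProperty -Path $ext.PolicyKey -Name ExtensionSettings `
            -ErrorAction SilentlyContinue).ExtensionSettings
        if (-not $PolicyJson) { return 'not_configured' }
    }
    try { $parsed = $PolicyJson | ConvertFrom-Json } catch { return 'invalid_json' }

    # An explicit entry for the extension ID wins; otherwise a "*" entry applies
    # to every extension not listed individually.
    $entry = $parsed.PSObject.Properties | Where-Object { $_.Name -eq $ext.Id } | Select-Object -First 1
    if (-not $entry) {
        $entry = $parsed.PSObject.Properties | Where-Object { $_.Name -eq '*' } | Select-Object -First 1
    }
    if (-not $entry -or -not $entry.Value.installation_mode) { return 'not_configured' }
    return $entry.Value.installation_mode
}

# Render the policy strings you would paste into the GPO setting
foreach ($b in 'Edge', 'Chrome') {
    "{0} force-install: {1}" -f $b, (New-DcvExtensionPolicy -Browser $b -Mode force_installed)
    "{0} blocked:       {1}" -f $b, (New-DcvExtensionPolicy -Browser $b -Mode blocked)
}

# Audit the policy a WorkSpace actually received (run inside the WorkSpace after gpupdate)
foreach ($b in 'Edge', 'Chrome') {
    "{0} applied mode: {1}" -f $b, (Get-DcvExtensionMode -Browser $b)
}
```

Run the audit part inside a WorkSpace after the reboot or gpupdate to confirm that the mode you set in the GPO (force_installed or blocked) is the one the browser will see.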

If needed, you can disconnect users' WorkSpaces sessions when the Windows lock screen is detected. To reconnect from the WorkSpaces client, users can use their passwords or their smart cards to authenticate themselves, depending on which type of authentication has been enabled for their WorkSpaces.

This Group Policy setting is disabled by default. If needed, you can enable disconnecting the session when the Windows lock screen is detected for Windows WorkSpaces by using Group Policy settings.

Note
  • This Group Policy setting applies to both password-authenticated and smart card-authenticated sessions.

  • To enable the use of smart cards with Windows WorkSpaces, additional steps are required. For more information, see Use smart cards for authentication.

To enable or disable disconnect session on screen lock for Windows WorkSpaces
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable/disable disconnect session on screen lock setting.

  10. In the Enable/disable disconnect session on screen lock dialog box, choose Enabled or Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

By default, WorkSpaces supports using the Indirect Display Driver (IDD). If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

To enable or disable Indirect Display Driver (IDD) for Windows WorkSpaces
  1. Make sure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon Elastic Compute Cloud instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, select the yourdomainname Organizational Unit (OU) or any OU under that one, open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable the AWS Indirect Display Driver setting.

  10. In the Enable the AWS Indirect Display Driver dialog box, choose Enabled or Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    1. Reboot the WorkSpace (in the WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    2. In an administrative command prompt, enter gpupdate /force.

WorkSpaces allows you to configure several different display settings, including the maximum frame rate, minimum image quality, maximum image quality, and YUV encoding. Adjust these settings based on the image quality, responsiveness, and color accuracy that you need.

By default, the maximum frame rate value is 25. The maximum frame rate value specifies the maximum allowed frames per second (fps). A value of 0 means no limit.

By default, the minimum image quality value is 30. The minimum image quality can be optimized for best image responsiveness, or best image quality. For best responsiveness, reduce the minimum quality. For best quality, increase the minimum quality.

  • Ideal values for best responsiveness are between 30 and 90.

  • Ideal values for best quality are between 60 and 90.

By default, the maximum image quality value is 80. The maximum image quality doesn't affect the image responsiveness or quality, but sets a maximum to limit network usage.

By default, image encoding is set to YUV420. Selecting Enable YUV444 encoding enables YUV444 encoding for high color accuracy.

For Windows WorkSpaces, you can use Group Policy settings to configure the maximum frame rate, minimum image quality, and maximum image quality values.

To configure display settings for Windows WorkSpaces
  1. Ensure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that's joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you can't use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Configure display settings setting.

  10. In the Configure display settings dialog box, choose Enabled and then set the Maximum frame rate (fps), minimum image quality, and maximum image quality values to the desired levels.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after you restart the WorkSpace session. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

By default, WorkSpaces supports using the VSync feature for the AWS Virtual Display-Only Driver. If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

To enable or disable VSync for Windows WorkSpaces
  1. Ensure the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon Elastic Compute Cloud instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, choose the yourdomainname Organizational Unit (OU) or any OU under that one, open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Enable VSync feature of the AWS Virtual Display Only Driver setting.

  10. In the Enable VSync feature of the AWS Virtual Display Only Driver dialog box, choose Enabled or Disabled.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do the following:

    1. Restart the WorkSpace by doing either of the following:

      1. Option 1 — In the WorkSpaces console, choose the WorkSpace you want to reboot. Then, choose Actions, Reboot WorkSpaces.

      2. Option 2 — In an administrative command prompt, enter gpupdate /force.

    2. Reconnect to the WorkSpace in order to apply the setting.

    3. Reboot the Workspace again.

By default, the log verbosity level for WSP WorkSpaces is set to Info. You can set log levels to verbosity levels ranging from least verbose to most verbose, as detailed here:

  • Error – least verbose

  • Warning

  • Info – default

  • Debug – most verbose

For Windows WorkSpaces, you can use Group Policy settings to configure the log verbosity levels.

To configure log verbosity levels for Windows WorkSpaces
  1. Ensure that the most recent WorkSpaces Group Policy administrative template for WSP is installed in the Central Store of the domain controller for your WorkSpaces directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  3. Expand the forest (Forest:FQDN).

  4. Expand Domains.

  5. Expand your FQDN (for example, example.com).

  6. Expand Group Policy Objects.

  7. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you can't use the Default Domain Policy to create your GPO. Instead, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here. For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  8. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Amazon, and WSP.

  9. Open the Configure log verbosity setting.

  10. In the Configure log verbosity dialog box, choose Enabled and then set the log verbosity level to debug, error, info, or warning.

  11. Choose OK.

  12. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after you restart the WorkSpace session. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace. In the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces.

    • In an administrative command prompt, enter gpupdate /force.

Install the Group Policy administrative template for PCoIP

To use the Group Policy settings that are specific to Amazon WorkSpaces when using the PCoIP protocol, you must add the Group Policy administrative template that is appropriate to the version of the PCoIP agent (either 32-bit or 64-bit) that is being used for your WorkSpaces.

Note

If you have a mix of WorkSpaces with 32-bit and 64-bit agents, you can use the Group Policy administrative templates for 32-bit agents, and your Group Policy settings will be applied to both 32-bit and 64-bit agents. When all of your WorkSpaces are using the 64-bit agent, you can switch to using the administrative template for 64-bit agents.

To determine whether your WorkSpaces have the 32-bit agent or the 64-bit agent
  1. Log in to a WorkSpace, and then open the Task Manager by choosing View, Send Ctrl + Alt + Delete or by right-clicking the task bar and choosing Task Manager.

  2. In the Task Manager, go to the Details tab, right-click the column headers, and choose Select Columns.

  3. In the Select Columns dialog box, select Platform, and then choose OK.

  4. On the Details tab, find pcoip_agent.exe, and then check its value in the Platform column to determine if the PCoIP agent is 32-bit or 64-bit. (You might see a mix of 32-bit and 64-bit WorkSpaces components; this is normal.)
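As an added example (not part of the AWS documentation), the same 32-bit/64-bit determination can be scripted instead of read from Task Manager's Platform column: the PowerShell below locates the running pcoip_agent.exe named above and reads the Machine field from its PE header. Assumes an elevated 64-bit PowerShell session inside the WorkSpace so that the agent process's main module can be read.

```powershell
# Added example, not code from the AWS documentation. Reports whether the running
# PCoIP agent is 32-bit or 64-bit by reading the COFF Machine field of
# pcoip_agent.exe. Offsets and constants are from the PE/COFF file format.

function Get-PeMachineType {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { throw "Not an MZ executable: $Path" }   # "MZ"
        $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin) | Out-Null
        $peOffset = $br.ReadUInt32()                       # e_lfanew: offset of the PE signature
        $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin) | Out-Null
        if ($br.ReadUInt32() -ne 0x00004550) { throw "PE signature missing: $Path" }   # "PE\0\0"
        $machine = $br.ReadUInt16()                        # COFF header Machine field
        switch ($machine) {
            0x014C  { '32-bit' }                           # IMAGE_FILE_MACHINE_I386
            0x8664  { '64-bit' }                           # IMAGE_FILE_MACHINE_AMD64
            default { 'unknown (0x{0:X4})' -f $machine }
        }
    }
    finally { $fs.Dispose() }
}

function Get-PcoipAgentPlatform {
    $proc = Get-Process -Name pcoip_agent -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $proc) { return 'pcoip_agent.exe is not running (is this a PCoIP WorkSpace?)' }
    # Reading MainModule of the agent process needs an elevated session; a 32-bit
    # PowerShell cannot read the modules of a 64-bit process, so use 64-bit PowerShell.
    Get-PeMachineType -Path $proc.MainModule.FileName
}

Get-PcoipAgentPlatform
```

Because the result comes from the binary itself rather than from the install path, it is correct even if the agent was installed somewhere other than the default Program Files location.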

To use the Group Policy settings that are specific to WorkSpaces when using the PCoIP protocol with the 32-bit PCoIP agent, you must install the Group Policy administrative template for PCoIP. Perform the following procedure on a directory administration WorkSpace or Amazon EC2 instance that is joined to your directory.

For more information about working with .adm files, see Recommendations for managing Group Policy administrative template (.adm) files in the Microsoft documentation.

To install the Group Policy administrative template for PCoIP
  1. From a running Windows WorkSpace, make a copy of the pcoip.adm file in the C:\Program Files (x86)\Teradici\PCoIP Agent\configuration directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to the organizational unit in your domain that contains your WorkSpaces machine accounts.

  3. Open the context (right-click) menu for the machine account organizational unit and choose Create a GPO in this domain, and link it here.

  4. In the New GPO dialog box, enter a descriptive name for the GPO, such as WorkSpaces Machine Policies, and leave Source Starter GPO set to (none). Choose OK.

  5. Open the context (right-click) menu for the new GPO and choose Edit.

  6. In the Group Policy Management Editor, choose Computer Configuration, Policies, and Administrative Templates. Choose Action, Add/Remove Templates from the main menu.

  7. In the Add/Remove Templates dialog box, choose Add, select the pcoip.adm file copied previously, and then choose Open, Close.

  8. Close the Group Policy Management Editor. You can now use this GPO to modify the Group Policy settings that are specific to WorkSpaces.

To verify that the administrative template file is correctly installed
  1. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to and select the WorkSpaces GPO for your WorkSpaces machine accounts. Choose Action, Edit in the main menu.

  2. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, Classic Administrative Templates, and PCoIP Session Variables.

  3. You can now use this PCoIP Session Variables Group Policy object to modify the Group Policy settings that are specific to Amazon WorkSpaces when using PCoIP.

    Note

    To allow the user to override your settings, choose Overridable Administrator Settings; otherwise, choose Not Overridable Administrator Settings.

To use the Group Policy settings that are specific to WorkSpaces when using the PCoIP protocol, you must add the Group Policy administrative template PCoIP.admx and PCoIP.adml files for PCoIP to the Central Store of the domain controller for your WorkSpaces directory. For more information about .admx and .adml files, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

The following procedure describes how to create the Central Store and add the administrative template files to it. Perform the following procedure on a directory administration WorkSpace or Amazon EC2 instance that is joined to your WorkSpaces directory.

To install the Group Policy administrative template files for PCoIP
  1. From a running Windows WorkSpace, make a copy of the PCoIP.admx and PCoIP.adml files in the C:\Program Files\Teradici\PCoIP Agent\configuration\policyDefinitions directory. The PCoIP.adml file is in the en-US subfolder of that directory.

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open Windows File Explorer, and in the address bar, enter your organization's fully qualified domain name (FQDN), such as \\example.com.

  3. Open the sysvol folder.

  4. Open the folder with the FQDN name.

  5. Open the Policies folder. You should now be in \\FQDN\sysvol\FQDN\Policies.

  6. If it doesn't already exist, create a folder named PolicyDefinitions.

  7. Open the PolicyDefinitions folder.

  8. Copy the PCoIP.admx file into the \\FQDN\sysvol\FQDN\Policies\PolicyDefinitions folder.

  9. Create a folder named en-US in the PolicyDefinitions folder.

  10. Open the en-US folder.

  11. Copy the PCoIP.adml file into the \\FQDN\sysvol\FQDN\Policies\PolicyDefinitions\en-US folder.
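The procedure above can be scripted; the PowerShell below is an added example, not code from the AWS documentation. It copies PCoIP.admx and en-US\PCoIP.adml from the agent's policyDefinitions folder into \\FQDN\sysvol\FQDN\Policies\PolicyDefinitions (creating the folders if needed) and verifies each copy by hash. The paths are the ones given in the steps above; example.com is a placeholder for your directory's FQDN, and the script assumes it runs on a domain-joined machine that can read the source folder (or a local copy of it from step 1) and write to the SYSVOL Policies share.

```powershell
# Added example, not code from the AWS documentation. Automates steps 1-11 above:
# copies PCoIP.admx and en-US\PCoIP.adml into the domain Central Store and verifies
# the copies by hash. Paths are the ones given on this page; $Fqdn is a placeholder.

function Install-PcoipAdmxToCentralStore {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        # Folder from step 1 (the agent's own folder, or the copy you made of it)
        [string]$SourceRoot = 'C:\Program Files\Teradici\PCoIP Agent\configuration\policyDefinitions'
    )
    $admx = Join-Path $SourceRoot 'PCoIP.admx'
    $adml = Join-Path (Join-Path $SourceRoot 'en-US') 'PCoIP.adml'
    foreach ($f in $admx, $adml) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Template file not found: $f" }
    }

    # Steps 2-5: the Policies folder must already exist on the SYSVOL share
    $policies = "\\$Fqdn\sysvol\$Fqdn\Policies"
    if (-not (Test-Path -LiteralPath $policies)) {
        throw "SYSVOL Policies share not reachable: $policies"
    }

    # Steps 6-11: PolicyDefinitions and its en-US subfolder, created if missing
    $store     = Join-Path $policies 'PolicyDefinitions'
    $storeEnUs = Join-Path $store 'en-US'
    $targets   = @{ $admx = $store; $adml = $storeEnUs }
    foreach ($src in $targets.Keys) {
        $dir = $targets[$src]
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }
        Copy-Item -LiteralPath $src -Destination $dir -Force
        $dst = Join-Path $dir (Split-Path $src -Leaf)
        # Verify that the copy in the Central Store matches the source byte for byte
        [pscustomobject]@{
            File        = Split-Path $src -Leaf
            Destination = $dst
            Verified    = ((Get-FileHash -LiteralPath $src).Hash -eq (Get-FileHash -LiteralPath $dst).Hash)
        }
    }
}

# Replace example.com with your directory's FQDN (placeholder)
Install-PcoipAdmxToCentralStore -Fqdn 'example.com' | Format-Table -AutoSize
```

After it reports Verified = True for both files, continue with the verification procedure that follows to confirm that PCoIP Session Variables appears in the Group Policy Management Editor.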

To verify that the administrative template files are correctly installed
  1. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc).

  2. Expand the forest (Forest:FQDN).

  3. Expand Domains.

  4. Expand your FQDN (for example, example.com).

  5. Expand Group Policy Objects.

  6. Select Default Domain Policy, open the context (right-click) menu, and choose Edit.

    Note

    If the domain backing the WorkSpaces is an AWS Managed Microsoft AD directory, you cannot use the Default Domain Policy to create your GPO. Instead, you must create and link the GPO under the domain container that has delegated privileges.

    When you create a directory with AWS Managed Microsoft AD, AWS Directory Service creates a yourdomainname organizational unit (OU) under the domain root. The name of this OU is based on the NetBIOS name that you typed when you created your directory. If you didn't specify a NetBIOS name, it will default to the first part of your Directory DNS name (for example, in the case of corp.example.com, the NetBIOS name is corp).

    To create your GPO, instead of selecting Default Domain Policy, select the yourdomainname OU (or any OU under that one), open the context (right-click) menu, and choose Create a GPO in this domain, and Link it here.

    For more information about the yourdomainname OU, see What Gets Created in the AWS Directory Service Administration Guide.

  7. In the Group Policy Management Editor, choose Computer Configuration, Policies, Administrative Templates, and PCoIP Session Variables.

  8. You can now use this PCoIP Session Variables Group Policy object to modify the Group Policy settings that are specific to WorkSpaces when using PCoIP.

    Note

    To allow the user to override your settings, choose Overridable Administrator Settings; otherwise, choose Not Overridable Administrator Settings.

Manage Group Policy settings for PCoIP

Use Group Policy settings to manage your Windows WorkSpaces that use PCoIP.

By default, WorkSpaces enables Basic remote printing, which offers limited printing capabilities because it uses a generic printer driver on the host side to ensure compatible printing.

Advanced remote printing for Windows clients lets you use specific features of your printer, such as double-sided printing, but it requires installation of the matching printer driver on the host side.

Remote printing is implemented as a virtual channel. If virtual channels are disabled, remote printing does not function.

For Windows WorkSpaces, you can use Group Policy settings to configure printer support as needed.

To configure printer support
  1. Make sure that you've installed the most recent WorkSpaces Group Policy administrative template for PCoIP (32-Bit) or WorkSpaces Group Policy administrative template for PCoIP (64-Bit).

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to PCoIP Session Variables.

  3. Open the Configure remote printing setting.

  4. In the Configure remote printing dialog box, do one of the following:

    • To enable Advanced remote printing, choose Enabled, and then under Options, Configure remote printing, choose Basic and Advanced printing for Windows clients. To automatically use the client computer's current default printer, select Automatically set default printer.

    • To disable printing, choose Enabled, and then under Options, Configure remote printing, choose Printing disabled.

  5. Choose OK.

  6. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

By default, local printer auto-redirection is disabled. You can use Group Policy settings to enable this feature so that your local printer is set as the default printer every time that you connect to your WorkSpace.

Note

Local printer redirection is not available for Amazon Linux WorkSpaces.

To enable local printer auto-redirection
  1. Make sure that you've installed the most recent WorkSpaces Group Policy administrative template for PCoIP (32-Bit) or WorkSpaces Group Policy administrative template for PCoIP (64-Bit).

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to PCoIP Session Variables.

  3. Open the Configure remote printing setting.

  4. Choose Enabled, and then under Options, Configure remote printing, choose one of the following:

    • Basic and Advanced printing for Windows clients

    • Basic printing

  5. Select Automatically set default printer, and then choose OK.

  6. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

By default, WorkSpaces supports clipboard redirection. If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

To enable or disable clipboard redirection
  1. Make sure that you've installed the most recent WorkSpaces Group Policy administrative template for PCoIP (32-Bit) or WorkSpaces Group Policy administrative template for PCoIP (64-Bit).

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to PCoIP Session Variables.

  3. Open the Configure clipboard redirection setting.

  4. In the Configure clipboard redirection dialog box, choose Enabled and then choose one of the following settings to determine the direction in which clipboard redirection is allowed. When you're done, choose OK.

    • Disabled in both directions

    • Enabled agent to client only (WorkSpace to local computer)

    • Enabled client to agent only (local computer to WorkSpace)

    • Enabled in both directions

  5. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

Known limitation

With clipboard redirection enabled on the WorkSpace, if you copy content that is larger than 890 KB from a Microsoft Office application, the application might become slow or unresponsive for up to 5 seconds.

When you lose network connectivity, your active WorkSpaces client session is disconnected. WorkSpaces client applications for Windows and macOS attempt to reconnect the session automatically if network connectivity is restored within a certain amount of time. The default session resume timeout is 20 minutes, but you can modify that value for WorkSpaces that are controlled by your domain's Group Policy settings.

To set the automatic session resume timeout value
  1. Make sure that you've installed the most recent WorkSpaces Group Policy administrative template for PCoIP (32-Bit) or WorkSpaces Group Policy administrative template for PCoIP (64-Bit).

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to PCoIP Session Variables.

  3. Open the Configure Session Automatic Reconnection Policy setting.

  4. In the Configure Session Automatic Reconnection Policy dialog box, choose Enabled, set the Configure Session Automatic Reconnection Policy option to the desired timeout, in minutes, and choose OK.

  5. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

By default, Amazon WorkSpaces supports redirecting data from a local microphone. If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

Note

If you have a Group Policy setting that restricts users' local logon in their WorkSpaces, audio-in won't work on your WorkSpaces. If you remove that Group Policy setting, the audio-in feature is enabled after the next reboot of the WorkSpace. For more information about this Group Policy setting, see Allow log on locally in the Microsoft documentation.

To enable or disable audio-in redirection
  1. Make sure that you've installed the most recent WorkSpaces Group Policy administrative template for PCoIP (32-Bit) or WorkSpaces Group Policy administrative template for PCoIP (64-Bit).

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to PCoIP Session Variables.

  3. Open the Enable/disable audio in the PCoIP session setting.

  4. In the Enable/disable audio in the PCoIP session dialog box, choose Enabled or Disabled.

  5. Choose OK.

  6. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

By default, the time within a WorkSpace is set to mirror the time zone of the client that is being used to connect to the WorkSpace. This behavior is controlled through time zone redirection. You might want to turn off time zone redirection for various reasons:

  • Your company wants all employees to work in a certain time zone (even if some employees are in other time zones).

  • You have scheduled tasks in a WorkSpace that are meant to run at a certain time in a specific time zone.

  • Your users who travel a lot want to keep their WorkSpaces in one time zone for consistency and personal preference.

If needed for Windows WorkSpaces, you can use Group Policy settings to disable this feature.

To disable time zone redirection
  1. Make sure that you've installed the most recent WorkSpaces Group Policy administrative template for PCoIP (32-Bit) or WorkSpaces Group Policy administrative template for PCoIP (64-Bit).

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to PCoIP Session Variables.

  3. Open the Configure timezone redirection setting.

  4. In the Configure timezone redirection dialog box, choose Disabled.

  5. Choose OK.

  6. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

  7. Set the time zone for the WorkSpaces to the desired time zone.

The time zone of the WorkSpaces is now static and no longer mirrors the time zone of the client machines.

For PCoIP, data in transit is encrypted using TLS 1.2 encryption and SigV4 request signing. The PCoIP protocol uses encrypted UDP traffic, with AES encryption, for streaming pixels. The streaming connection, using port 4172 (TCP and UDP), is encrypted by using AES-128 and AES-256 ciphers, but the encryption defaults to 128-bit. You can change this default to 256-bit by using the Configure PCoIP Security Settings Group Policy setting.

You can also use this Group Policy setting to modify the TLS Security Mode and to block certain cipher suites. A detailed explanation of these settings and the supported cipher suites is provided in the Configure PCoIP Security Settings Group Policy dialog box.

To configure PCoIP security settings
  1. Make sure that you've installed the most recent WorkSpaces Group Policy administrative template for PCoIP (32-Bit) or WorkSpaces Group Policy administrative template for PCoIP (64-Bit).

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to PCoIP Session Variables.

  3. Open the Configure PCoIP Security Settings setting.

  4. In the Configure PCoIP Security Settings dialog box, choose Enabled. To set the default encryption for streaming traffic to 256-bit, go to the PCoIP Data Encryption Ciphers option, and select AES-256-GCM only.

  5. (Optional) Adjust the TLS Security Mode setting, and then list any cipher suites that you want to block. For more information about these settings, see the descriptions provided in the Configure PCoIP Security Settings dialog box.

  6. Choose OK.

  7. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

Note

Amazon WorkSpaces currently supports USB redirection only for YubiKey U2F. Other types of USB devices might be redirected but they are not supported and might not work properly.

To enable USB redirection for YubiKey U2F
  1. Make sure that you've installed the most recent WorkSpaces Group Policy administrative template for PCoIP (32-Bit) or WorkSpaces Group Policy administrative template for PCoIP (64-Bit).

  2. On a directory administration WorkSpace or an Amazon EC2 instance that is joined to your WorkSpaces directory, open the Group Policy Management tool (gpmc.msc) and navigate to PCoIP Session Variables.

  3. Open the Enable/disable USB in the PCOIP session setting.

  4. Choose Enabled, and then choose OK.

  5. Open the Configure PCoIP USB allowed and unallowed device rules setting.

  6. Choose Enabled, and under Enter the USB authorization table (maximum ten rules), configure your USB device allow list rules.

    1. Authorization rule - 110500407. This value is a combination of a Vendor ID (VID) and a Product ID (PID). The format for a VID/PID combination is 1xxxxyyyy, where xxxx is the VID in hexadecimal format and yyyy is the PID in hexadecimal format. For this example, 1050 is the VID, and 0407 is the PID. For more YubiKey USB values, see YubiKey USB ID Values.

  7. Under Enter the USB authorization table (maximum ten rules), configure your USB device block list rules.

    1. For Unauthorization Rule, set an empty string. This means that only USB devices in the authorization list are allowed.

    Note

    You can define a maximum of 10 USB authorization rules and a maximum of 10 USB unauthorization rules. Use the vertical bar (|) character to separate multiple rules. For detailed information about the authorization/unauthorization rules, see Teradici PCoIP Standard Agent for Windows.

  8. Choose OK.

  9. The Group Policy setting change takes effect after the next Group Policy update for the WorkSpace and after the WorkSpace session is restarted. To apply the Group Policy changes, do one of the following:

    • Reboot the WorkSpace (in the Amazon WorkSpaces console, select the WorkSpace, then choose Actions, Reboot WorkSpaces).

    • In an administrative command prompt, enter gpupdate /force.

After the setting takes effect, all supported USB devices can redirect to WorkSpaces unless restrictions are configured through the USB device rules setting.
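The authorization table above is a hand-typed string, so it is easy to get the 1xxxxyyyy layout or the rule separator wrong. The following PowerShell is an added example (not from the AWS documentation) that assembles the string from VID/PID pairs, enforces the four-hex-digit format and the ten-rule limit, and shows the YubiKey rule from the procedure; the second device's PID 0410 is a constructed placeholder, not a value the page gives.

```powershell
# Added example: build the "Enter the USB authorization table" value for the
# "Configure PCoIP USB allowed and unallowed device rules" setting.
function New-PcoipUsbAuthRule {
    param(
        [Parameter(Mandatory)][string]$VendorId,   # 4 hex digits, e.g. '1050'
        [Parameter(Mandatory)][string]$ProductId   # 4 hex digits, e.g. '0407'
    )
    foreach ($h in @($VendorId, $ProductId)) {
        if ($h -notmatch '^[0-9A-Fa-f]{4}$') {
            throw "'$h' is not a 4-digit hexadecimal VID/PID."
        }
    }
    # Rule format is 1xxxxyyyy: the literal digit 1, then the VID, then the PID.
    return '1' + $VendorId + $ProductId
}

function New-PcoipUsbAuthTable {
    param([Parameter(Mandatory)][string[]]$Rules)
    if ($Rules.Count -gt 10) {
        throw "The authorization table accepts at most 10 rules; got $($Rules.Count)."
    }
    # Multiple rules are separated with the vertical bar character.
    return ($Rules -join '|')
}

# Constructed sample input: the YubiKey VID/PID from the procedure above plus a
# placeholder second device (PID 0410 is illustrative only).
$rules = @(
    (New-PcoipUsbAuthRule -VendorId '1050' -ProductId '0407'),
    (New-PcoipUsbAuthRule -VendorId '1050' -ProductId '0410')
)
$authTable = New-PcoipUsbAuthTable -Rules $rules
Write-Output "Authorization table:   $authTable"
# Leave the unauthorization table empty so that only listed devices are allowed.
Write-Output "Unauthorization table: '' (empty string)"
```

Paste the printed authorization string into the Group Policy dialog as a single line; the same check applies to the unauthorization table if you choose to populate it instead of leaving it empty.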

Set the maximum lifetime for a Kerberos ticket

If you have not disabled the Remember Me feature of your Windows WorkSpaces, your WorkSpace users can use the Remember Me or Keep me logged in check box in their WorkSpaces client application to save their credentials. This feature allows users to easily connect to their WorkSpaces while the client application remains running. Their credentials are securely cached up to the maximum lifetime of their Kerberos tickets.

If your WorkSpace uses an AD Connector directory, you can modify the maximum lifetime of the Kerberos tickets for your WorkSpaces users through Group Policy by following the steps in Maximum Lifetime for a User Ticket in the Microsoft Windows documentation.

To enable or disable the Remember Me feature, see Enable self-service WorkSpace management capabilities for your users.

Configure device proxy server settings for internet access

By default, the WorkSpaces client applications use the proxy server that’s specified in the device operating system settings for HTTPS (port 443) traffic. The Amazon WorkSpaces client applications use the HTTPS port for updates, registration, and authentication.

Note

Proxy servers that require authentication with sign-in credentials are not supported.

You can configure the device proxy server settings for your Windows WorkSpaces through Group Policy by following the steps in Configure device proxy and internet connectivity settings in the Microsoft documentation.

For more information about configuring the proxy settings in the WorkSpaces Windows client application, see Proxy Server in the Amazon WorkSpaces User Guide.

For more information about configuring the proxy settings in the WorkSpaces macOS client application, see Proxy Server in the Amazon WorkSpaces User Guide.

For more information about configuring the proxy settings in the WorkSpaces Web Access client application, see Proxy Server in the Amazon WorkSpaces User Guide.

Proxying desktop traffic

For PCoIP WorkSpaces, the desktop client applications do not support the use of a proxy server or TLS decryption and inspection for port 4172 traffic in UDP (for desktop traffic). They require a direct connection to port 4172.

For WSP WorkSpaces, the WorkSpaces Windows client application (version 5.1 and above) and macOS client application (version 5.4 and above) support the use of HTTP proxy servers for port 4195 TCP traffic. TLS decryption and inspection are not supported.

WSP does not support the use of a proxy for desktop traffic over UDP. Only the WorkSpaces Windows and macOS desktop client applications and WSP web access support the use of a proxy, and only for TCP traffic.

Note

If you choose to use a proxy server, the API calls that the client application makes to the WorkSpaces services are also proxied. Both API calls and desktop traffic should pass through the same proxy server.

Recommendation on the use of proxy servers

We do not recommend the use of a proxy server with your WorkSpaces desktop traffic.

Amazon WorkSpaces desktop traffic is already encrypted, so proxies do not improve security. A proxy represents an additional hop in the network path that could impact streaming quality by introducing latency. Proxies could also reduce throughput if a proxy is not properly sized to handle desktop streaming traffic. Furthermore, most proxies are not designed to support long-running WebSocket (TCP) connections and may affect streaming quality and stability.

If you must use a proxy, please locate your proxy server as close to the WorkSpace client as possible, preferably in the same network, to avoid adding network latency, which could negatively impact streaming quality and responsiveness.

Enable Amazon WorkSpaces for Zoom Meeting Media Plugin support

Zoom supports optimized real-time communication for WSP and PCoIP Windows-based WorkSpaces with the Zoom VDI Plugin. Direct client communication allows video calls to bypass the cloud-based virtual desktop and provide a local-like Zoom experience when the meeting is running inside your user's WorkSpace.

Enable Zoom Meeting Media Plugin for WSP

Before installing the Zoom VDI components, update your WorkSpaces configuration to support Zoom optimization.

Prerequisites

Before using the plugin, make sure the following requirements are met.

Before you begin

  1. Enable the Extensions Group Policy setting. For more information, see Configure extensions for WSP.

  2. Disable the Automatic reconnect Group Policy setting. For more information, see Set the session resume timeout for WSP.

Installing the Zoom components

To enable Zoom optimization, install two components, provided by Zoom, on your Windows WorkSpaces. For more information, see Using Zoom for Amazon Web Services.

  1. Install the Zoom VDI Meeting client version 5.12.6+ within your WorkSpace.

  2. Install the Zoom VDI Plugin (Windows Universal Installer) version 5.12.6+ on the client device from which your WorkSpace is accessed.

  3. Validate that the plugin is optimizing the Zoom traffic by confirming that your VDI Plugin Status shows as Connected within the Zoom VDI client. For more information, see How to confirm Amazon WorkSpaces optimization.

Enable Zoom Meeting Media Plugin for PCoIP

Users with administrative permission to Active Directory can generate a registry key using their Group Policy Object (GPO). This allows users to send the registry key to all the Windows WorkSpaces within your domain using a forced update. Alternatively, users with administrative rights can also install registry keys individually on their WorkSpaces host.

Prerequisites

Before using the plugin, make sure the following requirements are met.

Create the registry key on a Windows WorkSpaces host

Complete the following procedure to create a registry key on a Windows WorkSpaces host. The registry key is required to use Zoom on Windows WorkSpaces.

  1. Open Windows Registry Editor as an administrator.

  2. Go to \HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Amazon.

  3. If the Extension key doesn't exist, right-click and choose New > Key and name it Extension.

  4. In the new Extension key, right-click and choose New > DWORD and name it enable. The name must be in lower-case.

  5. Choose the new DWORD and change the Value to 1.

  6. Reboot the computer to complete the process.

  7. On your WorkSpaces host, download and install the latest Zoom VDI client. On your WorkSpaces client (5.4 or higher), download and install the latest Zoom VDI client plugin for Amazon WorkSpaces. For more information, see VDI releases and downloads on the Zoom support website.

Launch Zoom to start your video call.

Troubleshooting

Complete the following actions to troubleshoot Zoom on Windows WorkSpaces.

  • Confirm that the registry key was activated and applied correctly.

  • Go to C:\ProgramData\Amazon\Amazon WorkSpaces Extension. You should see wse_core_dll.

  • Make sure that the versions on the host and clients are correct and the same.

If you continue to experience difficulty, contact AWS Support using the AWS Support Center.
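The registry procedure and the troubleshooting list above can be scripted. The following PowerShell is an added example (not from the AWS documentation) that creates the Extension key and the lower-case enable DWORD exactly as the procedure describes, then performs the two local checks from the troubleshooting list; the function names are the example's own, and it must run in an elevated session on the WorkSpace host.

```powershell
# Added example: apply and verify the Extension\enable policy value used by the
# Zoom Meeting Media Plugin on PCoIP Windows WorkSpaces.
$policyPath   = 'HKLM:\SOFTWARE\Policies\Amazon\Extension'
$extensionDir = 'C:\ProgramData\Amazon\Amazon WorkSpaces Extension'

function Set-WorkSpacesExtensionPolicy {
    # Create the Extension key if it is missing, then set the DWORD 'enable' = 1.
    # The value name must be lower-case, as the procedure states.
    if (-not (Test-Path -Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    New-ItemProperty -Path $policyPath -Name 'enable' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Test-WorkSpacesExtensionPolicy {
    # Returns $true only when 'enable' is 1 and the extension directory from the
    # troubleshooting list exists; warns about whichever check fails.
    $ok = $true
    $value = (Get-ItemProperty -Path $policyPath -Name 'enable' `
        -ErrorAction SilentlyContinue).enable
    if ($value -ne 1) {
        Write-Warning "Extension policy not applied: 'enable' is '$value' (expected 1)."
        $ok = $false
    }
    if (-not (Test-Path -Path $extensionDir)) {
        Write-Warning "Extension directory not found: $extensionDir"
        $ok = $false
    }
    return $ok
}

Set-WorkSpacesExtensionPolicy
if (Test-WorkSpacesExtensionPolicy) {
    Write-Output 'Extension policy is in place; reboot the WorkSpace to complete the process.'
}
```

The directory check only confirms that the WorkSpaces extension is installed; the plugin status inside the Zoom VDI client remains the authoritative sign that optimization is active.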

You can use the following examples to apply a GPO as an administrator of your directory.

  • WSE.adml

    <?xml version="1.0" encoding="utf-8"?>
    <policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
      <!-- 'displayName' and 'description' don't appear anywhere. All Windows native GPO template files have them set like this. -->
      <displayName>enter display name here</displayName>
      <description>enter description here</description>
      <resources>
        <stringTable>
          <string id="SUPPORTED_ProductOnly">N/A</string>
          <string id="Amazon">Amazon</string>
          <string id="Amazon_Help">Amazon Group Policies</string>
          <string id="WorkspacesExtension">Workspaces Extension</string>
          <string id="WorkspacesExtension_Help">Workspace Extension Group Policies</string>
          <!-- Extension Itself -->
          <string id="ToggleExtension">Enable/disable Extension Virtual Channel</string>
          <string id="ToggleExtension_Help">Allows two-way Virtual Channel data communication for multiple purposes By default, Extension is disabled.</string>
        </stringTable>
      </resources>
    </policyDefinitionResources>

  • WSE.admx

    <?xml version="1.0" encoding="utf-8"?>
    <policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
      <policyNamespaces>
        <target prefix="WorkspacesExtension" namespace="Microsoft.Policies.Amazon.WorkspacesExtension" />
      </policyNamespaces>
      <supersededAdm fileName="wse.adm" />
      <resources minRequiredRevision="1.0" />
      <supportedOn>
        <definitions>
          <definition name="SUPPORTED_ProductOnly" displayName="$(string.SUPPORTED_ProductOnly)"/>
        </definitions>
      </supportedOn>
      <categories>
        <category name="Amazon" displayName="$(string.Amazon)" explainText="$(string.Amazon_Help)" />
        <category name="WorkspacesExtension" displayName="$(string.WorkspacesExtension)" explainText="$(string.WorkspacesExtension_Help)">
          <parentCategory ref="Amazon" />
        </category>
      </categories>
      <policies>
        <policy name="ToggleExtension" class="Machine" displayName="$(string.ToggleExtension)" explainText="$(string.ToggleExtension_Help)" key="Software\Policies\Amazon\Extension" valueName="enable">
          <parentCategory ref="WorkspacesExtension" />
          <supportedOn ref="SUPPORTED_ProductOnly" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>
      </policies>
    </policyDefinitions>