Workspaces Bring Your Own Windows Desktop Images – Windows 10

1
5387

NOTE: This Article was originally prepared on the 19th August 2019 and some information will no longer be up to date. Where updated, an update has been annotated.

This article attempts to expand upon the OS level tweaks that are required in order to fulfill all the requirements set out by AWS in the article below:

https://docs.aws.amazon.com/workspaces/latest/adminguide/byol-windows-images.html

The AWS article is quite clear on what is required on the AWS side, but it may not be clear what’s required on the Windows 10 image side. Hopefully this will help you quickly get your Windows 10 image ready to upload to AWS.

The Supported Editions – Important

Before you begin, ensure that you understand that there are a limited number of supported releases. As stated by the article, the VM must run one of the following Windows versions (Updated April 2020):

  • Windows 10 Version 1803 (April 2018 Update)
  • Windows 10 Version 1809 (October 2018 Update)
  • Windows 10 Version 1903 (May 2019 Update)
  • Windows 10 Version 1909 (November 2019 Update)

The Requirements – The checker

To help ensure the build is ready, a checker is available from here:

https://tools.amazonworkspaces.com/BYOLChecker.zip

The following “tests” need to pass inorder for a build to function correctly as a workspace image:

NOTE: If you have concerns clicking on a random link, this link is provided via the previous linked document over at AWS. It is left here as a convenience. This link was current as at 19/08/2019.

Requirement Notes
OS is 64 Bit Windows 10 is 64 bit
AutoLogon is disabled Disabled by Default
Automount is enabled Enabled by default
Antivirus is not installed Windows Defender doesn’t affect this test
System is not Azure domain joined Do not join an image to a domain
DHCP is enabled on network interface DHCP is enabled on most VM platforms
Windows Update is disabled To satisfy this requirement, do not set this via registry, simply disable the Windows Update service AND set the “Windows Modules Installer” service to manual. The checker will automatically fix this if required.
System is not AD domain joined Do not join an image to a domain
Attached C: disk is smaller than 80 GB Potentially to do with MaxUploadParts = 10000 ?
Windows Firewall is disabled The checker will automatically fix this if required.
More than 10GB of free space on C: drive  
MBR Partitioned volumes Cannot use GPT volumes (which means only Generation 1 Hyper-V builds can be used)
Image is not in-place upgraded An image should be from a fresh install
Only local disks are attached Remove all removable drives including floppies
Single bootable partition  
Supported Windows Operating system See the list of supported editions
PCoIP Agent is not installed  
No pending system reboot  
PowerShell version installed is 4.0 or higher All editions of Windows 10 should have at least Powershell 5.0 or higher
RealTimeISUniversal registry key is enabled Registry setting under HKLM\System\CurrentControlSet\Control\TimeZoneInformation The checker will automatically fix this if required.
Rearm count is 0 Do not use a trial edition of Windows that has been reset.
VMWare Tools not installed Remove the VMWare Tools if the image is built under VMWare
WorkSpaces_BYOL account is enabled Advised to create the first local account on the image as this account
WorkSpaces_BYOL account exists Advised to create the first local account on the image as this account

The Licence

You must make sure you meet the requirements outlined in the article; this includes:

  1. Your Microsoft licensing agreement allows Windows to be run in a virtual hosted environment.
  2. You will use a minimum of 200 Amazon WorkSpaces. This is a requirement for running your Amazon WorkSpaces on dedicated hardware. Running your Amazon WorkSpaces on dedicated hardware is necessary to comply with Microsoft licensing requirements.
  3. If you plan to use GPU-enabled (Graphics and Graphics Pro) bundles, verify that you will run a minimum of 4 AlwaysOn or 20 AutoStop GPU-enabled WorkSpaces in a Region per month on dedicated hardware.
  4. The Windows operating system image must be activated against your key management servers.
  5. Activate the licence of image with your local KMS servers. This may require manually setting the DNS suffix of the image to your relevant DNS suffix in order to reach relevant KMS services.

The Build – General Guidelines

With regards to the image, the following recommendations have been made:

  1. Keep customizations to a minimum
  2. Do not join an image to a Windows Domain
  3. It is recommended that a local user be created with the name of “Workspaces_BYOL” with Local Admin rights.This password may be needed in future.
  4. Upon completion of build, all removable drives must be removed – this includes floppy disk drives.
  5. Whilst building the image, leave the network interface disconnected to avoid triggering Windows updates.
  6. If using Hyper-V do not build using Generation 2 as all volumes must be MBR partitioned.
  7. Do not Sysprep this image natively – run the checker and allow press the “sysprep” button only when the build passes all checks.

With regards to the image, the following regular build items will generate a warning condition when running the checker tool that the tool can correct if required:

  1. The Windows Firewall must be disabled prior to uploading the image to AWS
  2. Windows Updates must be disabled
  3. RealTimeIsUniversal registry key needs to be enabled

The Windows Firewall – post build

It is reasonable to expect that in most organisations, GPOs have normally been instantiated in order to restrict connectivity in and out of workstations via the Windows Firewall.

For a full list of ports required for Workspaces take a look at this article:

https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html

Once the image has been uploaded and is ready for build, each Workspace will feature a regular production network interface along with a management interface. In order to ensure a stable workspace build, ensure that the following ports are enabled inbound on the management interface port:

  • Inbound TCP on port 4172. This is used for establishment of the streaming connection.
  • Inbound UDP on port 4172. This is used for streaming user input.
  • Inbound TCP on port 8200. This is used for management and configuration of the WorkSpace.

NOTE: If there are plans to utilse the web client TCP port 4489 will also need to be enabled.

In most organisations, the inbound ports are restricted and typically outbound is unrestricted. However; in organisations that have blocked outbound, the following ports will need to be opened outbound:

  • Outbound UDP on ports 50002 and 55002. This is used for PCoIP streaming. If your firewall uses stateful filtering, the ephemeral ports 50002 and 55002 are automatically opened to allow return communication. If your firewall uses stateless filtering, you need to open ephemeral ports 49152 – 65535 to allow return communication.
  • Outbound TCP on port 80 to IP address 169.254.169.254 for access to the EC2 metadata service. Any HTTP proxy assigned to your WorkSpaces must also exclude 169.254.169.254.
  • Outbound TCP on port 1688 to IP addresses 169.254.169.250 and 169.254.169.251 to allow access to Microsoft KMS for Windows and Office activation.

Note: If the Web Client is being used,  8443, 9997 TCP and 3478, 4172 UDP need to be open outbound.

The Logon Banner Message

Many organisations implement a LegalNoticeCaption  and LegalNoticeText via GPO fairly high up in their OU structure. Once these are defined, it can be quite awkward to “disable” them. There is a requirement to not show this for AWS workspaces builds. The good news is that simply defining those policy elements blank (with no value) is sufficient to meet the requirements here.

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here