Amazon WorkSpaces - Administration Guide


Amazon WorkSpaces: Administration Guide

Copyright Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is WorkSpaces? . 1
Features . 1
Architecture . 1
Access your WorkSpace . 2
Pricing . 3
How to get started . 3
Get started: Quick Setup . 4
Before you begin . 4
What Quick Setup does . 5
Step 1: Launch the WorkSpace . 5
Step 2: Connect to the WorkSpace . 7
Step 3: Clean up (Optional) . 7
Next steps . 8
Networking and access . 9
Protocols for Amazon WorkSpaces . 9
VPC requirements . 10
Requirements . 10
Configure a VPC with private subnets and a NAT gateway . 10
Configure a VPC with public subnets . 14
Availability Zones for WorkSpaces . 17
IP address and port requirements . 18
Ports for client applications . 18
Ports for Web Access . 19
Domains and IP addresses to add to your allow list . 19
. 25
. 26
Health check servers . 26
PCoIP gateway servers . 28
WSP gateway servers . 30
Network interfaces . 30
IP address and port requirements by Region . 34
Network requirements . 57
Trusted devices . 59
Step 1: Create the certificates . 60
Step 2: Deploy client certificates to the trusted devices . 60
Step 3: Configure the restriction . 60
Smart card authentication . 61
Requirements . 61
Limitations . 62
Directory configuration . 62
Enable smart cards for Windows WorkSpaces . 63
Enable smart cards for Linux WorkSpaces . 64
Internet access . 68
Security groups . 69
IP access control groups . 70
Create an IP access control group . 71
Associate an IP access control group with a directory . 71
Copy an IP access control group . 71
Delete an IP access control group . 72
PCoIP zero client . 72
Set up Android for Chromebooks . 73
Web Access . 73
Step 1: Enable Web Access to your WorkSpaces . 73
Step 2: Configure inbound and outbound access to ports for Web Access . 74

Step 3: Configure Group Policy and security policy settings to enable users to log on . 74
FIPS endpoint encryption . 76
Enable SSH connections . 77
Prerequisites for SSH connections to Amazon Linux WorkSpaces . 77
Enable SSH connections to all Amazon Linux WorkSpaces in a directory . 78
Enable SSH connections to a specific Amazon Linux WorkSpace . 79
Connect to an Amazon Linux WorkSpace using Linux or PuTTY . 79
Required configuration . 80
Required routing table configuration . 81
Required service components . 80
Directories . 83
Register a directory . 84
Update directory details . 85
Select an organizational unit . 85
Configure automatic IP addresses . 86
Control device access . 87
Manage local administrator permissions . 87
Update the AD Connector account (AD Connector) . 87
Multi-factor authentication (AD Connector) . 88
Update DNS servers for WorkSpaces . 88
Best practices . 89
Step 1: Update the DNS server settings on your WorkSpaces . 89
Step 2: Update the DNS server settings for Active Directory . 91
Step 3: Test the updated DNS server settings . 91
Delete a directory . 93
Enable Amazon WorkDocs for AWS Managed Microsoft AD . 94
Set up Directory Administration . 95
Launch a WorkSpace . 97
Launch using AWS Managed Microsoft AD . 98
Before you begin . 98
Step 1: Create an AWS Managed Microsoft AD Directory . 99
Step 2: Create a WorkSpace . 99
Step 3: Connect to the WorkSpace . 100
Next steps . 101
Launch using Simple AD . 101
Before you begin . 101
Step 1: Create a Simple AD directory . 102
Step 2: Create a WorkSpace . 103
Step 3: Connect to the WorkSpace . 103
Next steps . 104
Launch using AD Connector . 104
Before you begin . 105
Step 1: Create an AD Connector . 105
Step 2: Create a WorkSpace . 106
Step 3: Connect to the WorkSpace . 106
Next steps . 107
Launch using a trusted domain . 107
Before you begin . 108
Step 1: Establish a trust relationship . 108
Step 2: Create a WorkSpace . 108
Step 3: Connect to the WorkSpace . 109
Next steps . 110
Administer WorkSpace users . 111
Manage WorkSpaces users . 111
Edit user information . 111
Add or delete users . 111
Send an invitation email . 112

Create multiple WorkSpaces for a user
Customize how users log in to their WorkSpaces
Enable self-service WorkSpace management capabilities for your users
Enable Amazon Connect audio optimization for your users
Requirements
Enable Amazon Connect audio optimization
Update directory's Amazon Connect audio optimization details
Delete directory's Amazon Connect audio optimization
Administer your WorkSpaces
Manage Windows WorkSpaces
Install the Group Policy administrative template for PCoIP
Install the Group Policy administrative template files for WSP
Set the maximum lifetime for a Kerberos ticket
Configure device proxy server settings for internet access
Manage your Amazon Linux WorkSpaces
Control PCoIP Agent behavior on Amazon Linux WorkSpaces
Enable or disable clipboard redirection for Amazon Linux WorkSpaces
Enable or disable audio-in redirection for Amazon Linux WorkSpaces
Enable or disable time zone redirection for Amazon Linux WorkSpaces
Grant SSH access to Amazon Linux WorkSpaces administrators
Override the default shell for Amazon Linux WorkSpaces
Protect custom repositories from unauthorized access
Use the Amazon Linux Extras Library repository
Use smart cards for authentication on Linux WorkSpaces
Manage the running mode
AutoStop WorkSpaces
Modify the running mode
Stop and start an AutoStop WorkSpace
Modify a WorkSpace
Change volume sizes
Change bundle types
Customize WorkSpace branding
Import custom branding
Describe custom branding
Delete custom branding
Tag WorkSpaces resources
WorkSpace maintenance
Maintenance windows for AlwaysOn WorkSpaces
Maintenance windows for AutoStop WorkSpaces
Manual maintenance
Encrypted WorkSpaces
Prerequisites
Limits
Overview of WorkSpaces encryption using AWS KMS
WorkSpaces encryption context
Grant WorkSpaces permission to use a KMS Key on your behalf
Encrypt a WorkSpace
View encrypted WorkSpaces
Reboot a WorkSpace
Rebuild a WorkSpace
Restore a WorkSpace
Upgrade Windows 10 BYOL WorkSpaces
Prerequisites
Considerations
Known limitations
Summary of registry key settings
Perform an in-place upgrade

Troubleshooting
Update your WorkSpace registry using a PowerShell script
Migrate a WorkSpace
Migration limits
Migration scenarios
What happens during migration
Best practices
Troubleshooting
How billing is affected
Migrating a WorkSpace
Delete a WorkSpace
Bundles and images
Create a custom image and bundle
Requirements to create Windows custom images
Requirements to create Amazon Linux custom images
Best practices
(Optional) Step 1: Specify a custom computer name format for your image
Step 2: Run the Image Checker
Step 3: Create a custom image and custom bundle
What's included with Windows WorkSpaces custom images
What's included with Amazon Linux WorkSpace custom images
Update a custom bundle
Copy a custom image
Share or unshare a custom image
Delete a custom bundle or image
Delete a bundle
Delete an image
Bring Your Own Windows desktop licenses
Requirements
Windows versions supported for BYOL
Add Microsoft Office to Your BYOL image
Step 1: Check the eligibility of your account for BYOL using the Amazon WorkSpaces console
Step 2: Enable BYOL for your account for BYOL using the Amazon WorkSpaces console
Step 3: Run the BYOL Checker PowerShell script on a Windows VM
Step 4: Export the VM from your virtualization environment
Step 5: Import the VM as an image into Amazon EC2
Step 6: Create a BYOL image using the WorkSpaces console
Step 7: Create a custom bundle from the BYOL image
Step 8: Register a dedicated directory for WorkSpaces
Step 9: Launch your BYOL WorkSpaces
Monitor your WorkSpaces
Monitor using CloudWatch metrics
WorkSpaces metrics
Dimensions for WorkSpaces metrics
Monitoring example
Monitor using CloudWatch Events
WorkSpaces events
Create a rule to handle WorkSpaces events
Understanding AWS sign-in events for smart card users
Example events for AWS sign-in scenarios
Business continuity
Cross-Region redirection
Prerequisites
Limitations
Step 1: Create connection aliases
(Optional) Step 2: Share a connection alias with another account
Step 3: Associate connection aliases with directories in each Region

Step 4: Configure your DNS service and set up DNS routing policies
Step 5: Send the connection string to your WorkSpaces users
What happens during cross-Region redirection
Disassociate a connection alias from a directory
Unshare a connection alias
Delete a connection alias
IAM permissions to associate and disassociate connection aliases
Security considerations if you stop using cross-Region redirection
Security
Data protection
Encryption at rest

Network connection lost. Check your network connection or contact your administrator for help." when trying to connect to a WSP WorkSpace . 249
The WorkSpaces client gives my users a network error, but they are able to use other network-