In the context of Amazon WorkSpaces, “idle time” refers to the period during which a user is not actively using their virtual desktop or WorkSpace session. While the client software is open, this inactivity is not detected, because the PCoIP or WSP client remains connected.
The WSM Agent has been extended to allow the user to be disconnected from a WorkSpace when they reach the defined idle time inside the vDesktop.
To configure the detection of “idle time” and the action taken after this time (disconnection), configure the registry entry on the WorkSpaces. This can be done via two mechanisms:
1) On the Golden Image, by importing the registry file and ensuring that the values below are populated:
• IdleMinutes (already existed before)
• DisconnectOnIdle (new since version 5.6.0)
2) Via Group Policy, by pushing those same keys to the WorkSpaces registry
A new entry has been included in the registry to allow disconnection during periods of inactivity. This new registry key, named “DisconnectOnIdle,” is of the “REG_SZ” type. If the key is absent or set to “false,” no action will be initiated. Modifying the key value to “true” will result in the disconnection of the user once the specified idle time, defined in the “IdleMinutes” key, is reached:
Policy Management for WSP
The default security settings for a WorkSpace user do not allow them to stop or start a service on their WorkSpace, which is necessary for disconnecting a user. We suggest making a modification to the Group Policy Object (GPO) used for deploying the WSM Agent. To accomplish this, install the “Group Policy Management” remote tool on a WorkSpace and perform the necessary changes, with the correct Active Directory permissions. This cannot be done from a Domain Controller or another server in the domain, only from an existing Windows WorkSpace:
Create a new GPO in the OU in which WorkSpaces are grouped (if there are many OUs, this GPO can be reused multiple times), by right-clicking the directory in question and choosing “Create a GPO in this domain, and link it here…”:
Name it “WorkSpacesDisconnect” or any other name aligned with your security standards:
Once created, right-click the GPO and choose “Edit…”:
In the new Group Policy Management Editor window, go to the section Computer configuration > Policies > Windows Settings > Security Settings > System Services. Look for one of two services, depending on whether WSP or PCoIP is in use:
• If WSP is in use: the service to modify is called “DCV Server”
• If PCoIP is in use: then the service is called “PCoIP Standard Agent for Windows”
Double-click the policy, which is shown as not defined, tick the box “Define this policy setting”, and choose the option “Automatic” under “Select service startup mode”:
Click the “Edit Security” button and then “Add” to add the domain group called “Domain Users”:
Then search for “Domain Users” and click the “Check Names” button to confirm:
Assign the permission “Start, stop and pause” to that group:
Click “OK”. An alert will state that the change applies to all users in the GPO; accept it by clicking “Yes”:
The service will now show as “Configured”:
Close this editor and go back to the Group Policy Management service to confirm that the new values have been added, in the “Settings” tab:
Policy Management for PCoIP
If your WorkSpaces vDesktop Farm includes a combination of WSP and PCoIP devices, you will have to modify both services. You can use the same GPO Policy, but you must execute each of them from a WorkSpace that uses that particular protocol.
In the example above, we used a WorkSpace with WSP to install the Group Policy Management applet. Below, we do the same from a PCoIP WorkSpace. The steps are identical, but the name of the service changes from “DCV Server” to “PCoIP Standard Agent for Windows”.
Edit the “WorkSpacesDisconnect” GPO again and, in the editor, go to the section Computer configuration > Windows Settings > Security Settings > System Services > PCoIP Standard Agent for Windows:
Repeat the same process to enable the policy:
Now we will see both protocols enabled:
If the WorkSpace is not being disconnected on idle, use File Explorer to navigate to “%USERPROFILE%\AppData\Local\TempRight\Nuvens”.
The log file will contain any errors that occurred when attempting to disconnect the WorkSpace. In general, these will be related to permissions not allowing the service to be stopped and started.
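Since most failures come down to service permissions, the PowerShell check below reads each service's security descriptor on a WorkSpace and reports whether “Domain Users” holds the “Start, stop and pause” rights and nothing broader (such as rights to change the service configuration or its ACL). It is an added example, not part of the WSM Agent or its documentation; it assumes the Domain Users entry appears under the SDDL alias DU or a domain SID ending in RID 513.

```powershell
# Added example, not WSM Agent code. Display names are the ones given on the page.
$displayNames = 'DCV Server', 'PCoIP Standard Agent for Windows'
$needed    = 'RP', 'WP', 'DT'                     # SDDL: start, stop, pause/continue
$dangerous = 'DC', 'WD', 'WO', 'SD', 'GA', 'GW'   # change config, write DACL/owner, delete, generic all/write

foreach ($display in $displayNames) {
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "[$display] not present on this WorkSpace"; continue }

    # sc.exe sdshow prints the service security descriptor as one SDDL string.
    $sddl = ((sc.exe sdshow "$($svc.Name)") -join '').Trim()

    # Each ACE has the form (type;flags;rights;object;inherit;trustee).
    $aces  = [regex]::Matches($sddl, '\(([^;)]*);[^;)]*;([^;)]*);[^;)]*;[^;)]*;([^;)]*)\)')
    $found = $false
    foreach ($ace in $aces) {
        $type    = $ace.Groups[1].Value
        $rights  = $ace.Groups[2].Value
        $trustee = $ace.Groups[3].Value
        # Assumption: Domain Users is listed as alias DU or as a domain SID with RID 513.
        if ($type -ne 'A' -or $trustee -notmatch '^(DU|S-1-5-21-[\d-]+-513)$') { continue }
        $found = $true
        if ($rights -match '^0x') {
            Write-Warning "[$display] Domain Users ACE uses raw mask $rights; review it manually"
            continue
        }
        $codes   = @([regex]::Matches($rights, '..') | ForEach-Object { $_.Value })
        $missing = @($needed | Where-Object { $_ -notin $codes })
        $excess  = @($codes  | Where-Object { $_ -in $dangerous })
        if ($missing.Count) { Write-Warning "[$display] missing rights: $($missing -join ',')" }
        if ($excess.Count)  { Write-Warning "[$display] broader than start/stop/pause: $($excess -join ',')" }
        if (-not $missing.Count -and -not $excess.Count) {
            Write-Host "[$display] Domain Users: start/stop/pause granted, no config or ACL rights"
        }
    }
    if (-not $found) { Write-Warning "[$display] no allow ACE for Domain Users; GPO may not have applied" }
}
```

A “missing rights” or “no allow ACE” warning matches the permission errors described for the log file; a “broader than start/stop/pause” warning means the GPO security entry should be reduced to the single permission set in the steps above.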