GPO and value for Disconnection after idle time
In the context of Amazon WorkSpaces, "idle time" refers to the period during which a user is not actively using their virtual desktop or workspace session. AWS itself does not measure it.
The WorkSpaces Performance Monitor Agent has been enhanced to allow users to be disconnected from their WorkSpace once they reach the defined idle time inside the virtual desktop (vDesktop). To configure the detection of "idle time" and the subsequent action (such as disconnection), follow one of these two methods to populate the necessary registry values:
Mechanism 1: On the Golden Image
Import the Registry File: Ensure the registry file contains the required keys and values.
Verify the Values: Ensure that the following registry values are populated correctly for the WorkSpaces Performance Monitor Agent:
IdleMinutes: The amount of time (in minutes) after which the user is considered idle.
DisconnectOnIdle: A boolean value to indicate if the user should be disconnected after the idle time (True or False).
Import the registry settings before creating new WorkSpaces from the golden image.
Mechanism 2: Via GPO (Group Policy)
Create or Edit a GPO:
In Group Policy Management, create or edit a GPO applied to your WorkSpaces OU.
Configure the Registry Entries:
In the Group Policy Editor, navigate to Computer Configuration > Preferences > Windows Settings > Registry.
Right-click and select New > Registry Item.
Add the Necessary Registry Keys:
IdleMinutes:
Action: Create
Hive: HKEY_USERS
Key Path: .DEFAULT\Software\Nuvens
Value Name: IdleMinutes
Value Type: REG_DWORD (32-bit)
Value Data: Set the idle time in minutes (e.g., 15 for 15 minutes of inactivity).
DisconnectOnIdle:
Action: Create
Hive: HKEY_USERS
Key Path: .DEFAULT\Software\Nuvens
Value Name: DisconnectonIdle
Value Type: REG_SZ
Value Data: True (to disconnect the user after the defined idle time).
Ensure Disconnection on Idle:
The new registry entry allows you to define whether the user should be disconnected during periods of inactivity. Both methods ensure the necessary registry values are applied to the WorkSpaces, enforcing the idle time detection and disconnection policy.
Policy Management for WSP
By default, WorkSpace users do not have the required permissions to start or stop services on their WorkSpace, which is essential for disconnecting a user based on idle time. We recommend modifying the Group Policy Object (GPO) used to deploy the WorkSpaces Performance Monitor Agent to grant these permissions. To do this, install the Group Policy Management remote tool on a WorkSpace and make the necessary changes, ensuring you have the appropriate Active Directory permissions.
This modification cannot be performed from a Domain Controller or any other server in the domain. It must be done from an existing Windows WorkSpace, as it relies on the PCoIP or WSP protocol values specific to the WorkSpace environment.
To create a new GPO in the OU where the WorkSpaces are grouped (and reuse it if there are multiple OUs), follow these steps:
Open Group Policy Management.
Locate the OU where your WorkSpaces are grouped.
Right-click the OU and select "Create a GPO in this domain, and link it here…".
Provide a name for the new GPO.
Click OK to create and link the GPO to the selected OU.
This GPO can then be reused across other OUs as needed.
Name the GPO "WorkSpacesDisconnect" or any other name that aligns with your organization's security standards. This naming convention will help easily identify the purpose of the GPO within your Group Policy Management structure.
Once the GPO is created, right-click on it and select "Edit…" to open the Group Policy Management Editor, where you can configure the necessary settings for the WorkSpacesDisconnect policy.
In the Group Policy Management Editor window, navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
Here, you'll need to modify the appropriate service based on the protocol in use:
If WSP is in use: Locate and modify the service called "DCV Server".
If PCoIP is in use: Locate and modify the service called "PCoIP Standard Agent for Windows".
Adjust the security settings for the relevant service to allow users to start or stop it as needed for disconnection purposes.
Double-click the policy for the service that is "Not defined", then:
Check the box for "Define this policy setting".
Under "Select service startup mode", choose the option "Automatic".
This setting ensures the service will start automatically and allows the WorkSpaces Performance Monitor Agent to manage user disconnection based on idle time.
Click on the "Edit Security" button, then:
In the Security window, click "Add".
In the Select Users, Computers, or Groups dialog, type "Domain Users" and click OK.
Assign the necessary permissions for Domain Users to start, stop, and restart the service.
Click OK to apply the changes.
This will ensure that the Domain Users group has the appropriate permissions to manage the service for user disconnections.
After clicking "Add", follow these steps:
In the Select Users, Computers, or Groups dialog, type "Domain Users".
Click the "Check Names" button to confirm the group is recognized in the domain.
Once confirmed, click OK to add Domain Users.
This ensures that the Domain Users group is properly selected for security permissions on the service.
Once "Domain Users" is added, follow these steps to assign the required permissions:
In the Permissions window, locate the "Domain Users" group.
Under the Permissions section, check the box for "Start, stop and pause".
Click Apply, then OK to save the changes.
This will grant the Domain Users group the ability to start, stop, and pause the service as needed for managing user disconnection.
After assigning the permissions:
Click "OK".
An alert will appear notifying you that the changes will apply to all users affected by the GPO.
Confirm by clicking "Yes" to agree.
This will finalize the changes, applying the updated permissions to all users under the GPO.
After completing the steps, the service will now display as "Configured" in the Group Policy Management Editor under System Services. This indicates that the settings, including the startup mode and security permissions, have been successfully applied.
After closing the Group Policy Management Editor, return to the Group Policy Management Console.
In the GPO you've edited (e.g., "WorkSpacesDisconnect"), select the "Settings" tab.
Review the displayed settings to confirm that the new values, such as the modified service configurations and security permissions, have been successfully added.
This step ensures that the changes have been applied and are reflected in the policy settings.
Policy Management for PCoIP
If your WorkSpaces vDesktop Farm includes a mix of both WSP and PCoIP devices, you will need to modify both services. You can use the same GPO policy, but you must apply the changes from a WorkSpace running the specific protocol. In the example above, we used a WorkSpace with WSP to install the Group Policy Management applet. Similarly, you will repeat the process from a PCoIP WorkSpace. The steps remain the same, with the only difference being the service name, which changes from "DCV Server" to "PCoIP Standard Agent for Windows".
To continue modifying the WorkSpacesDisconnect GPO, follow these steps:
Open Group Policy Management and right-click the "WorkSpacesDisconnect" GPO. Select "Edit".
In the Group Policy Management Editor, navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
Locate the service named "PCoIP Standard Agent for Windows".
Proceed with configuring this service as needed, following similar steps as with the WSP service.
Repeat the same process to enable the policy for the "PCoIP Standard Agent for Windows" service:
Double-click on the "PCoIP Standard Agent for Windows" service.
Check the box for "Define this policy setting".
Under "Select service startup mode", choose "Automatic".
Click "Edit Security".
Add the "Domain Users" group by clicking "Add", then type "Domain Users", and click "Check Names" to confirm.
Grant "Start, stop, and pause" permissions to the Domain Users group.
Click "OK" and confirm the alert by clicking "Yes".
Once completed, the service will be marked as Configured, just like for the WSP service.
Now, both protocols—WSP and PCoIP—will be enabled and configured in the Group Policy. You will see both services, "DCV Server" for WSP and "PCoIP Standard Agent for Windows", marked as Configured under the System Services section of the GPO. This confirms that both protocols are set up to manage user disconnections based on idle time.
If the WorkSpace is not disconnecting as expected during idle time, you can troubleshoot by checking the log file. To do this, use File Explorer and navigate to:
%USERPROFILE%\AppData\Local\Temp\Nuvens
The log file in this folder will contain any errors that occurred during attempts to disconnect the WorkSpace. Typically, these issues are related to permissions that prevent the service from being stopped and started.
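Before reading the log, it helps to confirm on the WorkSpace itself that both halves of the configuration landed: the two registry values and the service permissions. The PowerShell below is an added example, not code from the agent or from this guide's author. It uses the key path, value names and service display names given above, and assumes that the Domain Users group shows up in the service's security descriptor either as the SDDL alias DU or as a SID ending in RID 513.

```powershell
# Added check, not vendor code. Key path, value names and service display
# names are taken from this page; run on a WorkSpace after the GPO has applied.
$key      = 'Registry::HKEY_USERS\.DEFAULT\Software\Nuvens'
$expected = @{ IdleMinutes = 'DWord'; DisconnectOnIdle = 'String' }

$item = Get-Item -Path $key -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Warning "Missing key: $key"
} else {
    foreach ($name in $expected.Keys) {
        if ($item.GetValueNames() -notcontains $name) {
            Write-Warning "Missing value: $name"
            continue
        }
        $kind = $item.GetValueKind($name)
        $note = if ("$kind" -eq $expected[$name]) { 'type OK' } else { "expected $($expected[$name])" }
        '{0} = {1} ({2}, {3})' -f $name, $item.GetValue($name), $kind, $note
    }
}

# SDDL access codes as they apply to Windows services.
$needed = 'RP', 'WP', 'DT'                      # start, stop, pause/continue
$risky  = 'DC', 'WD', 'WO'                      # change config, write DACL, write owner

foreach ($display in 'DCV Server', 'PCoIP Standard Agent for Windows') {
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if (-not $svc) { "${display}: not present on this WorkSpace"; continue }

    $sddl  = (& sc.exe sdshow $svc.Name) -join ''
    $found = $false
    # Allow ACEs have the form (A;flags;rights;;;trustee).
    foreach ($ace in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]+);[^;]*;[^;]*;([^)]+)\)')) {
        $trustee = $ace.Groups[2].Value
        # Assumption: Domain Users appears as the alias DU or as a SID ending in RID 513.
        if ($trustee -ne 'DU' -and $trustee -notmatch '-513$') { continue }
        $found   = $true
        $rights  = [regex]::Matches($ace.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        $missing = @($needed | Where-Object { $rights -notcontains $_ })
        $extra   = @($rights | Where-Object { $risky -contains $_ })
        if ($missing) { Write-Warning "${display}: Domain Users lacks $($missing -join ',')" }
        if ($extra)   { Write-Warning "${display}: Domain Users also holds $($extra -join ',')" }
        if (-not $missing -and -not $extra) { "${display}: start/stop/pause granted, nothing broader" }
    }
    if (-not $found) { Write-Warning "${display}: no allow ACE for Domain Users" }
}
```

A warning about DC, WD or WO means the group can reconfigure the service or rewrite its permissions, which is more than the "Start, stop and pause" box described above grants and is worth correcting in the GPO.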