Create a custom image and custom bundle

• What's included with Windows WorkSpaces custom images (p. 156)

• What's included with Amazon Linux WorkSpace custom images (p. 157)

Requirements to create Windows custom images

• The status of the WorkSpace must be Available and its modiﬁcation state must be None.

• All applications and user proﬁles on WorkSpaces images must be compatible with Microsoft Sysprep.

• All applications to be included in the image must be installed on the C drive.

• The user proﬁle must exist, must be located at D:\Users\username, and its total size (ﬁles and data) must be less than 10 GB.

• The C drive must have at least 12 GB of available space.

• All application services running on the WorkSpace must use a local system account instead of domain user credentials. For example, you cannot have a Microsoft SQL Server Express installation running with a domain user's credentials.

• The WorkSpace must not be encrypted. Image creation from an encrypted WorkSpace is not currently supported.

• The following components are required in an image. Without these components, the WorkSpaces that you launch from the image will not function correctly:

• Windows PowerShell version 3.0 or later

• Remote Desktop Services

• AWS PV drivers

• Windows Remote Management (WinRM)

• Teradici PCoIP agents and drivers

• STXHD agents and drivers

• AWS and WorkSpaces certiﬁcates

• Skylight agent

Requirements to create Amazon Linux custom images

• The status of the WorkSpace must be Available and its modiﬁcation state must be None.

• All applications to be included in the image must be installed outside of the user volume (the /home directory).

• The root volume (/) should be less than 97% full.

Best practices

• The WorkSpace must not be encrypted. Image creation from an encrypted WorkSpace is not currently supported.

• The following components are required in an image. Without these components, the WorkSpaces that you launch from the image will not function correctly:

• Cloud-init

• Teradici PCoIP agents and drivers

• Skylight agent

Best practices

Before you create an image from a WorkSpace, do the following:

• Use a separate VPC that is not connected to your production environment.

• Deploy the WorkSpace in a private subnet and use a NAT instance for outbound traﬃc.

• Use a small Simple AD directory.

• Use the smallest volume size for the source WorkSpace, and then adjust the volume size as needed when creating the custom bundle.

• Install all operating system updates (except Windows feature/version updates) and all application updates on the WorkSpace. For more information, see the Important note (p. 145) at the start of this topic.

• Delete cached data from the WorkSpace that shouldn't be included in the bundle (for example, browser history, cached ﬁles, and browser cookies).

• Delete conﬁguration settings from the WorkSpace that shouldn't be included in the bundle (for example, email proﬁles).

• Switch to dynamic IP address settings using DHCP.

• Make sure that you haven't exceeded your quota for WorkSpace images allowed in a Region. By default, you're allowed 40 WorkSpace images per Region. If you've reached this quota, new attempts to create an image will fail. To request a quota increase, use the WorkSpaces Limits form.

• Make sure that you aren't trying to create an image from an encrypted WorkSpace. Image creation from an encrypted WorkSpace is not currently supported.

• If you're running any antivirus software on the WorkSpace, disable it while you're attempting to create an image.

• If you have a ﬁrewall enabled on your WorkSpace, make sure that it isn't blocking any necessary ports.

For more information, see IP address and port requirements for WorkSpaces (p. 18).

• For Windows WorkSpaces, don't conﬁgure any Group Policy Objects (GPOs) before image creation.

• For Windows WorkSpaces, do not customize the default user proﬁle (C:\Users\Default) before creating an image. We recommend making any customizations to the user proﬁle through GPOs, and applying them after image creation. GPOs can be easily modiﬁed or rolled back, and are therefore less prone to error than customizations made to the default user proﬁle.

• For Linux WorkSpaces, see also the "Best Practices to Prepare Your Amazon WorkSpaces for Linux Images" whitepaper.

• If you want to use smart cards on Linux WorkSpaces with WorkSpaces Streaming Protocol (WSP) enabled, see Use smart cards for authentication (p. 37) for the customizations that you must make to your Linux WorkSpace before creating your image.

(Optional) Step 1: Specify a custom computer name format for your image

For the WorkSpaces launched from your custom or Bring Your Own License (BYOL) images, you can specify a custom preﬁx for the computer name format instead of using the default computer name format (p. 73). To specify a custom preﬁx, follow the appropriate procedure for your image type.

To specify a custom computer name format for custom images

1. On the WorkSpace that you're using to create your custom image, open C:\ProgramData\Amazon

\EC2-Windows\Launch\Sysprep\Unattend.xml in Notepad or another text editor. For more information about working with the Unattend.xml ﬁle, see Answer ﬁles (unattend.xml) in the Microsoft documentation.

Note

To access the C: drive from the Windows File Explorer on your WorkSpace, enter C:\ in the address bar.

2. In the <settings pass="specialize"> section, make sure that <ComputerName> is set to an asterisk (*). If <ComputerName> is set to any other value, your custom computer name settings will be ignored. For more information about the <ComputerName> setting, see ComputerName in the Microsoft documentation.

3. In the <settings pass="specialize"> section, set <RegisteredOrganization> and

<RegisteredOwner> to your preferred values.

During Sysprep, the values that you specify for <RegisteredOwner> and

<RegisteredOrganization> are concatenated together, and the ﬁrst 7 characters of the combined string are used to create the computer name. For example, if you specify Amazon.com for <RegisteredOrganization> and EC2 for <RegisteredOwner>, the computer names for the WorkSpaces created from your custom bundle will start with EC2AMAZ-xxxxxxx.

Note

The <RegisteredOrganization> and <RegisteredOwner> values in the <settings pass="oobeSystem"> section are ignored by Sysprep.

4. Save your changes to the Unattend.xml ﬁle.

To specify a custom computer name format for BYOL images

1. Open C:\Program Files\Amazon\Ec2ConfigService\Sysprep2008.xml in Notepad or another text editor.

2. In the <settings pass="specialize"> section, uncomment <ComputerName>*</

ComputerName>, and make sure that <ComputerName> is set to an asterisk (*). If

<ComputerName> is set to any other value, your custom computer name settings will be ignored.

For more information about the <ComputerName> setting, see ComputerName in the Microsoft documentation.

3. In the <settings pass="specialize"> section, set <RegisteredOrganization> and

<RegisteredOwner> to your preferred values.

During Sysprep, the values that you specify for <RegisteredOwner> and

Step 2: Run the Image Checker

Note

The <RegisteredOrganization> and <RegisteredOwner> values in the <settings pass="oobeSystem"> section are ignored by Sysprep.

4. Save your changes to the Sysprep2008.xml ﬁle.

Step 2: Run the Image Checker

Note

The Image Checker is available only for Windows WorkSpaces. If you are creating an image from a Linux WorkSpace, skip to Step 3: Create a custom image and custom bundle (p. 155).

To conﬁrm that your Windows WorkSpace meets the requirements for image creation, we recommend running the Image Checker. The Image Checker performs a series of tests on the WorkSpace that you want to use to create your image, and provides guidance on how to resolve any issues it ﬁnds.

Important

• The WorkSpace must pass all of the tests run by the Image Checker before you can use it for image creation.

• Before you run the Image Checker, verify that the latest Windows security and cumulative updates are installed on your WorkSpace.

• The Image Checker does not check the user proﬁle size for Windows 10 WorkSpaces. If you have a Windows 10 WorkSpace, make sure that the user proﬁle size is less than 10 GB.

To get the Image Checker, do one of the following:

• Reboot your WorkSpace (p. 131). The Image Checker is downloaded automatically during the reboot and installed at C:\Program Files\Amazon\ImageChecker.exe.

• Download the Amazon WorkSpaces Image Checker from https://tools.amazonworkspaces.com/

ImageChecker.zip and extract the ImageChecker.exe ﬁle. Copy this ﬁle to C:\Program Files

\Amazon\.

To run the Image Checker

1. Open the C:\Program Files\Amazon\ImageChecker.exe ﬁle.

2. In the Amazon WorkSpaces Image Checker dialog box, choose Run.

3. After each test is completed, you can view the status of the test.

For any test with a status of FAILED, choose Info to display information about how to resolve the issue that caused the failure. For more information about how to resolve these issues, see Tips for resolving issues detected by the Image Checker (p. 150).

If any tests display a status of WARNING, choose the Fix All Warnings button.

The tool generates an output log ﬁle in the same directory where the Image Checker is located. By default, this ﬁle is located at C:\Program Files\Amazon

\ImageChecker_yyyyMMddhhmmss.log.

Tip

Do not delete this log ﬁle. If an issue occurs, this log ﬁle might be helpful in troubleshooting.

4. If applicable, resolve any issues that cause test failures and warnings, and repeat the process of running the Image Checker until the WorkSpace passes all tests. All failures and warnings must be resolved before you can create an image.

Step 2: Run the Image Checker

5. After your WorkSpace passes all tests, you see a Validation Successful message. You are now ready to create a custom bundle.

Tips for resolving issues detected by the Image Checker

In addition to consulting the following tips for resolving issues that are detected by the Image Checker, be sure to review the Image Checker log ﬁle at C:\Program Files\Amazon

\ImageChecker_yyyyMMddhhmmss.log.

PowerShell version 3.0 or later must be installed Install the latest version of Microsoft Windows PowerShell.

Important

The PowerShell execution policy for a WorkSpace must be set to allow RemoteSigned scripts.

To check the execution policy, run the Get-ExecutionPolicy PowerShell command. If the execution policy is not set to Unrestricted or RemoteSigned, run the Set-ExecutionPolicy – ExecutionPolicy RemoteSigned command to change the value of the execution policy. The RemoteSigned setting allows the execution of scripts on Amazon WorkSpaces, which is required to create an image.

Only the C and D drives can be present

Only the C and D drives can be present on a WorkSpace that's used for imaging. Remove all other drives, including virtual drives.

No pending reboot due to Windows Updates can be detected

• The Create Image process can't be run until Windows has been rebooted to ﬁnish installing security or cumulative updates. Reboot Windows to apply these updates, and make sure that no other pending Windows security or cumulative updates need to be installed.

• Image creation is not supported on Windows 10 systems that have been upgraded from one version of Windows 10 to a newer version of Windows 10 (a Windows feature/version upgrade). However, Windows cumulative or security updates are supported by the WorkSpaces image-creation process.

The Sysprep ﬁle must exist and can't be blank

If there are problems with your Sysprep ﬁle, contact the AWS Support Center to get your EC2Conﬁg or EC2Launch repaired.

The user proﬁle size must be less than 10 GB

The user proﬁle (D:\Users\username) must be less than 10 GB total. Remove ﬁles as needed to reduce the size of the user proﬁle.

Drive C must have enough free space

You must have at least 12 GB of free space on drive C. Remove ﬁles as needed to free up space on drive C.

No services can be running under a domain account

To run the Create Image process, no services on the WorkSpace can be running under a domain account.

All services must be running under a local account.

To run services under a local account

1. Open C:\Program Files\Amazon\ImageChecker_yyyyMMddhhmmss.log and ﬁnd the list of services that are running under a domain account.

Step 2: Run the Image Checker

2. In the Windows search box, enter services.msc to open the Windows Services Manager.

3. Under Log On As, look for the services that are running under domain accounts. (Services running as Local System, Local Service, or Network Service do not interfere with image creation.)

4. Select a service that is running under a domain account, and then choose Action, Properties.

5. Open the Log On tab. Under Log on as, choose Local System account.

6. Choose OK.

Amazon WorkSpaces Application Manager (Amazon WAM) must be installed

If you have used Amazon WAM to assign applications to your users, you must set up the Amazon WAM installer on your WorkSpace. When you are ﬁnished, the Amazon WAM shortcut will appear on your WorkSpace desktop.

The WorkSpace must be conﬁgured to use DHCP

You must conﬁgure all network adapters on the WorkSpace to use DHCP instead of static IP addresses.

To set all network adapters to use DHCP

1. In the Windows search box, enter control panel to open the Control Panel.

2. Choose Network and Internet.

3. Choose Network and Sharing Center.

4. Choose Change adapter settings, and select an adapter.

5. Choose Change settings of this connection.

6. On the Networking tab, select Internet Protocol Version 4 (TCP/IPv4), and then choose Properties.

7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Obtain an IP address automatically.

8. Choose OK.

9. Repeat this process for all network adapters on the WorkSpace.

Remote Desktop Services must be enabled

The Create Image process requires Remote Desktop Services to be enabled.

To enable Remote Desktop Services

1. In the Windows search box, enter services.msc to open the Windows Services Manager.

2. In the Name column, ﬁnd Remote Desktop Services.

3. Select Remote Desktop Services, and then choose Action, Properties.

4. On the General tab, for Startup type, choose Manual or Automatic.

5. Choose OK.

A user proﬁle must exist

The WorkSpace that you're using to create images must have a user proﬁle (D:\Users\username). If this test fails, contact the AWS Support Center for assistance.

The environment variable path must be properly conﬁgured

The environment variable path for the local machine is missing entries for System32 and for Windows PowerShell. These entries are required for Create Image to run.

Step 2: Run the Image Checker

To conﬁgure your environment variable path

1. In the Windows search box, enter environment variables and then choose Edit the system environment variables.

2. In the System Properties dialog box, open the Advanced tab, and choose Environment Variables.

3. In the Environment Variables dialog box, under System variables, select the Path entry and then choose Edit.

4. Choose New, and add the following path:

C:\Windows\System32

5. Choose New again, and add the following path:

C:\Windows\System32\WindowsPowerShell\v1.0\

6. Choose OK.

7. Restart the WorkSpace.

Tip

The order in which items appear in the environment variable path matters. To determine the correct order, you might want to compare the environment variable path of your WorkSpace with one from a newly created WorkSpace or a new Windows instance.

Windows Modules Installer must be enabled

The Create Image process requires the Windows Modules Installer service to be enabled.

To enable the Windows Modules Installer service

1. In the Windows search box, enter services.msc to open the Windows Services Manager.

2. In the Name column, ﬁnd Windows Modules Installer.

3. Select Windows Modules Installer, and then choose Action, Properties.

4. On the General tab, for Startup type, choose Manual or Automatic.

5. Choose OK.

Amazon SSM Agent must be disabled

The Create Image process requires the Amazon SSM Agent service to be disabled.

To disable the Amazon SSM Agent service

1. In the Windows search box, enter services.msc to open the Windows Services Manager.

2. In the Name column, ﬁnd Amazon SSM Agent.

3. Select Amazon SSM Agent, and then choose Action, Properties.

4. On the General tab, for Startup type, choose Disabled.

5. Choose OK.

SSL3 and TLS version 1.2 must be enabled

To conﬁgure SSL/TLS for Windows, see How to Enable TLS 1.2 in the Microsoft Windows documentation.

Only one user proﬁle can exist on the WorkSpace

There can be only one WorkSpaces user proﬁle (D:\Users\username) on the WorkSpace that you're using to create images. Delete any user proﬁles that don't belong to the intended user of the WorkSpace.

Step 2: Run the Image Checker

For image creation to work, your WorkSpace can have only three user proﬁles on it:

• The user proﬁle of the intended user of the WorkSpace (D:\Users\username)

• The default user proﬁle (also known as Default Proﬁle)

• The Administrator user proﬁle

If there are additional user proﬁles, you can delete them through the advanced system properties in the Windows Control Panel.

To delete a user proﬁle

1. To access the advanced system properties, do one of the following:

• Press the Windows key+Pause Break, and then choose Advanced system settings in the left pane of the Control Panel > System and Security > System dialog box.

• In the Windows search box, enter control panel. In the Control Panel, choose System and Security, then choose System, and then choose Advanced system settings in the left pane of the Control Panel > System and Security > System dialog box.

2. In the System Properties dialog box, on the Advanced tab, choose Settings under User Proﬁles.

3. If any proﬁle is listed other than the Administrator proﬁle, the Default Proﬁle, and the proﬁle of the intended WorkSpaces user, select that additional proﬁle and choose Delete.

4. When asked if you want to delete the proﬁle, choose Yes.

5. If necessary, repeat Steps 3 and 4 to remove any other proﬁles that don't belong on the WorkSpace.

6. Choose OK twice and close the Control Panel.

7. Restart the WorkSpace.

No AppX packages can be in a staged state

One or more AppX packages are in a staged state. This might cause a Sysprep error during image creation.

To remove all staged AppX packages

1. In the Windows search box, enter powershell. Choose Run as Administrator.

2. When asked "Do you want to allow this app to make changes to your device?", choose Yes.

3. In the Windows PowerShell window, enter the following commands to list all staged AppX packages, and press Enter after each one.

$workSpaceUserName = $env:username

$allAppxPackages = Get-AppxPackage -AllUsers

$packages = $allAppxPackages | Where-Object { `

(($_.PackageUserInformation -like "*S-1-5-18*" -and ! ($_.PackageUserInformation -like "*$workSpaceUserName*")) -and `

($_.PackageUserInformation -like "*Staged*" -or $_.PackageUserInformation -like "*Installed*")) -or `

((!($_.PackageUserInformation -like "*S-1-5-18*") -and $_.PackageUserInformation -like "*$workSpaceUserName*") -and `

$_.PackageUserInformation -like "*Staged*") }

4. Enter the following command to remove all staged AppX packages, and press Enter.

Step 2: Run the Image Checker

$packages | Remove-AppxPackage -ErrorAction SilentlyContinue

5. Run the Image Checker again. If this test still fails, enter the following commands to remove all AppX packages, and press Enter after each one.

Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue

Get-AppxPackage -AllUsers | Remove-AppxPackage -ErrorAction SilentlyContinue

Windows must not have been upgraded from a previous version

Image creation is not supported on Windows systems that have been upgraded from one version of Windows 10 to a newer version of Windows 10 (a Windows feature/version upgrade).

在文檔中 Amazon WorkSpaces (頁 154-171)