Desktop and Application Streaming
Configuring Windows Remote Assistance for Amazon WorkSpaces and Amazon AppStream 2.0
In this guide we look at how configuring Windows Remote Assistance for Amazon WorkSpaces and Amazon AppStream 2.0 can expand the remote support options available for your AWS End User Computing (AWS EUC) infrastructure.
This guide has been created to demonstrate how you can leverage the built-in Windows Remote Assistance tooling across your AWS EUC infrastructure without additional 3rd party software, agents or expense.
This guide also provides PowerShell examples for enabling the Windows Remote Assistance feature across your AWS EUC infrastructure and additionally a PowerShell tool to simplify the session discovery and selection where end users may have multiple sessions across different AppStream 2.0 fleets or multiple WorkSpaces directories.
Time to read | 20 minutes |
Time to complete | 30 minutes |
Cost to complete | $0 |
Learning level | 300 |
Services used | AWS Identity and Access Management (IAM) |
Overview of Solution
To demonstrate how you can leverage the built-in Windows Remote Assistance across your Amazon AppStream 2.0 or Amazon WorkSpaces (AWS EUC) infrastructure the remote support agents (1) run the Windows Remote Assistance tool which, via direct network connectivity (2) can list, connect and control the AppStream 2.0 or WorkSpaces sessions (3) of the end users (4).
The remote support agents can also be running their own WorkSpaces or AppStream 2.0 session to support the end user(s).
The end users are prompted that a remote support agent is attempting to access and the user has control to enable remote view or allow keyboard and mouse control of their AWS EUC session.
In order for remote assistance to be successful:
- Windows Remote Assistance feature must be enabled on the remote support agents endpoint and on the end users AWS EUC session(s).
- The remote support agent must be a member of an Active Directory security group that gives the agent rights to start a remote assistance session.
- The remote support agent must be able to connect directly to the IP address of the end users AWS EUC session(s).
- The end user must still approve the view and control access requests.
Walkthrough
The following overview details the steps to successfully find and start an Amazon WorkSpaces or Amazon AppStream 2.0 remote assistance session.
Prerequisites
For this guide you should have the following prerequisites:
- An AWS Account.
- The remote support agent must be a member of an Active Directory security group that gives the agent rights to start a remote assistance session.
- The remote support agents endpoint must have internet access to connect to the requisite APIs
- An Active Directory (AD) Group Policy Object (GPO) that remotely enables the Windows Remote Assistance feature across your Windows based AWS EUC infrastructure:
- This example PowerShell script enables Windows Remote Assistance via PowerShell: https://aws-desktopandapplicationstreaming-blog.s3.amazonaws.com/Artifacts/eucblog-144/aws-euc-winra-install.ps1
- A VPC security group that allows the remote support agents to directly communicate with the Amazon WorkSpaces or AppStream 2.0 infrastructure to be remotely assisted.
- AWS IAM access using one of the following:
- An IAM user with CLI access
- This can be a directly attached policy, attached based on group membership, or be a role assumption.
- Federated / Single Sign-On CLI access (AWS SSO or any 3rd party supporting temporary CLI credentials).
- An AppStream 2.0 instance with an IAM Role attached.
- An IAM user with CLI access
- A local copy of our example PowerShell script on the remote support agents Windows endpoint:
- This example PowerShell script enables the remote support agents to easily discover all AWS EUC sessions and, once a session is selected, will start Windows Remote Assistance automatically: https://aws-desktopandapplicationstreaming-blog.s3.amazonaws.com/Artifacts/eucblog-144/aws-euc-winra.ps1
- The Remote Support agents endpoint must be able to route to the AWS EUC instances.
- The Remote Support agents endpoint must have the AWS Tools for PowerShell installed.
Step by Step
Step 1. Create your GPO for Windows Remote Assistance Feature Installation
- On an Active Directory domain joined Windows device where the Remote Server Administration Tools (RSAT) for Windows are installed, connect as a user that has rights to create and link Group Policies.
- Open Active Directory Group Policy Management (gpmc.msc).
- Edit a new GPO and browse to Computer Configuration > Policies > Windows Settings > Scripts (Startup) > PowerShell Scripts Tab.
- Download our example PowerShell script onto your device and insert this script into the GPO as a Computer Startup PowerShell script: https://aws-desktopandapplicationstreaming-blog.s3.amazonaws.com/Artifacts/eucblog-144/aws-euc-winra-install.ps1
- Save the GPO configuration.
- Link the new GPO to an AD Organizational Unit (OU) that contains your AppStream 2.0 and Amazon WorkSpaces instances as well as any OU that contains your remote support agents computer objects
- As this is a computer startup script any computers where this new GPO applies will need to be rebooted for the script to run.
Step 2. Create your GPO to Authorize Access To Windows Remote Assistance
Security Note: In this step you will assign the ability to use Windows Remote Assistance to any user who is a member of a specific AD group. These users will have ability to send a remote assistance request to any of the computer objects that this policy applies to (provided these computers also meet all prerequisites in this article). Before implementation you should consult your internal company policy for allowing remote access to limit social engineering. If your organization has no policy, it should be made clear to the end user(s) from whom they accept assistance and to the remote support agents whom they can offer access.
- On an Active Directory domain joined Windows device where the RSAT for Windows are installed, connect as a user that has rights to create and link Group Policies.
- Open Active Directory Group Policy Management (gpmc.msc):
- Edit the existing GPO you created in the previous steps, or create a new GPO, and browse to Computer Configuration > Policies > Administrative Templates > System > Remote Assistance > Configure Offer Remote Assistance.
- Enable Configure Offer Remote Assistance and Ensure Permit remote control of this computer is set to: ‘Allow helpers to remotely control the computer’.
- Select ‘Show’.
- Add only the AD users and groups that should have permission to remotely control your instance. In our following example we have added an AD group called ‘eucdomain\aws-euc-remoteassistance-admins’.
- Select OK and save the GPO change
- Link the GPO to an AD OU that contains your AppStream 2.0 and Amazon WorkSpaces instances.
Note: End Users will still be prompted once to allow remote view and another time to allow remote control. These changes will apply to all machines listed in the linked OUs.
Step 3. VPC Security Group Creation
For details on how to add or modify security groups for new or existing WorkSpaces see our Security groups for your WorkSpaces documentation or for Amazon AppStream 2.0 see Security Groups in Amazon AppStream 2.0
- Open the VPC Management Console
- In the left hand pane select > SECURITY > security groups.
- Select ‘create security group’.
- Ensure you create this security group in the correct VPC where your AWS EUC Infrastructure is located.
- Allow inbound traffic from your remote support agents endpoints to your WorkSpaces and/or AppStream 2.0 instances via the following ports only:
- DCOM TCP Port 135
- Ephemeral TCP 49152 – 65535
- Ensure the source IP range explicitly allows the previous list of ports from the remote supporting agents source IP ranges. For example if the remote support agents endpoints are connected to a 192.168.0.0/24 network then your source would be 192.168.0.0/24
Note: The Windows dynamic ports range can be reduced in scope if desired: see The default dynamic port range for TCP/IP has changed since Windows Vista and in Windows Server 2008
Step 4. IAM Policy Creation
Now we will describe how to create the IAM role.
- Open the AWS IAM Console
- In the left hand pane select > Access Management > Policies.
- Select Create Policy.
- Choose ‘JSON’.
- Paste the following JSON:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "appstream:DescribeStacks", "appstream:ListAssociatedFleets", "appstream:DescribeSessions", "workspaces:DescribeWorkspaces", "workspaces:DescribeWorkspacesConnectionStatus" ], "Resource": "*" } ] }
- Choose Next: Tags.
- Choose Next: Review
- Give the policy an appropriate policy name and select Create Policy.
- Attach this new IAM policy to a user or specific role in AWS so when remote support agents run the script they have the appropriate permission to obtain the WorkSpaces and AppStream 2.0 instances and session details.
Step 5. Download the Script for the Remote Support Agents
This section describes how the remote support agents will download their PowerShell script to automate the session selection for Windows Remote Assistance,
Note: Depending on your security settings your PowerShell execution policy may need to be adjusted so the end users can run the script.
- Download a local copy of our example PowerShell script on each remote support agents endpoint to automate Windows Remote Assistance: https://aws-desktopandapplicationstreaming-blog.s3.amazonaws.com/Artifacts/eucblog-144/aws-euc-winra.ps1
- Select the PowerShell script and in the context menu choose ‘Run With PowerShell’.
- Type in a full or partial match username to discover if they have any WorkSpaces or AppStream 2.0 sessions:
- Choose the corresponding SessionID to start a remote assist session and press enter or alternatively use the keyboard combination of Control and C to quit.
- The end user will be prompted to accept the remote assistance session.
- The remote support agent can now request control.
- Repeat these steps for each Windows Remote Assist session.
Note: If some of the column data is truncated simply maximise the PowerShell window.
Conclusion
Whether you are already using AWS EUC services or if you are just starting your EUC in the cloud journey, as you have seen from this guide, you can leverage the built in Windows Remote Assistance technology to help your end users on Amazon WorkSpaces or AppStream 2.0 sessions without the need for additional expenses or 3rd party software.
Check out Amazon WorkSpaces and Amazon AppStream 2.0 services today to get started.