Desktop and Application Streaming
Improve performance and security by blocking ads on Windows Amazon WorkSpaces
Web browsing is typically a source of significant resource usage, which results in slower systems for end users. This drives costs upwards, as compute resources are increased to meet this demand.
This blog post will demonstrate how to use Group Policy with Windows editions of Amazon WorkSpaces. You will deploy uBlock Origin to three major web browsers: Mozilla Firefox, Google Chrome, and Microsoft Edge. The default filters for uBlock Origin block a wide variety of advertisement, malware, and annoyance domains from loading. This reduces your web browser’s resource requirements, freeing up system resource usage for your line of business applications.
In addition to reducing system resource consumption, this also boosts security for your organization. On December 21, 2022, the FBI recommended taking steps to block advertisements (ads) for security reasons, due to brand impersonation in search result ads.
Security Considerations
Before deploying this extension, validate that your organization is comfortable with the required permissions for the extension to function.
If your organization requires an alternative with reduced permissions, consider uBlock Origin Lite. This is a new variant of uBlock Origin from the same developers. It uses the Manifest V3 framework for reduced permissions. The uBlock Origin Lite GitHub contains an FAQ with more information on the differences.
The steps in this guide are intended for uBlock Origin, but can be adapted to use uBlock Origin Lite instead. To do so, substitute uBlock Origin Lite’s extension ID in the provided Group Policy JSON example blocks.
• uBlock Origin Lite Chrome ID: ddkjiahejlhfcafbddmgiahcphecmpfh
• uBlock Origin Lite Firefox ID: uBOLite@raymondhill.net
Walkthrough
In this article, you complete the following tasks:
- Download the Group Policy template files for each browser you intend to push policies for.
- Add these policies to your domain’s
SYSVOL
folder, orC:\Windows\PolicyDefinitions
on the computer you will use the Group Policy remote administration tools on. - Create a Group Policy Object (GPO), and link it to the OU your WorkSpaces directory is configured to use.
- Validate the OU configuration for your WorkSpaces by navigating to the Directories subsection of the WorkSpaces console, selecting your directory, and choosing “Update Details.” The OU configuration is on the resulting page.
- Edit this new policy and apply a setting which enforces the uBlock Origin extension for each browser you intend to push policies for.
- Launch a browser and validate that the policies have applied successfully.
Prerequisites
For this walkthrough, you should have the following prerequisites:
- An AWS account
- An existing deployment of Amazon WorkSpaces, as well as familiarity with which Active Directory OU or OUs your deployment(s) utilize.
- The steps in this article only apply to Windows based instances.
- An existing Active Directory deployment.
- Permissions to import new Group Policy templates into Active Directory
- Permissions to create and deploy Group Policies in Active Directory
- Access to a domain joined computer with the Active Directory Remote Server Administration Tools installed. This computer will be referred to as your “management endpoint” in the steps going forward.
- General knowledge of Active Directory administration
Download the browser Group Policy templates
In this section, you will download the Group Policy templates for each browser you intend to manage. If you have these templates in place, you can skip this section.
- On your management endpoint, download the latest Group Policy templates for each browser you intend to administer.
- Mozilla Firefox: https://github.com/mozilla/policy-templates/releases
- Each update post will have a zip file with the templates, with a name syntax such as
policy_templates_v5.7.zip
.
- Each update post will have a zip file with the templates, with a name syntax such as
- Google Chrome: https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
- Microsoft Edge: https://aka.ms/EdgeEnterprise
- Under “download the latest”, look for the Windows 64-bit section, and the “Download Windows 64-bit Policy” link.
- Mozilla Firefox: https://github.com/mozilla/policy-templates/releases
Install the Mozilla Firefox templates
- Extract the Mozilla Firefox policy definitions .zip file. Navigate to the windows folder.
- The windows folder will contain
firefox.admx
and multiple language folders such asen-US
. Each language folder will include a matchingfirefox.adml
file. - Open a separate Windows Explorer window, and navigate to
\\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions
, where ad.example.com corresponds to your Active Directory Fully Qualified Domain Name.- Copy
firefox.admx
from your extracted folder into the root of the PolicyDefinitions folder. - For each language you need require, copy the matching
firefox.adml
from within its folder, to the corresponding language folder withinPolicyDefinitions
.
- Copy
Install the Google Chrome templates
- Extract the Google Chrome
policy_templates.zip
file. It will contain three folders,chromeos
,mac
andwindows
. Navigate to thewindows
folder. - The windows folder will contain three subfolders,
adm
,admx
, andexamples
. Navigate toadmx
. - The
admx
folder will containchrome.admx
and multiple language folders such asen-US
. Each language folder will include a matchingchrome.adml
file. - Open a separate Windows Explorer window, and navigate to
\\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions
, wheread.example.com
corresponds to your Active Directory Fully Qualified Domain Name. - Copy
chrome.admx
from your extracted folder into the root of thePolicyDefinitions
folder. - For each language you require, copy the matching
chrome.adml
from within its folder, to the corresponding language folder withinPolicyDefinitions
.
Install the Microsoft Edge templates
The Microsoft Edge templates are packaged in a cab file which contains a zip file.
- Open the cab file named
MicrosoftEdgePolicyTemplates.cab
, which will containMicrosoftEdgePolicyTemplates.zip
. - Open the zip file. Windows will prompt you for a folder to place the zip file into.
- Navigate to the folder you selected, and extract the zip file.
- The extracted folder will contain four subfolders,
examples
,html
,mac
, andwindows
. Navigate towindows
. - Within the
windows
folder, choose theadmx
folder. - The
admx
folder will containmsedge.admx
and multiple language folders such asen-US
. Each language folder will include a matchingmsedge.adml
file. - Open a separate Windows Explorer window, and navigate to
\\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions
, wheread.example.com
corresponds to your Active Directory Fully Qualified Domain Name. - Copy
msadge.admx
from your extracted folder into the root of thePolicyDefinitions
folder. - For each language you require, copy the matching
msedge.adml
from within its folder, to the corresponding language folder withinPolicyDefinitions
.
Create a Firefox Group Policy
Now you will create the GPO which enforces uBlock Origin installation on Mozilla Firefox.
- On your management endpoint, open
gpmc.msc
. - Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
- If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
- Alternate select the additional OU
- Select “Link an Existing GPO…”
- Select the policy.
- If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
- Select your newly created policy and choose “Edit…”
- Under “Computer Configuration”, expand Policies, Administrative Templates, Mozilla, Firefox, and then select Extensions.
- Under Extensions, select “Extensions Management”.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” choose “Show…”
- In the resulting panel window, paste the JSON from the following code block.
- Select “OK” in the “Show Contents” window, and then select OK in the “Extensions to Install” window.
{
"uBlock0@raymondhill.net": {
"installation_mode": "force_installed",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
"default_area": "navbar"
}
}
The example format will install uBlock Origin, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This enables users to disable filtering on individual websites if they suspect it might be causing an issue.
If you wish to install uBlock Origin Lite instead, replace uBlock0@raymondhill.net
with uBOLite@raymondhill.net
in the JSON block.
Create a Google Chrome Group Policy
Now you will create the GPO which enforces uBlock Origin installation on Google Chrome.
- On your management endpoint, open
gpmc.msc
. - Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
- If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
- Alternate select the additional OU.
- Select “Link an Existing GPO…”
- Select the policy.
- If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
- Select your newly created Group Policy and choose “Edit…”.
- Under “Computer Configuration”, expand Policies, Administrative Templates, Google, Google Chrome, and then select Extensions.
- Under Extensions, select “Extension management settings” to open the extended configuration menu.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
- The complete block is provided next, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
- Select “OK” in the “Show Contents” window, and then select OK in the “Extension management settings” window. The policy is now saved.
Here is the example install JSON as one line, ready to be pasted into the configuration:
{ "cjpalhdlnbpafiamejdnhcphjbkeiagm": { "toolbar_pin": "force_pinned", "installation_mode": "force_installed", "update_url": "https://clients2.google.com/service/update2/crx" } }
Here is the example install JSON in block format:
{
"cjpalhdlnbpafiamejdnhcphjbkeiagm": {
"toolbar_pin": "force_pinned",
"installation_mode": "force_installed",
"update_url": "https://clients2.google.com/service/update2/crx"
}
}
The example format will install uBlock Origin, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This allows users to disable filtering on individual websites if they suspect it might be causing an issue.
Create a Microsoft Edge Group Policy
Now you will create the group policy which enforces uBlock Origin installation on Microsoft Edge.
- On your management endpoint, open
gpmc.msc
. - Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
- If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
- Alternate select the additional OU.
- Select “Link an Existing GPO…”
- Select the policy.
- If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
- Select your newly created Group Policy and choose “Edit…”
- Under “Computer Configuration”, expand Policies, Administrative Templates, Microsoft Edge, and then select Extensions.
- Under Extensions, select “Configure extension management settings”.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
- The full block is provided, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
- Select “OK” in the “Extension management settings” window. The policy is now saved.
Here is the example install JSON as one line, ready to be pasted into the configuration:
{"odfafepnkmbhccpbejgmiehpchacaeak":{"toolbar_state":"force_shown","installation_mode":"force_installed","update_url":"https://edge.microsoft.com/extensionwebstorebase/v1/crx"}}
Here is the example install JSON in block format:
{
"odfafepnkmbhccpbejgmiehpchacaeak": {
"toolbar_state": "force_shown",
"installation_mode": "force_installed",
"update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx"
}
}
The example format will install uBlock Origin, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This enables users to disable filtering on individual websites if they suspect it might be causing an issue.
Testing
You may now close the Group Policy Editor and test the policy. Note that while the policy should replicate quickly, every Active Directory environment is different. If the Group Policy Object was created on a domain controller in a different Site, there might be a replication delay. This will vary depending on the size and configuration of your Active Directory setup.
To test the policy:
- Log into a WorkSpaces instance whose Computer Object is in the OU linked to the Group Policy object you created.
- Open a PowerShell or Command Prompt window with administrative rights
- Run the following command:
gpupdate /force
Chrome and Edge will apply the new policy immediately, even if they were open when the policy was being updated. uBlock Origin will install and be visible in the list of extensions, and will be pinned to the right of the navigation URL bar.
However, if Firefox was running when the policy was updated, it will need to be restarted for the policy to take effect. If you need to ensure the policy is applied right away, you can Reboot your WorkSpaces. After the policy applied, you will see uBlock Origin the list of extensions, and it will be pinned to the right of the navigation bar.
If you do not see uBlock Origin, you can use gpresult /r /scope:computer
in an administrator PowerShell or Command Prompt window. This will confirm if the WorkSpaces instance is receiving the intended group policy configuration.
Additionally, each browser has an internal URL where you can validate the policies it is receiving. They are:
Google Chrome:
chrome://policies
chrome://extensions
Microsoft Edge:
edge://policies
edge://extensions
Mozilla Firefox:
about://policies
about://addons
Rollback
If you would like to roll back the changes at any point, you can do so with the following procedure.
For Chrome and Edge, the only action required is either disabling or deleting the Group Policy object which installs the extension.
You can disable a Group Policy by disabling the link between the Group Policy Object and the OU that your computer objects are in. The next time Windows updates group policy, the extension will be removed automatically.
For Firefox, disabling or deleting the Group Policy will not uninstall the extension. In order to uninstall the extension, you will need to alter the Group Policy object to uninstall the extension instead of installing it.
- In the Group Policy Management Editor, edit your Firefox policy. Navigate to Computer Configuration > Policies > Administrative Templates > Mozilla > Firefox > Extensions.
- Open the “Extensions Management” setting.
- In the resulting window, under “Options”, you’ll see the JSON which configures the extension installation.
- In the JSON block, the value for
installation_mode
will be set to eitherforce_installed
ornormal_installed
. Change this value toblocked
as shown in the following code block. This will remove the extension and prevent it from being reinstalled.- If you would like to leave it as an option for end users, you can also use
allowed
instead ofblocked
. This will not remove the extension, and users will be allowed to add it.
- If you would like to leave it as an option for end users, you can also use
- Close out of the settings for the Group Policy.
{
"uBlock0@raymondhill.net": {
"installation_mode": "blocked",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
"default_area": "navbar"
}
}
Windows updates group policy every 90 minutes with a randomized offset of up to 30 minutes by default. You can also update immediately with gpupdate /force
. Chrome and Edge will immediately update with the changes from Group Policy with no need for the user to restart their browser. Firefox will not apply the settings until the next time the browser is restarted.
To complete the rollback, remove any admx
and adml
template files which were added to your domain’s SYSVOL
folder.
Conclusion
In this post, you imported Group Policy templates for managing Microsoft Edge, Google Chrome, and Mozilla Firefox. You deployed Group Policy Objects for those browsers. These ensure the uBlock Origin extension is installed automatically for your Windows WorkSpaces on those web browsers.
The uBlock Origin extension will be visible in the extensions toolbar of your browser. When selected, the extension offers additional controls, such as the ability to allowlist a website with no adblocking. There is a useful reference guide for that functionality available here. There is additional reading on the administrative configurations available here.
With uBlock Origin deployed, end users browsing the internet will see a decrease in CPU/RAM usage from the web browser on many websites. The reduction in resource usage can be attributed to blocking the loading of unnecessary web elements, freeing system resources for usage elsewhere. This also helps increase organizational security by reducing the attack surface for malware.
Dan is a Senior AWS End User Compute Solutions Architect, focusing on helping customers configure and optimize end-user computing solutions. Dan also focuses on EC2, Microsoft, and Linux based workloads. Dan has been at AWS since March 2016, and was a Premium Support escalation engineer and Specialist Technical Account Manager prior to becoming a specialist Solutions Architect. |