How do I troubleshoot a Windows WorkSpace that is marked as unhealthy?

Last updated: 2020-11-23

My Amazon WorkSpaces Windows WorkSpace is marked as unhealthy. How can I fix this?

Short description

The Amazon WorkSpaces service periodically checks the health of a WorkSpace by sending it a status request. The WorkSpace is marked as unhealthy if a response isn’t received from the WorkSpace in a timely manner. Common causes for this problem are:

  • An application on the WorkSpace is blocking network connection between the Amazon WorkSpaces service and the WorkSpace.
  • High CPU utilization on the WorkSpace.
  • The computer name of the Workspace changed.
  • The agent or service that responds to the Amazon WorkSpaces service isn't in the running state.


Try the following troubleshooting steps to return the WorkSpace to a healthy state:

First, reboot the WorkSpace from the Amazon WorkSpaces console.

Then, if rebooting the WorkSpace doesn't resolve the issue, connect to the WorkSpace using Remote Desktop Connection (RDP).

If the WorkSpace is unreachable by RDP, follow these steps:

  1. Restore the WorkSpace to roll back to the last known good snapshot.
  2. If the WorkSpace is still unhealthy, rebuild the WorkSpace.

If you can connect to your WorkSpace, verify the following:

Verify CPU utilization

Open Task Manager to determine if the WorkSpace is experiencing high CPU utilization. If it is, try any of the following troubleshooting steps to resolve the issue:

  • Stop any service that is consuming high CPU.
  • Resize the WorkSpace to a compute type greater than what is currently used.
  • Reboot the WorkSpace.

Note: To diagnose high CPU utilization, see How do I diagnose high CPU utilization on my EC2 Windows instance when my CPU is not being throttled?

Verify the WorkSpace's computer name

If you changed the computer name of the WorkSpace, change it back to the original name.

  1. Open the Amazon WorkSpaces console, and then expand the unhealthy WorkSpace to show details.
  2. Copy the Computer Name.
  3. Connect to the WorkSpace using RDP.
  4. Open a command prompt, and then enter hostname to view the current computer name.
    If the name matches the Computer Name from step 2, skip to the next troubleshooting section.
    If the names don’t match, enter sysdm.cpl to open system properties, and then follow the remaining steps in this section.
  5. Choose Change, and then paste the Computer Name from step 2.
  6. Enter your domain user credentials if prompted.

Confirm that WorkSpaces services are running and responsive

If WorkSpaces services are stopped or hindered by endpoint protection software, the WorkSpace is considered unhealthy. Follow these steps:

  1. From Services, verify that the following WorkSpace services are in a running state. If either service isn't running, start the service. Both services must be in running state with the start type set to Automatic.
    PCoIP Standard Agent for Windows
  2. Verify that any endpoint protection software (for example, antivirus or anti-malware) explicitly allows the WorkSpaces service components.
  3. If Web Access is enabled for the WorkSpace, verify that the STXHD Hosted Application Service is in running state and with Automatic start type. A WorkSpace is marked as unhealthy if Web Access is enabled and there is an issue with the service.
    Note: If Web Access is enabled but not used, update the Amazon WorkSpaces directory details to disable Web Access.

Verify firewall rules

Important: The firewall must allow listed traffic on the management network interface.

Confirm that Windows Firewall and any third-party firewall that is running have rules to allow the following ports:

  • Inbound TCP on port 4172: Establish the streaming connection.
  • Inbound UDP on port 4172: Stream user input.
  • Inbound TCP on port 8200: Manage and configure the WorkSpace.
  • Outbound UDP on port 55002: PCoIP streaming.

If your firewall uses stateless filtering, then open ephemeral ports 49152-65535 to allow return communication.

If your firewall uses stateful filtering, then ephemeral port 55002 is already open.