How do I troubleshoot a Windows WorkSpace that's marked as unhealthy?

Last updated: 2022-07-19

My Amazon WorkSpaces Windows WorkSpace is marked as unhealthy. How can I fix this?

Short description

The WorkSpaces service periodically checks the health of a WorkSpace by sending the WorkSpace a status request. A WorkSpace is marked as unhealthy if the WorkSpaces service doesn't receive a response in a timely manner.

Common causes for this issue are:

  • An application on the WorkSpace is blocking the network connection between the WorkSpaces service and the WorkSpace.
  • High CPU usage on the WorkSpace.
  • The agent or service that responds to the WorkSpaces service isn't running.
  • The computer name of the WorkSpace changed.

Resolution

Try the following troubleshooting steps to return the WorkSpace to a healthy state:

First, reboot the WorkSpace from the WorkSpaces console.

If rebooting the WorkSpace doesn't resolve the issue, connect to the WorkSpace by using a Remote Desktop Protocol (RDP) client.

If the WorkSpace is unreachable by using the RDP client, follow these steps:

  1. Restore the WorkSpace to roll back to the last known good snapshot.
  2. If the WorkSpace is still unhealthy, rebuild the WorkSpace.

If you can connect to your WorkSpace, then verify the following:

Verify CPU usage

Open the Windows Task Manager to determine if the WorkSpace is experiencing high CPU usage. If it is, try any of the following troubleshooting steps to resolve the issue:

  • Stop any service that's consuming high CPU.
  • Resize the WorkSpace to a compute type that's greater than what is currently used.
  • Reboot the WorkSpace.

Note: To diagnose high CPU usage, see How do I diagnose high CPU utilization on my EC2 Windows instance when my CPU is not being throttled?

Verify the WorkSpace's computer name

If you changed the computer name of the WorkSpace, change it back to the original name.

  1. Open the WorkSpaces console, and then expand the unhealthy WorkSpace to show details.
  2. Copy the Computer Name.
  3. Connect to the WorkSpace using RDP.
  4. Open a command prompt, and then enter hostname to view the current computer name.
    If the name matches the Computer Name from step 2, skip to the next troubleshooting section.
    If the names don’t match, enter sysdm.cpl to open system properties. Then, follow the remaining steps in this section.
  5. Choose Change, and then paste the Computer Name from step 2.
  6. If prompted, enter your domain user credentials.

Confirm that the WorkSpace services are running and responsive

If WorkSpace services are stopped or aren't running, then the WorkSpace is unhealthy. Follow these steps:

  1. From Services, verify that the WorkSpace services named SkyLightWorkspacesConfigService, WSP Agent (for the WorkSpaces Streaming Protocol [WSP] WorkSpaces), and PCoIP Standard Agent for Windows are running. Be sure that the start type for these services is set to Automatic. If any of the three services isn't running, start the service.
  2. Verify that any endpoint protection software, such as antivirus or anti-malware software, explicitly allows the WorkSpaces service components.
  3. If WorkSpaces Web Access is turned on for the WorkSpace, verify that the STXHD Hosted Application Service is running. Make sure that the start type is set to Automatic.

Note: If WorkSpaces Web Access is turned on but not in use, then update the WorkSpaces directory details to turn off WorkSpaces Web Access.

Verify firewall rules

Important: The firewall must allow listed traffic on the management network interface.

Confirm that Windows Firewall and any third-party firewall that's running have rules to allow the following ports:

  • Inbound TCP on port 4172: Establish the streaming connection.
  • Inbound UDP on port 4172: Stream user input.
  • Inbound TCP on port 8200: Manage and configure the WorkSpace.
  • Inbound TCP on ports 8201–8250: Establish the streaming connection and stream user input on WSP.
  • Outbound UDP on ports 50002 and 55002: Video streaming.

If your firewall uses stateless filtering, then open ephemeral ports 49152–65535 to allow for return communication.

If your firewall uses stateful filtering, then ephemeral port 55002 is already open.
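
The inbound port check above can be scripted for Windows Firewall. The following PowerShell is an added example, not code from AWS or from the original article; the function name ConvertTo-PortRange and the $required table are constructed for illustration. It assumes an elevated PowerShell session, treats a port as covered only when a single rule's port range contains it, and does not evaluate rule scoping (profile, interface, remote address, program) or third-party firewalls.

```powershell
# Added example (not AWS code): check enabled inbound Allow rules in Windows
# Firewall against the inbound ports listed on this page.
$required = @(
    @{ Protocol = 'TCP'; First = 4172; Last = 4172; Purpose = 'Establish the streaming connection' }
    @{ Protocol = 'UDP'; First = 4172; Last = 4172; Purpose = 'Stream user input' }
    @{ Protocol = 'TCP'; First = 8200; Last = 8200; Purpose = 'Manage and configure the WorkSpace' }
    @{ Protocol = 'TCP'; First = 8201; Last = 8250; Purpose = 'Streaming and user input on WSP' }
)

# Turn a LocalPort value ('Any', '4172', '8201-8250', or an array of these) into ranges.
function ConvertTo-PortRange {
    param($LocalPort)
    foreach ($entry in @($LocalPort)) {
        if ($entry -eq 'Any') { [pscustomobject]@{ First = 0; Last = 65535 } }
        elseif ($entry -match '^(\d+)-(\d+)$') { [pscustomobject]@{ First = [int]$Matches[1]; Last = [int]$Matches[2] } }
        elseif ($entry -match '^\d+$') { [pscustomobject]@{ First = [int]$entry; Last = [int]$entry } }
        # Keyword values (for example 'RPC') are skipped; they do not name fixed ports.
    }
}

# ActiveStore is the effective policy: local rules plus rules delivered by Group Policy.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True
$allowed = foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallPortFilter
    foreach ($range in ConvertTo-PortRange $filter.LocalPort) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Protocol = "$($filter.Protocol)"; First = $range.First; Last = $range.Last }
    }
}

# Report, per required port or range, whether some rule admits it and which rules do.
foreach ($need in $required) {
    $hits = @($allowed | Where-Object {
        ($_.Protocol -eq $need.Protocol -or $_.Protocol -eq 'Any') -and
        $_.First -le $need.First -and $_.Last -ge $need.Last
    })
    [pscustomobject]@{
        Protocol = $need.Protocol
        Ports    = if ($need.First -eq $need.Last) { "$($need.First)" } else { "$($need.First)-$($need.Last)" }
        Purpose  = $need.Purpose
        Covered  = $hits.Count -gt 0
        Rules    = ($hits.Rule | Select-Object -Unique) -join '; '
    }
}
```

A row with Covered set to False means that no single enabled Windows Firewall Allow rule admits that port or range. A row with Covered set to True still needs its listed rules reviewed to confirm that they apply on the management network interface.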