How do I troubleshoot a Windows WorkSpace that's marked as unhealthy?
Last updated: 2022-10-12
My Amazon WorkSpaces Windows WorkSpace is marked as unhealthy. How can I fix this?
The WorkSpaces service periodically checks the health of a WorkSpace by sending the WorkSpace a status request. A WorkSpace is marked as unhealthy if the WorkSpaces service doesn't receive a response in a timely manner.
Common causes for this issue are:
- An application on the WorkSpace is blocking the network connection between the WorkSpaces service and the WorkSpace.
- High CPU usage on the WorkSpace.
- The agent or service that responds to the WorkSpaces service isn't running.
- The computer name of the WorkSpace changed.
- The WorkSpaces service is in a stopped state or is blocked by antivirus software.
Try the following troubleshooting steps to return the WorkSpace to a healthy state:
Reboot the WorkSpace
If rebooting the WorkSpace doesn't resolve the issue, connect to the WorkSpace by using a Remote Desktop Protocol (RDP) client.
If the WorkSpace is unreachable by using the RDP client, follow these steps:
- Restore the WorkSpace to roll back to the last known good snapshot.
- If the WorkSpace is still unhealthy, rebuild the WorkSpace.
If you can connect to your WorkSpace using RDP, then verify the following to fix the issue:
Verify CPU usage
Open the Windows Task Manager to determine if the WorkSpace is experiencing high CPU usage. If it is, try any of the following troubleshooting steps to resolve the issue:
- Stop any service that's consuming high CPU.
- Resize the WorkSpace to a compute type that's greater than what is currently used.
- Reboot the WorkSpace.
Note: To diagnose high CPU usage, see How do I diagnose high CPU utilization on my EC2 Windows instance when my CPU is not being throttled?
Verify the WorkSpace's computer name
If you changed the computer name of the WorkSpace, change it back to the original name:
1. Open the WorkSpaces console, and then expand the unhealthy WorkSpace to show details.
2. Copy the Computer Name.
3. Connect to the WorkSpace using RDP.
4. Open a command prompt, and then enter hostname to view the current computer name.
   If the name matches the Computer Name from step 2, skip to the next troubleshooting section.
   If the names don't match, enter sysdm.cpl to open system properties. Then, follow the remaining steps in this section.
5. Choose Change, and then paste the Computer Name from step 2.
6. If prompted, enter your domain user credentials.
Confirm that the WorkSpaces services are running and responsive
If WorkSpaces services are stopped or aren't running, then the WorkSpace is unhealthy. Follow these steps:
- From Services, verify that the WorkSpaces services named SkyLightWorkspacesConfigService, WSP Agent (for the WorkSpaces Streaming Protocol [WSP] WorkSpaces), and PCoIP Standard Agent for Windows are running. Be sure that the start type for both services is set to Automatic. If any of the three services aren't running, start the service.
- Verify that any endpoint protection software, such as antivirus or anti-malware software, explicitly allows the WorkSpaces service components.
- If the status of the three services is Running, then the services might be blocked by antivirus software. To fix this, set up an allow list for the locations where the service components are installed. For more information, see Required configuration and service components for WorkSpaces.
- If WorkSpaces Web Access is turned on for the WorkSpace, verify that the STXHD Hosted Application Service is running. Make sure that the start type is set to Automatic.
- Verify that your management adapter isn't blocked by any application or VPN. Then, ensure that proper connectivity is in place.
Note: If WorkSpaces Web Access is turned on but not in use, update the WorkSpaces directory details to turn off WorkSpaces Web Access. The STXHD Agent can cause an unhealthy WorkSpace.
Verify firewall rules
Important: The firewall must allow the traffic listed below on the management network interface.
Confirm that Windows Firewall and any third-party firewall that's running have rules to allow the following ports:
- Inbound TCP on port 4172: Establish the streaming connection.
- Inbound UDP on port 4172: Stream user input.
- Inbound TCP on port 8200: Manage and configure the WorkSpace.
- Inbound TCP on ports 8201–8250: Establish the streaming connection and stream user input on WSP.
- Outbound UDP on ports 50002 and 55002: Video streaming.
If your firewall uses stateless filtering, then open ephemeral ports 49152–65535 to allow for return communication.
If your firewall uses stateful filtering, then ephemeral port 55002 is already open.
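The service and inbound firewall checks above can be run as one read-only pass. This PowerShell script is an added example, not part of the original article. It assumes the names given in the article match each service's service name or display name, and it inspects Windows Firewall allow rules only (not block rules, third-party firewalls, or the outbound UDP ports).

```powershell
# Added example: read-only audit of the services and inbound ports named in this article.
# Run in an elevated PowerShell session on the WorkSpace. Assumption: each name below is a
# service name or display name; which ones exist depends on protocol and Web Access.
$serviceNames = 'SkyLightWorkspacesConfigService', 'WSP Agent',
                'PCoIP Standard Agent for Windows', 'STXHD Hosted Application Service'

# Inbound ports from the "Verify firewall rules" list.
$required = @(
    @{ Protocol = 'TCP'; First = 4172; Last = 4172 },
    @{ Protocol = 'UDP'; First = 4172; Last = 4172 },
    @{ Protocol = 'TCP'; First = 8200; Last = 8200 },
    @{ Protocol = 'TCP'; First = 8201; Last = 8250 }
)

# True when one LocalPort entry ('Any', '4172', '8201-8250', ...) spans First..Last.
# A range that is split across several rules is reported as not covered.
function Test-PortCovered($LocalPort, [int]$First, [int]$Last) {
    foreach ($entry in @($LocalPort)) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)(?:-(\d+))?$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            if ($lo -le $First -and $hi -ge $Last) { return $true }
        }
    }
    return $false
}

$services = Get-CimInstance -ClassName Win32_Service
$report = foreach ($name in $serviceNames) {
    $svc = $services | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
    [pscustomobject]@{
        Check  = "Service: $name"
        Result = if ($svc) { "$($svc.State), start mode $($svc.StartMode)" } else { 'Not found' }
    }
}
# Enabled inbound allow rules in Windows Firewall only.
$filters = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter
$report += foreach ($r in $required) {
    $hit = $filters | Where-Object {
        ($_.Protocol -in $r.Protocol, 'Any') -and
        (Test-PortCovered $_.LocalPort $r.First $r.Last)
    }
    [pscustomobject]@{
        Check  = "Inbound $($r.Protocol) $($r.First)-$($r.Last)"
        Result = if ($hit) { 'Allow rule present' } else { 'No matching allow rule' }
    }
}
$report | Format-Table -AutoSize
```

A service reported as "Not found" is expected when it belongs to the protocol or feature that the WorkSpace doesn't use. A start mode of Auto corresponds to the Automatic start type shown in Services.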