# Administer Your Amazon WorkSpaces Applications Images
Available images are listed in the **Image Registry** in the WorkSpaces Applications console, and categorized by visibility as follows:
+ **Public** — Base images that are owned and made available by AWS. Base images include the latest Windows operating system and the WorkSpaces Applications agent software. You can use these base images to create new images that include your own applications. For information about the base images released by AWS, see [WorkSpaces Applications Base Image and Managed Image Update Release Notes](base-image-version-history.md).
+ **Private** — Images that you create and own, and that you have not shared with other AWS accounts.
+ **Shared with others** — Images that you create and own, and that you have shared with one or more AWS accounts in the same AWS Region. When you share an image with another AWS account, you can specify whether the image can be used for an image builder (to create a new image), for a fleet, or both.
+ **Shared with me** — Images that are created and owned by another AWS account in the same AWS Region, and that are shared with your AWS account. Depending on the permissions that the owner provided when sharing the image with your account, you can use this image for image builders, for fleets, or both.
**Topics**
+ [
# Delete a Private Image in Amazon WorkSpaces Applications
](delete-private-image.md)
+ [
# Copy an Image That You Own to Another AWS Region in Amazon WorkSpaces Applications
](copy-image-different-region.md)
+ [
# Share an Image That You Own With Another AWS Account in Amazon WorkSpaces Applications
](share-image-with-another-account.md)
+ [
# Stop Sharing an Image That You Own in Amazon WorkSpaces Applications
](stop-sharing-image-with-all-accounts.md)
+ [
# Keep Your Amazon WorkSpaces Applications Image Up-to-Date
](keep-image-updated.md)
+ [
# Windows Update and Antivirus Software on Amazon WorkSpaces Applications
](windows-update-antivirus-software.md)
+ [
# Programmatically Create a New Image in Amazon WorkSpaces Applications
](create-image-programmatically.md)
+ [
# Manage License Included Applications on Your Image in Amazon WorkSpaces Applications
](license-included-applications.md)
+ [
# Import Image
](import-image.md)
+ [
# Export Image
](export-image.md)
# Delete a Private Image in Amazon WorkSpaces Applications
You can delete your private images when you no longer need them. You can't delete an image that is used by fleets or shared with other AWS accounts. To delete an image that is used by fleets or shared, you must first remove the image from any fleets and remove all image sharing permissions. After you delete an image, you can't recover it.
**To delete a private image**
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the navigation pane, choose **Images**, **Image Registry**.
1. In the image list, select the private image you want to delete.
1. Choose **Actions**, **Delete**, then choose **Delete** again.
The image is removed from the image registry and deleted.
# Copy an Image That You Own to Another AWS Region in Amazon WorkSpaces Applications
**Important**
For Asia Pacific (Malaysia), Europe (Milan), Europe (Spain), and Israel (Tel Aviv) AWS Regions: Cross-region image copying is only supported for images with WorkSpaces Applications agent versions released on/after October 02, 2025, or images using managed updates released on/after September 05, 2025. Older versions are not eligible for copying between regions. Update your images to meet these minimum version requirements to enable cross-region copy functionality.
You can copy images that you own to another AWS Region. Using the same image across different AWS Regions can help simplify global deployments of your applications on WorkSpaces Applications. By deploying your applications in the AWS Regions that are geographically closest to your users, you can help provide your users with a more responsive experience.
**To copy an image that you own to another AWS Region**
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the navigation pane, choose **Images**, **Image Registry**.
1. In the image list, select the image that you want to copy to another AWS Region.
1. Choose **Actions**, **Copy**.
1. In the **Copy image** dialog box, in **Destination region**, select the AWS Region that you want to copy the image to.
1. Type a unique name and optionally, a description for the image in **Destination region**.
1. Choose **Copy Image**.
# Share an Image That You Own With Another AWS Account in Amazon WorkSpaces Applications
WorkSpaces Applications images are a regional resource, so you can share an image that you own with other AWS accounts within the same AWS Region. Doing so can be helpful in several different scenarios. For example, if you separate your development and production resources by using different AWS accounts, you can create an image by using your development account. Then you can share the image with your production account. If your organization is an independent software vendor (ISV), you can share optimized images with your customers. Optimized images that have the required applications already installed and configured let your customers get started with your applications quickly, so that they won't need to install and configure those applications themselves.
When you share an image with another AWS account, you specify whether the destination account can use the image in a fleet or create new images by creating an image builder. You continue to own images that you share. This way, you can add, change, or remove permissions as needed for your shared images.
If you share an image with an account and grant the account fleet permissions, the shared image can be used to create or update fleets in that account. If you remove these permissions later, the account can no longer use the image. For fleets in the account that use the shared image, the desired capacity is set to 0, which prevents new fleet instances from being created. Existing sessions continue until the streaming session ends. For new fleet instances to be created, the fleet in that account must be updated with a valid image.
If you share an image with an account and grant the account image builder permissions, the shared image can be used to create image builders and images in that account. If you remove these permissions later, image builders and images that were created from your image are not affected.
**Important**
After you share an image with an account, you can't control image builders or images in the account that are created from your image. For this reason, grant image builder permissions to an account only if you want to enable the account to make a copy of your image, and retain access to the copy after you stop sharing your image.
**To share an image that you own with another AWS account**
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the navigation pane, choose **Images**, **Image Registry**.
1. In the image list, select the image that you want to share.
1. Choose **Actions**, **Share**.
1. In the **Share image** dialog box, choose **Add account**.
1. Type the 12-digit AWS account ID of the account that you want to share the image with, and then select whether the account can do one or both of the following:
+ Use the image to launch an image builder, if you want to create a new image.
+ Use the image with a fleet.
To remove an account from the list of accounts that the image is shared with, in the row for the account you want to remove, choose the X icon to the right of the **Use for fleet **option.
1. To share the image with more AWS accounts, repeat step 6 for each account that you want to share the image with.
1. Choose **Share Image**.
**To add or update image sharing permissions for an image that you own**
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the navigation pane, choose **Images**, **Image Registry**.
1. In the image list, select the image that you want to change the permissions for.
1. Below the image list, choose the **Permissions** tab for the image you selected, then choose **Edit**.
1. In the **Edit image permissions** dialog box, select or clear one or both of the following image sharing options as needed for one or more AWS accounts. If you clear both options for an account, the image is no longer shared with that account.
+ Use the image to launch an image builder, if you want to create a new image.
+ Use the image with a fleet.
To remove an account from the list of accounts that the image is shared with, in the row for the account you want to remove, choose the X icon to the right of the **Use for fleet **option.
1. To edit image sharing permissions for more AWS accounts, repeat step 5 for each account you want to update permissions for.
1. Choose **Update image sharing permissions**.
# Stop Sharing an Image That You Own in Amazon WorkSpaces Applications
Follow these steps to stop sharing an image that you own with any other AWS account.
**To stop sharing an image that you own with any other AWS account**
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the navigation pane, choose **Images**, **Image Registry**.
1. In the image list, select the image that you want to change the permissions for.
1. Below the image list, choose the **Permissions** tab for the image you selected, then choose **Edit**.
1. In the **Edit image permissions** dialog box, in the row for all AWS accounts that the image is shared with, choose the X icon to the right of the **Use for fleet **option.
1. Choose **Update image sharing permissions**.
# Keep Your Amazon WorkSpaces Applications Image Up-to-Date
You can keep your WorkSpaces Applications image up-to-date by doing either of the following:
+ [Update an Image by Using Managed WorkSpaces Applications Image Updates](keep-image-updated-managed-image-updates.md) – This update method provides the latest operating system updates and driver updates, and the latest WorkSpaces Applications agent software.
+ [Update the WorkSpaces Applications Agent Software by Using Managed WorkSpaces Applications Agent Versions](keep-image-updated-manage-image-versions.md) – This update method provides the latest WorkSpaces Applications agent software.
# Update an Image by Using Managed WorkSpaces Applications Image Updates
WorkSpaces Applications provides an automated way to update your image with the latest operating system updates, license included application updates, driver updates, and WorkSpaces Applications agent software. With managed WorkSpaces Applications image updates, you select the image that you want to update. WorkSpaces Applications creates an image builder in the same AWS account and Region to install the updates and create the new image. After the new image is created, you can test it on a pre-production fleet before updating your production fleets or sharing the image with other AWS accounts.
**Note**
Managed WorkSpaces Applications Image Updates is available for Microsoft Windows Server, Red Hat Enterprise Linux, and Rocky Linux operating systems.
**Note**
After your new image is created, you're responsible for maintaining updates for the operating system. To do so, you can continue using managed WorkSpaces Applications image updates.
You are responsible for maintaining updates for the Amazon EC2 Windows Paravirtual (PV) driver, ENA driver, and AWS NVMe driver. For more information about how to update the drivers, see [Manage device drivers for your EC2 instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-device-drivers.html).
You're also responsible for maintaining your applications and their dependencies. To add other applications, update existing applications, or change image settings, you must start and reconnect to the image builder that you used to create the image. Or, if you deleted that image builder, launch a new image builder that is based on your image. Then, make your changes and create a new image.
## Prerequisites
The following are prerequisites and considerations for working with managed image updates.
+ Make sure that your WorkSpaces Applications account quotas (also referred to as limits) are sufficient to support the creation of a new image builder and a new image. To request a quota increase, you can use the Service Quotas console at [https://console.aws.amazon.com/servicequotas/](https://console.aws.amazon.com/servicequotas/). For information about default WorkSpaces Applications quotas, see [Amazon WorkSpaces Applications Service Quotas](limits.md).
+ You must own the image that you update. You can't update an image that is shared with you.
+ When WorkSpaces Applications creates an image builder to install the latest operating system updates, driver updates, and WorkSpaces Applications agent software, and creates the new image, you're charged for the image builder instance while it's updating.
+ Supported images must be created from a base image released on 2017-07-24T00:00:00Z or later.
+ English and Japanese are supported display languages. For more information, see [Specify a Default Display Language](configure-default-display-language.md).
+ Use the latest version of SSM Agent. For version information, see [WorkSpaces Applications Base Image and Managed Image Update Release Notes](base-image-version-history.md). For installation information, see [Manually install SSM Agent on EC2 instances for Windows Server](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-win.html).
## How to Update an Image by Using Managed WorkSpaces Applications Image Updates
To update an WorkSpaces Applications image with the latest patches, driver updates, and WorkSpaces Applications agent software, perform the following steps.
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the navigation pane, choose **Images**, **Image Registry**.
1. In the image list, choose the image that you want to update. Verify that the status of the image is **Available**.
1. Choose **Actions**, **Update**.
1. In the **Update image** dialog box, do the following:
+ For **New image name**, enter an image name that is unique within the AWS account and Region. The image name can't begin with "Amazon," "AWS," or "AppStream."
+ For **New image display name**, you can optionally enter a name to display for the image.
+ For **New image description**, you can optionally provide a description for the image.
+ For **Tags**, you can choose **Add Tag**, and type the key and value for the tag. To add more tags, repeat this step. For more information, see [Tagging Your Amazon WorkSpaces Applications Resources](tagging-basic.md).
1. Choose **Update image**.
If your current image is already up to date, a message notifies you.
1. In the navigation pane, choose **Images**, and then choose **Image Builder**.
1. In the list of image builders, verify that a new image builder appears in the **Updating** state. The name of the image builder includes a random 10-digit suffix.
The image builder is the smallest size in the instance family that you chose for the new image in step 5. No subnet is specified because the image builder is not attached to your virtual private cloud (VPC).
1. Choose **Image Registry** and verify that your new image appears in the list.
While your image is being created, the image status in the image registry of the console appears as **Creating**.
1. After your image is created, WorkSpaces Applications performs a qualification process to verify that the image works as expected.
During this time, the image builder, which is also used for this process, appears in the **Image Builder** list with a status of **Pending Qualification**.
1. After the qualification process successfully completes, a **Success** message appears at the top of the console and the image status in the image registry appears as **Available**.
In addition, the image builder that WorkSpaces Applications created is deleted automatically.
**Note**
Depending on the volume of operating system updates, it might take several hours for an image update to complete. If an issue prevents the image from being updated, a red icon with an exclamation point appears next to the image name, and the image status in the image registry appears as **Failed**. If this occurs, select the image, choose the **Notifications** tab, and review any error notifications. For more information, see the information in the [Image Internal Service](troubleshooting-notification-codes.md#troubleshooting-notification-codes-image) section of the documentation for troubleshooting notification codes.
If the qualification process is not successful, the image builder that WorkSpaces Applications created is still deleted automatically.
1. After WorkSpaces Applications creates the new image, test the image on a pre-production fleet. After you verify that your applications work as expected, update your production fleet with the new image.
# Update the WorkSpaces Applications Agent Software by Using Managed WorkSpaces Applications Agent Versions
WorkSpaces Applications provides an automated way to update your image builder with newer WorkSpaces Applications agent software. Doing so enables you to create a new image whenever a new version of the agent is released. You can then test the image before updating your production fleets. For more information about how to manage the WorkSpaces Applications agent software, see [Manage WorkSpaces Applications Agent Versions](base-images-agent.md).
**Note**
You're responsible for installing and maintaining the updates for the Windows operating system, your applications, and their dependencies.
To keep your WorkSpaces Applications image updated with the latest Windows operating system updates, do one of the following:
+ Install your applications on the latest base image each time a new image is released.
+ Install the updates for the Windows operating system, your applications, and their dependencies on an existing image builder.
+ Install the updates for the Windows operating system, your applications, and their dependencies on a new image builder from an existing image.
After you create a new image with the latest Windows operating system, applications and their dependencies, and the WorkSpaces Applications agent software, test the image on a development fleet. After you verify that your applications work as expected, update your production fleet with the new image.
# Windows Update and Antivirus Software on Amazon WorkSpaces Applications
WorkSpaces Applications streaming instances are non-persistent. When a user streaming session ends, WorkSpaces Applications terminates the instance used by the session and, depending on your scaling policies, provisions a new instance to replace it in your fleet. All fleet instances are provisioned from the same image. Because images cannot be changed once created, all fleet instances used in user streaming sessions have only the Windows and application updates that were installed on the underlying image when the image was created. In addition, because a fleet instance used for a streaming session terminates at the end of the session, any updates made to Windows or to applications on the instance during the streaming session will not persist to future sessions by the same user or other users.
**Note**
If you enabled application settings persistence for your stack, WorkSpaces Applications persists Windows and application configuration changes made by a user to future sessions for the same user if those configuration changes are stored in the user’s Windows profile. However, the application settings persistence feature persists only Windows and application configuration settings. It does not persist software updates to Windows or applications on the streaming instance.
For these reasons, WorkSpaces Applications takes the following approach to Windows Update and antivirus software on WorkSpaces Applications instances.
## Windows Update
Windows Update is not enabled by default on WorkSpaces Applications base images. If you enable Windows Update on an image builder and then try to create an image, Image Assistant displays a warning and disables Windows Update during the image creation process. To ensure that your fleet instances have the latest Windows updates installed, we recommend that you install Windows updates on your image builder, create a new image, and update your fleet with the new image on a regular basis.
## Antivirus Software
If you choose to install antivirus software on your image, we recommend that you do not enable automatic updates for the antivirus software. Otherwise, the antivirus software may attempt to update itself with the latest definition files or other updates during user sessions. This may affect performance. In addition, any updates made to the antivirus software will not persist beyond the current user session. To ensure that your fleet instances always have the latest antivirus updates, we recommend that you do either of the following:
+ Update your image builder and create a new image on a regular basis (for example, by using the [Image Assistant CLI operations](https://docs.aws.amazon.com/appstream2/latest/developerguide/programmatically-create-image.html)).
+ Use an antivirus application that delegates scanning or other operations to an always-up-to-date external server.
**Note**
Even if you do not enable automatic updates for your antivirus software, the antivirus software may perform hard drive scans or other operations that may impact the performance of your fleet instances during user sessions.
On WorkSpaces Applications Windows Server 2025/2022/2019/2016 base images published on or after September 10, 2019, Windows Defender is not enabled by default. On WorkSpaces Applications Windows Server 2016 and Windows Server 2019 base images published on June 24, 2019, Windows Defender is enabled by default.
**To enable Windows Defender manually**
If Windows Defender is not enabled on your base image, you can enable it manually. To do so, complete the following steps.
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the left navigation pane, choose **Images**, **Image Builder**.
1. Choose the image builder on which to enable Windows Defender, verify that it is in the **Running** state, and choose **Connect**.
1. Log in to the image builder with the local **Administrator** account or with a domain account that has local administrator permissions.
1. Open Registry Editor.
1. Navigate to the following location in the registry: **HKLM\$1SOFTWARE\$1Policies\$1Microsoft\$1Windows Defender\$1DisableAntiSpyware**.
1. To edit this registry key, double-click it, or right-click the registry key, and choose **Modify**.
1. In the **Edit DWORD (32-bit) Value** dialog box, in **Value data**, change **1** to **0**.
1. Choose **OK**.
1. Close Registry Editor.
1. Open the Microsoft Management Console (MMC) **Services** snap-in (`services.msc`).
1. In the list of services, do one of the following.
If you are using Microsoft Windows Server 2022/2025, do either of the following:
+ Right-click **Microsoft Defender Antivirus Service**, and choose **Start**.
+ Double-click **Microsoft Defender Antivirus Service**, choose **Start** in the properties dialog box, and then choose **OK**.
If you are using Microsoft Windows Server 2019 or 2016, do either of the following:
+ Right-click **Windows Defender Antivirus Service**, and choose **Start**.
+ Double-click **Windows Defender Antivirus Service**, choose **Start** in the properties dialog box, and then choose **OK**.
1. Close the **Services** snap-in.
# Programmatically Create a New Image in Amazon WorkSpaces Applications
You can create WorkSpaces Applications images programmatically by connecting to an image builder and using the Image Assistant command line interface (CLI) operations. For more information, see [Create Your Amazon WorkSpaces Applications Image Programmatically by Using the Image Assistant CLI Operations](programmatically-create-image.md).
# Manage License Included Applications on Your Image in Amazon WorkSpaces Applications
You can stream the following Microsoft license included applications using WorkSpaces Applications. You can install these applications on your Windows Image, use this custom image to create fleet(s), and then stream these applications. All of the following applications are available in 32-bit and 64-bit architecture:
+ Microsoft Office LTSC Professional Plus 2021/2024
+ Microsoft Visio LTSC Professional 2021/2024
+ Microsoft Project Professional 2021/2024
+ Microsoft Office LTSC Standard 2021/2024
+ Microsoft Visio LTSC Standard 2021/2024
+ Microsoft Project Standard 2021/2024
**Important**
Microsoft Office, Visio, and Project must follow the same versions. For example, you can't mix 2021 applications with 2024 applications.
Microsoft Office, Visio, and Project must follow the same architecture. For example, you can't mix 32-bit applications with 64-bit applications.
Microsoft Office, Visio, and Project 2021 Standard/Professional versions are supported on Microsoft Windows Server 2019/2022/2025. Microsoft Office, Visio, and Project 2024 Standard/Professional versions are supported on Microsoft Windows Server 2022 and 2025.
To enable this feature, you must use an WorkSpaces Applications Image Builder that uses an WorkSpaces Applications agent released on or after October 2, 2025. For more information, see [Manage WorkSpaces Applications Agent Versions](base-images-agent.md) . Or, your image must use managed WorkSpaces Applications image updates released on or after October 3, 2025. For more information, see [Keep Your Amazon WorkSpaces Applications Image Up-to-Date](keep-image-updated.md).
Outbound TCP on port 1688 must be open on the management network interface of all streaming instances.
All users streaming through a fleet powered by an image with one or more licensed apps incur billing for these apps monthly, regardless of usage. The application entitlement feature doesn't restrict access for specific users.
License included applications on Image Builder aren't activated because they are installed for administrative purposes. Activation occurs when users stream through a fleet instance.
**Topics**
+ [
# View the list of license included applications installed on your image
](view-list-image.md)
+ [
# View the list of license included applications on your image builder
](view-list-apps.md)
+ [
# Install or uninstall license included applications
](install-uninstall-apps.md)
+ [
# Enable updates for license included applications on image builder
](updates-image-builder.md)
+ [
# Enable updates for license included applications on image builder with Powershell
](enable-updates-managed-powershell.md)
+ [
# Enable updates for license included applications on image builder with Managed Image Update
](enable-updates-managed.md)
# View the list of license included applications installed on your image
**View the list of license included applications installed on your image**
To view the list of license included applications installed on your image, follow these steps.
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. Choose **Images** in the left navigation pane and the **Image Registry** tab.
1. Select an image, and choose **View Details**.
1. Review the list of all the installed applications under **License included applications**.
# View the list of license included applications on your image builder
**View the list of license included applications on your image builder**
To view the list of license included applications on your image builder, follow these steps.
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. Choose **Images** in the left navigation pane and the **Image builder** tab.
1. Select an image builder, and choose **View details**.
1. Review the list of applications and their statuses under **License included applications**.
# Install or uninstall license included applications
**Install or uninstall license included applications**
To install or uninstall one or more license included application(s) on your image, follow these steps.
1. Complete one of the following options:
+ Launch an image Builder and configure license included applications. For more information, see [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md).
+ Manage license included applications on your image builder. For more information, see [Attribute-Based Application Entitlements Using a Third-Party SAML 2.0 Identity Provider](application-entitlements-saml.md).
1. When you have an image created with one or more license included applications, you can use this image to create fleets. Users connecting to this fleet can access these applications.
**Important**
All the users streaming through a fleet powered by an image with one or more licensed apps will incur billing for these apps monthly, regardless of usage. The application entitlement feature does not restrict access for specific users.
If you encounter failures during license included app installation or uninstallation, you will see a failure status on your Image Builder's details page. To troubleshoot these issues, we recommend connecting to your Image Builder and enabling verbose logging. For more information see [How to enable Microsoft 365 Apps for enterprise logging](https://learn.microsoft.com/en-us/troubleshoot/microsoft-365-apps/diagnostic-logs/how-to-enable-office-365-proplus-uls-logging). If the problem persists after reviewing the logs and troubleshooting, contact AWS Support for help.
# Enable updates for license included applications on image builder
**Enable updates for license included applications on image builder**
Updates for all license included applications are disabled by default. You can enable updates for these applications on the image builder with an image that includes one or more of these applications. Updates on fleet instances remain disabled to prevent installation during session setup.
There are three options for enabling updates for license included applications on image builder.
To enable updates for license included applications on image builder with the application menu, follow these steps.
1. Open any license included application.
1. Choose **File**, **Account**, **Update Options**, and **Enable Updates**.
# Enable updates for license included applications on image builder with Powershell
To enable updates for license included applications on image builder with Powershell, follow these steps.
+ Run the following command with PowerShell as an administrator:
`Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" -Name UpdatesEnabled -Value True `
# Enable updates for license included applications on image builder with Managed Image Update
To enable updates for license included applications on image builder with Managed Image Update, follow these steps.
+ Use Managed Image Update to receive updates on Microsoft license included applications. For more information, see
[Update an Image by Using Managed WorkSpaces Applications Image Updates](keep-image-updated-managed-image-updates.md).
# Import Image
You can create WorkSpaces Applications images by importing your customized EC2 AMIs. Here's how it works:
1. Customize your EC2 AMI using any preferred method including [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/).
1. Import your customized AMI into WorkSpaces Applications to create a WorkSpaces Applications image
1. Optionally, use Image Builder for additional image customization
Images created through AMI import are of `type = "custom"`, while WorkSpaces Applications provided images are of `type = "native"`.
You can use stream.\$1 instance types for images with `type = "native"`. To use any of the following instance type you must import your AMI and create an image with `type = "custom"`.
+ GeneralPurpose.\$1
+ MemoryOptimized.\$1
+ ComputeOptimized.\$1
+ Accelerated.\$1
## Prerequisites for image import
All these prerequisites are important for a successful workflow execution. Supported AMI configurations and other mandatory requirements are listed below.
### Required AMI Properties
EBS
+ Less or equal to 500GB size
+ You can import an AMI with < 200 GB, however, the imported image will use minimum 200GB.
+ GP2
+ You can import an AMI with gp2 or gp3 EBS volume type, however, the imported image will use gp2.
+ One volume per image
+ `/dev/sda1` Root Device Name
+ Image Type: Machine
+ Architecture: x86\$164
+ Virtualization Type: HVM
+ Boot Mode: UEFI
+ TPM Support: v2.0. This is required, Refer to [https://docs.aws.amazon.com/ec2/latest/windows-ami-reference/ami-windows-tpm.html\$1ami-windows-tpm-find](https://docs.aws.amazon.com/ec2/latest/windows-ami-reference/ami-windows-tpm.html#ami-windows-tpm-find) to find a TPM enabled AMI.
+ ENA Support: true
+ Platform: Windows
+ Platform Details: Windows
### Operating System Properties
Windows Server 2022/2025 **Full Base**
+ Windows Server **Core** is not supported
+ Windows with SQL Server is not supported
Agents
+ EC2 Launch V2 Version >= 2.1.1
+ SSM Agent required
Drivers
+ EC2 ENA Driver Version >= 2.9.0
+ EC2 NVMe Driver Version >= 1.6.0
Library Support
+ .NET Framework 4.8 or greater
+ Installed by default in Windows Server 2022/2025
+ PowerShell 5.1 or greater
+ Installed by default in Windows Server 2022/2025
+ Windows Features: Remote Desktop Services Licensing and Remote Desktop Services Session Host must not be installed
+ Ports: Ports 8000, 8300, and 8443 must be unblocked and unoccupied
+ Boot Mode: UEFI
If you want to use image with graphics instances such as Accelerated.g4dn, Accelerated.g5, Accelerated.G6, or Accelerated.G6e you much install proper GRID driver on your AMI. For more details please refer to [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvidia-GRID-driver.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvidia-GRID-driver.html). If the drivers are not setup correctly the streaming will work, however, graphics card may not available.
**Important**
"Owner Account Id" of the AMI must be your AWS account id. You cannot import a public EC2 AMI.
Perform any Windows updates and disable automatic Windows updates before importing the image.
Import of encrypted EC2 AMIs is currently not supported
### IAM Role Requirements
**Important**
"Create an IAM role with the following permissions to use for image import:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowModifyImageAttributeWithTagCondition",
"Effect": "Allow",
"Action": "ec2:ModifyImageAttribute",
"Resource": "*"
},
{
"Sid": "AllowDescribeImages",
"Effect": "Allow",
"Action": "ec2:DescribeImages",
"Resource": "*"
}
]
}
```
Add the following trust relationship for this IAM role
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "appstream.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
## To import an image
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the left navigation pane, choose **Images** and then choose **Image registry**.
1. Choose **Import Image**.
1. **AMI ID** - Enter an AMI ID for AMI that you would like to import to WorkSpaces Applications. You can also search for your AMI using this field.
1. **Image name** - Enter a unique name for the image that will be created because of import operation.
1. **Display name** *(Optional)* - Enter a to display for the image.
1. **Description** *(Optional)* – Enter a description for the image.
1. **IAM Role** - Select the IAM role that you have created for image import. For more details refer to [IAM Role Requirements](#iam-role-requirements).
1. **Manage WorkSpaces Applications agent** – Select this option if you want to always use the latest WorkSpaces Applications agent version, your streaming instances are automatically updated with the latest features, performance improvements, and security updates that are available from AWS when a new agent version is released.
1. **Runtime validation** *(Optional)*: Select this option and service will provision an instance with the image being imported and run streaming tests.
+
**Note**
These streaming tests will be executed in the background, you cannot connect to this instance via WorkSpaces Applications client.
+ We recommend using this option to get higher confidence that your image is suitable for WorkSpaces Applications.
+ You will be billed for the hourly price of that instance.
+ You can avoid running runtime validation if you are re-importing your AMI after making minor changes that may not affect the streaming test, and if runtime validation passed the last time, you imported this AMI.
+ **Choose instance type** *(Optional)*: Select the right instance family, type, and size for running the streaming test. It is recommended that you use the same instance which you are planning to use for fleet creation.
1. **Applications catalog and launch performance manifest** *(Optional)*: Provide details to create applications catalog for your end users and improve the launch performance of your applications.
+ **Application catalog**: To create an application catalog specify details about the applications installed your image. For each application that you plan to stream, you can specify the name, display name, executable file to launch, and icon to display.
+ **Launch performance**: Adding files to the application optimization manifest reduces the time that it takes for the application to launch for the first time on a new fleet instance. The optimization manifest is a line-delimited text file that is per application.
To learn more refer to [Applications Details](applications-details.md).
1. **Tags** *(Optional)* - Choose **Add Tag** and type the key and value for the tag. To add more tags, repeat this step. For more information, see [Tagging Your Amazon WorkSpaces Applications Resources](tagging-basic.md).
1. **Import Image** – Review all the information you have entered and choose **Import Image**. Service will run compatibility checks to make sure AMI is compatible with WorkSpaces Applications.
+ If the static checks fail, you will receive an error straight away.
+ If the static checks pass, your import request will be submitted and depending upon the options you have selected it could take 30-60 min to create a new WorkSpaces Applications image with `type = "custom"`
# Applications Details
Applications details contains information about pre-warm manifests and app catalog configurations.
## Application PreWarm Manifests
When creating WorkSpaces Applications images you may specify applications to be made available to your users. To speed up the application's launch time you can prepare a PreWarm manifest. This is essentially a catalog of the files that your application needs to launch when users launch your application. During instance provisioning these files will be prepared ahead of session connections to speed up application launch times in user sessions.
Prewarm manifests must be pre-created on your AMI before being imported into the WorkSpaces Applications environment. You can choose to either create one common Prewarm manifest file or one per each application. This changes how you will import your AMI later.
### Common Prewarm Manifest
For each application you wish to prewarm, launch the application and perform any initial interactions your users may perform. Then, use the following command targeting the directory where your applications data is stored.
```
dir -path "C:\Path\To\Folder\To\Optimize" -Recurse -ErrorAction SilentlyContinue | %{$_.FullName} | Out-File "C:\ProgramData\Amazon\Photon\Prewarm\PrewarmManifest.txt" -encoding UTF8 -append
```
This will append the files to optimize for each application into the common `C:\\ProgramData\\Amazon\\Photon\\Prewarm\\PrewarmManifest.txt` file. There is no additional action needed to perform application prewarming. WorkSpaces Applications will look for the prewarm file at the above location and use it if it is present.
This process is optional and as the size of the prewarm manifest increases, fleet provisioning time will also increase. So take care to balance optimization with fleet provisioning.
### Application Specific Manifests
During image import, you may wish to specify separate application manifest files per application for easier tracking of the prewarm assets per application. To do this perform the same steps as above, but instead of creating a common `C:\\ProgramData\\Amazon\\Photon\\Prewarm\\PrewarmManifest.txt` file, create a file per application on your AMI.
For each application you wish to prewarm, launch the application and perform any initial interactions your users may perform. Then, use the following command targeting the directory where your applications data is stored.
```
dir -path "C:\Path\To\Folder\To\Optimize" -Recurse -ErrorAction SilentlyContinue | %{$_.FullName} | Out-File "C:\Path\To\My\PreWarm.txt" -encoding UTF8 -append
```
We will use these application prewarm files during the image import process. Again this is completely optional. You may choose to use this method, the Common Prewarm Manifest method, or no Prewarm manifest at all.
## Application Catalog Configs
`AppCatalogConfig` which allows you to specify the applications you wish to register to your WorkSpaces Applications image during AMI import. The `AppCatalogConfig` is a JSON list of Application configuration objects of the following structure.
```
[
{
"Name": "Rufus", //Required and must be unique among the list of applications
"DisplayName": "Rufus",
"AbsoluteAppPath": "Rufus", //Required
"AbsoluteIconPath": "Rufus",
"AbsoluteManifestPath": "Rufus",
"WorkingDirectory": "Rufus",
"LaunchParameters": "Rufus"
}
...
// Up to 50 applications total
]
```
The only required fields per application are the `Name` and the `AbsoluteAppPath`. The details of each field as follows:
Name [**Required**]
+ A given name for your application to identify it
+ Between 1 and 100 characters
+ Allowed characters regex `^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,99}$`
+ Must be unique in a given AppCatalogConfig
DisplayName
+ The display name for a given application to display to users
+ Between 0 and 100 characters
+ Allowed characters regex `^[a-zA-Z0-9][a-zA-Z0-9_. -]{0,99}$`
AbsoluteAppPath [**Required**]
+ The path to the executable to launch your application
+ This is the executable that will be launched when users select your application
+ Between 1 and 32767 characters
+ This character length upper limit is to support extended file paths in Windows. Ensure your AMI and application is properly configured to support Windows extended file paths if using file paths larger than 260 characters.
+ Use escaped file path strings such as
+ `"C:\\Windows\\System32\\notepad.exe"`
AbsoluteManifestPath
+ Only applicable if you are using [Application Specific Manifests](#application-specific-manifests)
+ Path to prewarm manifest file for this application
+ Between 0 and 32767 characters
+ This character length upper limit is to support extended file paths in Windows. Ensure your AMI and application is properly configured to support Windows extended file paths if using file paths larger than 260 characters.
+ Use escaped file path strings such as
+ `"C:\\Path\\To\\PrewarmManifest.txt"`
AbsoluteIconPath
+ Path to icon file on the AMI to use for the application.
+ This icon will be shown to users when streaming to this image.
+ If none is provided the icon will be derived from the executable itself.
+ Take care to select icon files with appropriately handled background transparency for a good client experience for your users
+ Use PNG images
+ Between 1 and 32767 characters
+ This character length upper limit is to support extended file paths in Windows. Ensure your AMI and application is properly configured to support Windows extended file paths if using file paths larger than 260 characters.
+ Use escaped file path strings such as
+ `"C:\\Path\\To\\ApplicationIcon.png"`
WorkingDirectory
+ The working directory to launch your application in
+ Between 0 and 32767 characters
+ This character length upper limit is to support extended file paths in Windows. Ensure your AMI and application is properly configured to support Windows extended file paths if using file paths larger than 260 characters.
+ Use escaped file path strings such as
+ `"C:\\Path\\To\\Working\\Directory"`
LaunchParameters
+ A string to use as the launch parameters for the executable specified in `AbsoluteAppPath`
+ Between 0 and 1024 characters
+ Use escaped strings with the full list of required launch parameters such as the following example which shows how you may use PowerShell scripts as your applications by using the PowerShell executable as your app with a script provided in the launch parameters
+ AbsoluteAppPath
+ `"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"`
+ LaunchParameters
+ `"-File \"C:\\Path\\To\\App\\Script.ps1\""`
### Sample AppCatalogConfig
This is a bare bones example of an AppCatalogConfig for Notepad, Google Chrome, and Mozilla Firefox
```
[
{
"Name": "Notepad",
"DisplayName": "Notepad",
"AbsoluteAppPath": "C:\\Windows\\System32\\notepad.exe"
},
{
"Name": "Chrome",
"DisplayName": "Chrome",
"AbsoluteAppPath": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"LaunchParameters": "https://www.amazon.com/"
},
{
"Name": "Firefox",
"DisplayName": "Firefox",
"AbsoluteAppPath": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
"LaunchParameters": "https://aws.amazon.com/"
}
]
```
# Export Image
You can export your images to create EC2 AMIs. Later you can [Import Image](import-image.md) those AMIs back to create WorkSpaces Applications images. This helps you to use your own AMI customization tools for customizing of your images.
**Note**
During export following components will be removed from your images
WorkSpaces Applications agent
Microsoft license included applications, which were added using Image Builder
Only Microsoft Windows Server 2022 and 2025 images can be exported.
## IAM Role Requirements
**Important**
Create an IAM role with the following permissions to use for export import:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCopyImage",
"Effect": "Allow",
"Action": "ec2:CopyImage",
"Resource": "*"
},
{
"Sid": "AllowDescribeImages",
"Effect": "Allow",
"Action": "ec2:DescribeImages",
"Resource": "*"
},
{
"Sid": "AllowCreateTags",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "*"
}
]
}
```
Add the following trust relationship for this IAM role
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "appstream.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
## To export an image
1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).
1. In the navigation pane, choose **Images**, **Image Registry**.
1. In the image list, select the private image you want to export.
1. Choose **Actions**, **Export**.
1. In the **Export image** dialog box, type a unique **AMI name** and optionally **AMI Description** for the AMI.
1. **IAM Role** - Select the IAM role that you have created for image export.
1. You optionally copy tags from your Image to AMI by checking the **Copy tags in export** checkbox.
1. Choose **Export Image**.