# Troubleshooting
<a name="troubleshooting"></a>

If you encounter difficulties when working with Amazon WorkSpaces Applications, consult the following troubleshooting resources.

**Topics**
+ [

# General Troubleshooting
](troubleshooting-general.md)
+ [

# Troubleshooting Image Builders
](troubleshooting-image-builder.md)
+ [

# Troubleshooting Fleets
](troubleshooting-fleets.md)
+ [

# Troubleshooting Active Directory
](troubleshooting-active-directory.md)
+ [

# Troubleshooting WorkSpaces Applications User Issues
](troubleshooting-user-issues.md)
+ [

# Troubleshooting Persistent Storage Issues
](troubleshooting-persistent-storage.md)
+ [

# Troubleshooting Notification Codes
](troubleshooting-notification-codes.md)

# General Troubleshooting
<a name="troubleshooting-general"></a>

The following are general issues that might occur when you use Amazon WorkSpaces Applications.

**Topics**
+ [

## SAML federation is not working. The user is not authorized to view WorkSpaces Applications applications.
](#troubleshooting-13)
+ [

## After federating from an ADFS portal, my streaming session doesn't start. I am getting the error "Sorry connection went down".
](#troubleshooting-adfs-upn)
+ [

## I get an invalid redirect URI error.
](#troubleshooting-14)
+ [

## My image builders and fleets never reach the running state. My DNS servers are in a Simple AD directory.
](#fleets-image-builders-dont-run-simple-ad)
+ [

## I've enabled application settings persistence for my users, but their persistent application settings aren't being saved or loaded.
](#app-settings-save-load-failure)
+ [

## I've enabled application settings persistence for my users, but for certain streaming applications, my users’ passwords aren’t persisting across sessions.
](#app-settings-passwords-not-persisting)
+ [

## Google Chrome data is filling the VHD file that contains my users' persistent application settings. This is preventing their settings from persisting. How can I manage the Chrome profile?
](#chrome-filling-up-app-settings-VHD)
+ [

## I set up a custom domain for my embedded WorkSpaces Applications streaming sessions, but my WorkSpaces Applications streaming URLs aren't redirecting to my custom domain.
](#embedded-streaming-sessions-streaming-urls-not-redirected-to-custom-domain)
+ [

## I launched an app on a smartcard-enabled WorkSpaces Applications fleet, and there are a limited number of certificates (or none) available to the app for authentication.
](#no-or-limited-certificates-for-authentication-on-smartcard-fleet)
+ [

## The Certification Propagation service isn't starting on my smartcard-enabled WorkSpaces Applications fleet.
](#certification-propogation-not-starting-on-smartcard-fleet)
+ [

## I can't log in with my Active Directory username or password after SAML authentication.
](#troubleshooting-saml-auth)

## SAML federation is not working. The user is not authorized to view WorkSpaces Applications applications.
<a name="troubleshooting-13"></a>

This might happen because the inline policy that is embedded for the SAML 2.0 federation IAM role does not include permissions to the stack ARN. The IAM role is assumed by the federated user who is accessing an WorkSpaces Applications stack. Edit the role permissions to include the stack ARN. For more information, see [Amazon WorkSpaces Applications Integration with SAML 2.0](external-identity-providers.md) and [Troubleshooting SAML 2.0 Federation with AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html) in the *IAM User Guide*.

## After federating from an ADFS portal, my streaming session doesn't start. I am getting the error "Sorry connection went down".
<a name="troubleshooting-adfs-upn"></a>

Set the claim rule's **Incoming Claim Type** for the **NameID** SAML attribute to **UPN** and try the connection again.

## I get an invalid redirect URI error.
<a name="troubleshooting-14"></a>

This error occurs due to a malformed or invalid WorkSpaces Applications stack relay state URL. Make sure that the relay state configured in your federation setup is the same as the stack relay state that is displayed in the stack details through the WorkSpaces Applications console. If they are the same and the problem still persists, contact AWS Support. For more information, see [Amazon WorkSpaces Applications Integration with SAML 2.0](external-identity-providers.md).

## My image builders and fleets never reach the running state. My DNS servers are in a Simple AD directory.
<a name="fleets-image-builders-dont-run-simple-ad"></a>

WorkSpaces Applications relies on the DNS servers within your VPC to return a non-existent domain (NXDOMAIN) response for local domain names that don’t exist. This enables the WorkSpaces Applications-managed network interface to communicate with the management servers. 

When you create a directory with Simple AD, AWS Directory Service creates two domain controllers that also function as DNS servers on your behalf. Because the domain controllers don't provide the NXDOMAIN response, they can't be used with WorkSpaces Applications.

## I've enabled application settings persistence for my users, but their persistent application settings aren't being saved or loaded.
<a name="app-settings-save-load-failure"></a>

WorkSpaces Applications automatically saves application settings that are created in certain locations on the Windows instance. The settings are saved only if your application saves them to one of these locations. For a list of supported locations, see [How Application Settings Persistence Works](how-it-works-app-settings-persistence.md). If your application is configured to save to C:\$1Users\$1%username% and your users' settings for the application aren’t persisting between sessions, the mount point might not be created. This prevents the settings from being saved to the VHD file that contains your users’ persistent application settings. 

To resolve this issue, follow these steps:

1. On the fleet instance, open File Explorer and browse to the user profile directory at C:\$1Users\$1%username%.

1. Confirm whether this directory contains a symlink, and then do either of the following: 
   + If there is a symlink, confirm that it points to D:\$1%username%.
   + If there isn't a symlink, try to delete the C:\$1Users\$1%username% directory.

     If you can’t delete this directory, identify the file in the directory that is preventing it from being deleted and the application that created the file. Then contact the application vendor for information about how to change the file permissions or move the file.

     If you can delete this directory, contact AWS Support for further guidance to resolve this issue. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## I've enabled application settings persistence for my users, but for certain streaming applications, my users’ passwords aren’t persisting across sessions.
<a name="app-settings-passwords-not-persisting"></a>

This issue occurs when:
+ Users are streaming applications such as Microsoft Outlook, which use the [Microsoft Data Protection API](https://docs.microsoft.com/en-us/windows/desktop/seccng/cng-dpapi).
+ App settings persistence is enabled for streaming instances that are not joined to Active Directory domains. 

In cases where a streaming instance is not joined to an Active Directory domain, the Windows user, PhotonUser, is different on each fleet instance. Due to the way in which the DPAPI security model works, users' passwords don’t persist for applications that use DPAPI in this scenario. In cases where streaming instances are joined to an Active Directory domain and the user is a domain user, the Windows user name is that of the logged in user, and users’ passwords persist for applications that use DPAPI.

## Google Chrome data is filling the VHD file that contains my users' persistent application settings. This is preventing their settings from persisting. How can I manage the Chrome profile?
<a name="chrome-filling-up-app-settings-VHD"></a>

By default, Google Chrome stores both user data and the local disk cache in the Windows user profile. To prevent the local disk cache data from filling the VHD file that contains users' persistent application settings, configure Chrome to save only the user data. To do so, on the fleet instance, open the command line as an administrator and start Chrome with the following parameters to change the location of the disk cache:

`chrome.exe --disk-cache-dir C:\`*path-to-unsaved-location*`\`

Running Chrome with these parameters prevents the disk cache from being persisted between WorkSpaces Applications sessions.

## I set up a custom domain for my embedded WorkSpaces Applications streaming sessions, but my WorkSpaces Applications streaming URLs aren't redirecting to my custom domain.
<a name="embedded-streaming-sessions-streaming-urls-not-redirected-to-custom-domain"></a>

To resolve this issue, verify that when you created your WorkSpaces Applications streaming URL, you replaced the WorkSpaces Applications endpoint with your custom domain. By default, WorkSpaces Applications streaming URLs are formatted as follows:

```
https://appstream2.region.aws.amazon.com/authenticate?parameters=authenticationcode
```

To replace the default WorkSpaces Applications endpoint in your streaming URL, replace **https://appstream2.***region* in the URL with your custom domain. For example, if your custom domain is **training.example.com**, your new streaming URL must follow this format:

```
https://training.example.com/authenticate?parameters=authenticationcode
```

For more information about configuring custom domains for embedded WorkSpaces Applications streaming sessions, see [Configuration Requirements for Using Custom Domains](create-streaming-url-user-authentication.md#configuration-requirements-custom-domains).

## I launched an app on a smartcard-enabled WorkSpaces Applications fleet, and there are a limited number of certificates (or none) available to the app for authentication.
<a name="no-or-limited-certificates-for-authentication-on-smartcard-fleet"></a>

This happens when the application is launched before the [Certificate Propagation](https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service) service is in a running state. 

To resolve this issue, use the PowerShell module [Get-Service](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-service?view=powershell-7.1) to query the Certificate Propagation service’s status, and make sure that it's in a running state before launching your application.

For example, the following script won't launch the application until the Certificate Propagation service is running:

```
$logFile = "$Env:TEMP\AS2\Logging\$(Get-Date -Format "yyyy-MM-dd-HH-mm-ss")_applaunch.log"
New-Item -path $logfile -ItemType File -Force | Out-Null

Function Write-Log {
    Param ([string]$message)
    $stamp = Get-Date -Format "yyyy/MM/dd HH:mm:ss"
    $logoutput = "$stamp $message"
    Add-content $logfile -value $logoutput
}

if (Get-Service -Name "CertPropSvc" | Where-Object -Property Status -eq Running) {

    Write-Log "The Certificate Propagation Service is running. Launching Application..."
    try {
        Start-Process -FilePath "Path to Application" -WindowStyle Maximized -ErrorAction Stop
    }
    catch {
        Write-Log "There was an error launching the application: $_"
        
    }
    
}   
else {

    do {
        
        $status = Get-Service "CertPropSvc" | select-object -ExpandProperty Status
        Write-Log "The Certificate Propagation service status is currently $status"
        Start-Sleep -Seconds 2

    
    } until (Get-Service -Name "CertPropSvc" | Where-Object -Property Status -eq Running)
    
    write-log "The Certificate Propagation Service is running. Launching Application..."
    try {
        Start-Process -FilePath "Path to Application" -WindowStyle Maximized -ErrorAction Stop
    }
    catch {
        Write-Log "There was an error launching the application: $_"
        
    }
}
```

## The Certification Propagation service isn't starting on my smartcard-enabled WorkSpaces Applications fleet.
<a name="certification-propogation-not-starting-on-smartcard-fleet"></a>

If the [Certificate Propagation](https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service) service isn't starting, the service’s startup type might be set to **Disabled**. To resolve this, on the WorkSpaces Applications image builder used to create your fleet’s image, launch the Windows Services Microsoft Management Console, and make sure that the startup type of the Certificate Propagation service isn't set to **Disabled**. 

If the startup type isn't set to **Disabled**, and the service is still not starting on your WorkSpaces Applications fleet, use the PowerShell module [Start-Service](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-service?view=powershell-7.1) to start the Certificate Propagation service when your fleet instance starts. 

For example, the following PowerShell script will start the service if it detects that it's in a stopped state:

```
$logFile = "C:\AppStream\Logging\$(Get-Date -Format "yyyy-MM-dd-HH-mm-ss")_certpropcheck.log"
New-Item -path $logfile -ItemType File -Force | Out-Null

Function Write-Log {
    Param ([string]$message)
    $stamp = Get-Date -Format "yyyy/MM/dd HH:mm:ss"
    $logoutput = "$stamp $message"
    Add-content $logfile -value $logoutput
}

if (Get-Service -Name "CertPropSvc" | Where-Object -Property Status -eq Running) {

    Write-Log "The Certificate Propagation Service is running. Exiting..."
    Exit
}
else {
    do {

        if (Get-Service -Name "CertPropSvc" | Where-Object -Property Status -eq Stopped) {

            Write-Log "The Certificate Propagation Service is stopped, attepmting to start..."
            try {
                Start-Service -Name "CertPropSvc" -ErrorAction Stop
                
            }
            catch {
                Write-Log "There was a problem starting the service: $_"
                break               
            }

            $status = Get-Service "CertPropSvc" | select-object -ExpandProperty Status
            Write-Log "The Certificate Propagation service status is currently $status"
            

        }
        else {
        
            $status = Get-Service "CertPropSvc" | select-object -ExpandProperty Status
            Write-Log "The Certificate Propagation service status is currently $status"
            break
        }
    
    } until (Get-Service -Name "CertPropSvc" | Where-Object -Property Status -eq Running)
}
```

## I can't log in with my Active Directory username or password after SAML authentication.
<a name="troubleshooting-saml-auth"></a>

The nameID in the SAML claim needs to match the username in Active Directory. Some IdPs require an update, refresh, or redeploy after adjusting certain attributes. If you make an adjustment and it is not reflected in your SAML capture, refer to your IdP's documentation or support program regarding the specific steps required to make the change take effect.

# Troubleshooting Image Builders
<a name="troubleshooting-image-builder"></a>

The following are issues that might occur when you use Amazon WorkSpaces Applications image builders.

**Topics**
+ [

## I cannot connect to the internet from my image builder.
](#troubleshooting-01)
+ [

## When I tried installing my application, I see an error that the operating system version is not supported.
](#troubleshooting-02)
+ [

## I want to use a Windows PowerShell script to open my applications.
](#use-powershell-launch-application)
+ [

## I want to make ClickOnce applications available to users.
](#clickonce-applications)
+ [

## When I connect to my image builder, I see a login screen asking me to enter Ctrl\$1Alt\$1Delete to log in. However, my local machine intercepts the key strokes.
](#troubleshooting-03)
+ [

## When I switched between admin and test modes, I saw a request for a password. I don't know how to get a password.
](#troubleshooting-04)
+ [

## I get an error when I add my installed application.
](#troubleshooting-05)
+ [

## I accidentally quit a background service on the image builder and got disconnected. I am now unable to connect to that image builder.
](#troubleshooting-06)
+ [

## The application fails to launch in test mode.
](#troubleshooting-07)
+ [

## The application could not connect to a network resource in my VPC.
](#troubleshooting-08)
+ [

## I customized my image builder desktop, but my changes are not available when connecting to a session after launching a fleet from the image I created.
](#troubleshooting-09)
+ [

## My application is missing a command line parameter when launching.
](#troubleshooting-10)
+ [

## I am unable to use my image with a fleet after installing an antivirus application.
](#troubleshooting-11)
+ [

## My image creation failed.
](#troubleshooting-12)
+ [

## The Image Assistant `create-image` operation failed with an error message that access to the PrewarmManifest.txt is denied
](#create-image-cli-operation-fails)

## I cannot connect to the internet from my image builder.
<a name="troubleshooting-01"></a>

Image builders cannot communicate to the internet by default. To resolve this issue, launch your image builder in a VPC subnet that has internet access. You can enable internet access from your VPC subnet using a [NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html). Or, you can configure an internet gateway in your VPC, and attach an Elastic IP address to your image builder. For more information, see [Networking and Access for Amazon WorkSpaces Applications](managing-network.md).

## When I tried installing my application, I see an error that the operating system version is not supported.
<a name="troubleshooting-02"></a>

Only applications that can be installed on Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 can be added to an WorkSpaces Applications image. Check if your application is supported on one of these operating systems, as applicable for your image builder.

## I want to use a Windows PowerShell script to open my applications.
<a name="use-powershell-launch-application"></a>

You can use Windows PowerShell scripts to open your applications in the fleet instance. You might want to do this to configure the application or environment before the application opens. To launch a Windows PowerShell script for your application, specify the PowerShell .exe file in Image Assistant. Navigate to `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, and specify the following launch parameters: 

-file "C:\$1Path\$1To\$1PowerShell\$1Script.ps1"

**Note**  
To allow the specified script to open the application, you must override the PowerShell script execution policy. To do so, add **-ExecutionPolicy Bypass** to the launch parameter.

## I want to make ClickOnce applications available to users.
<a name="clickonce-applications"></a>

To make a ClickOnce application available to your WorkSpaces Applications users, you must install the application on your image builder first as an Administrator, and then as a Template User. Because ClickOnce applications require a user-specific installation, you must install your application as a Template User to enable users to launch the application from fleet instances. To install the ClickOnce application as an Administrator and then as a Template User, perform these steps.

1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2/home](https://console.aws.amazon.com/appstream2/home).

1. In the left navigation pane, choose **Images**, **Image Builder**.

1. In the list, select the image builder that you want to use, and log into it as an Administrator.

1. Create a batch file that calls the `appref-ms` file within the user profile. Use the %APPDATA% environment variable to replace C:\$1Users\$1username\$1AppData\$1Roaming. Here is an example batch file call:

   ```
   explorer "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Company\ClickOnce.appref-ms"
   ```

1. On the image builder desktop, open Image Assistant. 

1. On the **Configure Apps** page, choose **Switch user**.

1. On the **Local User** tab, choose **Template User**.

1. After you log in as a Template User, install the application again. 

1. On the image builder desktop, open Image Assistant.

1. On the **Configure Apps** page, open the ClickOnce application to verify that it functions correctly. After you finish testing, choose **Switch user**.

1. Log back in as an Administrator and perform the required steps in Image Assistant to finish creating your image.

## When I connect to my image builder, I see a login screen asking me to enter Ctrl\$1Alt\$1Delete to log in. However, my local machine intercepts the key strokes.
<a name="troubleshooting-03"></a>

Your client might intercept certain key combinations locally instead of sending them to the image builder session. To reliably send the Ctrl\$1Alt\$1Delete key combination to the image builder, choose **Admin Commands**, **Send Ctrl\$1Alt\$1Delete**. The **Admin Commands** menu is available on the top right corner of the image builder session toolbar.

## When I switched between admin and test modes, I saw a request for a password. I don't know how to get a password.
<a name="troubleshooting-04"></a>

WorkSpaces Applications usually logs you into the user mode that you choose automatically. On some occasions, the switch might not happen automatically. If a password is requested, choose **Admin Commands**, **Log me in**. This sends a one-time password, securely, to your image builder and pastes it into the **Password** field.

## I get an error when I add my installed application.
<a name="troubleshooting-05"></a>

Check if your application type is supported. You can add applications of the types `.exe`, `.lnk`, and `.bat`.

Check if your application is installed under the `C:\Users` folder hierarchy. Any application installed under `C:\Users` is not supported. Select a different installation folder under `C:\` when installing the application.

## I accidentally quit a background service on the image builder and got disconnected. I am now unable to connect to that image builder.
<a name="troubleshooting-06"></a>

Try stopping the image builder, restarting it and connecting to it again. If the problem persists, you must launch (create) a new image builder. Do not stop any background services running on the image builder instance. Doing so might interrupt your image builder session or interfere with the image creation.

## The application fails to launch in test mode.
<a name="troubleshooting-07"></a>

Check if your application requires elevated user privileges or any special permissions that are usually available only to an administrator. The Image Builder Test mode has the same limited permissions on the image builder instance as your end users have on an WorkSpaces Applications test fleet. If your applications require elevated permissions, they do not launch in the Image Builder Test mode.

## The application could not connect to a network resource in my VPC.
<a name="troubleshooting-08"></a>

Check if the image builder was launched in the correct VPC subnet. You might also need to verify that the route tables in your VPC are configured to allow a connection.

## I customized my image builder desktop, but my changes are not available when connecting to a session after launching a fleet from the image I created.
<a name="troubleshooting-09"></a>

Changes that are saved as part of a local user session, such as time settings, are not persisted when creating an image. To persist any local user session changes, add them to the local group policy on the image builder instance.

## My application is missing a command line parameter when launching.
<a name="troubleshooting-10"></a>

You can provide a command line parameter when using image builder to add an application to an image. If the launch parameters for the application do not change for each user, you can enter them while adding an application to the image in the image builder instance.

If the launch parameters are different for every launch, you can pass them programmatically when using the `CreateStreamingURL` API. Set the `sessionContext` and `applicationID` parameters in the API fields. The sessionContext is included as a command line option when launching the application.

If the launch parameters must be computed on the fly, you can launch your application using a script. You can parse the `sessionContext` parameter within your script before launching your application with a computed parameter.

## I am unable to use my image with a fleet after installing an antivirus application.
<a name="troubleshooting-11"></a>

You can install any tools, including antivirus programs, on your WorkSpaces Applications stack by using the image builder before creating an image. However, these programs should not block any network ports or stop any processes that are used by the WorkSpaces Applications service. We recommend testing your application in Image Builder Test mode before creating an image and attempting to use it with a fleet.

## My image creation failed.
<a name="troubleshooting-12"></a>

Verify that you did not make any changes to WorkSpaces Applications services before starting the image creation. Try creating your image again; if it fails, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## The Image Assistant `create-image` operation failed with an error message that access to the PrewarmManifest.txt is denied
<a name="create-image-cli-operation-fails"></a>

The application optimization manifest was created with elevated privileges. To create the image, do either of the following, and then try again:
+ Run the Image Assistant command line interface (CLI) executable file (Image-Assistant.exe) with administrator privileges.
+ Delete the application optimization manifest file.

# Troubleshooting Fleets
<a name="troubleshooting-fleets"></a>

The following are issues that might occur when users connect to Amazon WorkSpaces Applications streaming sessions launched from fleet instances.

**Topics**
+ [

## I tried to increase my fleet capacity, but the update isn't taking effect.
](#troubleshooting-fleet-scale-up-policy-not-working-quota-limit-exceeded)
+ [

## My applications won't work correctly unless I use the Internet Explorer defaults. How do I restore the Internet Explorer default settings?
](#troubleshooting-restore-ie-defaults)
+ [

## I need to persist environment variables across my fleet instances.
](#troubleshooting-persist-environment-variables)
+ [

## I want to change the default Internet Explorer home page for my users.
](#troubleshooting-change-homepage)
+ [

## When my users end a streaming session and then start a new one, they see a message that says no streaming resources are available.
](#troubleshooting-no-resources-available-new-streaming-session)

## I tried to increase my fleet capacity, but the update isn't taking effect.
<a name="troubleshooting-fleet-scale-up-policy-not-working-quota-limit-exceeded"></a>

You can increase your fleet capacity in either of the two following ways:
+ Manually, by increasing the **Minimum capacity** value on the **Scaling Policies **tab for the fleet in the WorkSpaces Applications console.
+ Automatically, by configuring a fleet scaling policy that manages your capacity for the fleet.

If your manual modification or scaling policy exceeds your current WorkSpaces Applications quota for your fleet instance type and size, the new values will not take effect. If you experience this issue, you can use the AWS Command Line Interface (CLI) [describe-scaling-activities](https://docs.aws.amazon.com/cli/latest/reference/application-autoscaling/describe-scaling-activities.html) command to verify whether your capacity request exceeds your quota for the applicable fleet instance type and size. This command uses the following format:

```
aws application-autoscaling describe-scaling-activities
  --service-namespace appstream \
  --resource-id fleet/fleetname \
```

For example, the following command provides information for the **TestFleet** fleet in the **us-west-2** AWS Region.

```
aws application-autoscaling describe-scaling-activities --service-namespace appstream --resource-id fleet/TestFleet --region us-west-2
```

The following JSON output shows that a scaling policy for **TestFleet** with a **Minimum capacity** value of 150 was set. This value exceeds the limit (quota) for **TestFleet**, which is 100, so the new scaling policy doesn’t take effect. In the output, the **StatusMessage** parameter provides detailed information about the cause of the error, including the fleet instance type (in this case, stream.standard.medium), and the current quota, which is 100.

**Note**  
WorkSpaces Applications instance type and size quotas are per Amazon Web Services account, per AWS Region. If you have multiple fleets in the same Region that use the same instance type and size, the total number of instances in all fleets in that Region must be less than or equal to the applicable quota.

```
{
    "ScalingActivities": [
        {
            "ActivityId": "id",
            "ServiceNamespace": "appstream",
            "ResourceId": "fleet/TestFleet",
            "ScalableDimension": "appstream:fleet:DesiredCapacity",
            "Description": "Setting desired capacity to 150.",
            "Cause": "minimum capacity was set to 150",
            "StartTime": 1596828816.136,
            "EndTime": 1596828816.646,
            "StatusCode": "Failed",
            "StatusMessage": "Failed to set desired capacity to 150. Reason: The Instance type 'stream.standard.medium' capacity limit for fleet TestFleet' was exceeded. Requested: 150, Limit: 100 (Service: AmazonAppStream; Status Code: 400; Error Code: LimitExceededException; Request ID: id; Proxy: null)."
```

If you run the `describe-scaling-activities` command and the output indicates that your capacity request exceeds your current quota, you can resolve the issue by:
+ Changing your capacity request to a value that doesn’t exceed your quota.
+ Requesting a quota increase. To request a quota increase, use the [WorkSpaces Applications Limits form](https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase&limitType=service-code-appstream2).

## My applications won't work correctly unless I use the Internet Explorer defaults. How do I restore the Internet Explorer default settings?
<a name="troubleshooting-restore-ie-defaults"></a>

If your WorkSpaces Applications environment includes applications that render elements, you might need to restore the Internet Explorer default settings to enable full enable access to the internet. 

**To automatically restore the Internet Explorer default settings**

1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2/home](https://console.aws.amazon.com/appstream2/home).

1. In the left navigation pane, choose **Images**, **Image Builder**.

1. Choose the image builder on which to restore the Internet Explorer default settings, verify that it is in the **Running** state, and choose **Connect**.

1. Log in to the image builder by doing either of the following:
   + If your image builder is not joined to an Active Directory domain, on the **Local User** tab, choose **Template User**.
   + If your image builder is joined to an Active Directory domain, choose the **Directory User** tab, enter the credentials for a domain user who does not have local administrator permissions on the image builder, and then choose **Log in**.

1. Open Internet Explorer and reset your settings by doing the following:

   1. In the upper right area of the Internet Explorer browser window, choose the **Tools** icon, then choose **Internet options**.

   1. Choose the **Advanced** tab, and then choose **Reset**.

   1. When prompted to confirm your choice, choose **Reset** again.

   1. When the **Reset Internet Explorer Settings** message is displayed, choose **Close**.

1. In the upper right area of the image builder desktop, choose **Admin Commands**, **Switch User**.   
![\[Admin Commands dropdown menu with Switch User option highlighted.\]](http://docs.aws.amazon.com/appstream2/latest/developerguide/images/admin-commands-switch-user.png)

1. This disconnects your current session and opens the login menu. Do either of the following: 
   + If your image builder is not joined to an Active Directory domain, on the **Local User** tab, choose **Administrator**.
   + If your image builder is joined to an Active Directory domain, choose the **Directory User** tab, and log in as a domain user who has local administrator permissions on the image builder.

1. On the image builder desktop, open Image Assistant.

1. Follow the required steps in Image Assistant to finish creating your image. For more information, see [Tutorial: Create a Custom WorkSpaces Applications Image by Using the WorkSpaces Applications Console](tutorial-image-builder.md).

## I need to persist environment variables across my fleet instances.
<a name="troubleshooting-persist-environment-variables"></a>

Environment variables enable you to dynamically pass settings across applications. You can make user environment variables and system environment variables available across your fleet instances. You can also create environment variables with limited scope, which is useful when you need to use the same environment variable with different values across different applications. For more information, see [Persist Environment Variables in Amazon WorkSpaces Applications](customize-fleets-persist-environment-variables.md).

## I want to change the default Internet Explorer home page for my users.
<a name="troubleshooting-change-homepage"></a>

You can use Group Policy to set the default home page in Internet Explorer for your users. You can also enable users to change the default page that you set. For more information, see [Change the Default Internet Explorer Home Page for Users' Streaming Sessions in Amazon WorkSpaces Applications](customize-fleets-change-ie-homepage.md).

## When my users end a streaming session and then start a new one, they see a message that says no streaming resources are available.
<a name="troubleshooting-no-resources-available-new-streaming-session"></a>

When a user ends a session, WorkSpaces Applications terminates the underlying instance and creates a new instance if needed to meet the desired capacity of the fleet. If a user tries to start a new session before WorkSpaces Applications creates the new instance and all other instances are in use, the user will receive an error stating that no streaming resources are available. If your users start and stop sessions frequently, consider increasing your fleet capacity. For more information, see [Fleet Auto Scaling for Amazon WorkSpaces Applications](autoscaling.md). Or, consider increasing the maximum session duration for your fleet and instructing your users to close their browser during periods of inactivity rather than ending their session.

# Troubleshooting Active Directory
<a name="troubleshooting-active-directory"></a>

The following are issues that might occur when you set up and use Active Directory with Amazon WorkSpaces Applications. For help troubleshooting notification codes, see [Troubleshooting Notification Codes](troubleshooting-notification-codes.md).

**Topics**
+ [

## My image builders and fleet instances are stuck in the PENDING state.
](#troubleshooting-active-directory-1)
+ [

## My users aren't able to log in with the SAML application.
](#troubleshooting-active-directory-2)
+ [

## My fleet instances work for one user but don't cycle correctly.
](#troubleshooting-active-directory-3)
+ [

## My user Group Policy objects aren't being successfully applied.
](#troubleshooting-active-directory-4)
+ [

## My WorkSpaces Applications streaming instances aren't joining the Active Directory domain.
](#troubleshooting-active-directory-5)
+ [

## User login is taking a long time to complete on a domain-joined streaming session.
](#troubleshooting-active-directory-6)
+ [

## My users can't access a domain resource in a domain-joined streaming session, but they can access the resource from a domain-joined image builder.
](#troubleshooting-active-directory-8)
+ [

## My users receive the error “Certificate-Based Authentication not available” and are prompted to enter their domain password. Or users receive the error “Disconnected from session” when they are starting a session enabled with certificate-based authentication.
](#troubleshooting-active-directory-9)
+ [

## I'm experiencing domain join failures after changing the Active Directory (AD) service account.
](#troubleshooting-active-directory-10)

## My image builders and fleet instances are stuck in the PENDING state.
<a name="troubleshooting-active-directory-1"></a>

Image builders and fleet instances can take up to 25 minutes to move into a ready state and become available. If your instances are taking longer than 25 minutes to become available, in Active Directory, verify whether new computer objects were created in the correct organizational units (OUs). If there are new objects, the streaming instances will be available soon. If the objects aren't there, check the directory configuration details in your WorkSpaces Applications Directory Config: Directory name (the fully qualified domain name of the directory, service account sign-in credentials, and the OU distinguished name. 

Image builder and fleet errors are displayed in the WorkSpaces Applications console on the **Notifications** tab for the fleet or image builder. Fleet errors are also available using the WorkSpaces Applications API through the [DescribeFleets](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_DescribeFleets.html) operation or the CLI command [describe-fleets](https://docs.aws.amazon.com/cli/latest/reference/appstream/describe-fleets.html).

## My users aren't able to log in with the SAML application.
<a name="troubleshooting-active-directory-2"></a>

WorkSpaces Applications relies on the SAML\$1Subject "NameID" attribute from your identity provider to populate the username field to log in your user. The username can either be formatted as "`domain\username`", or "`user@domain.com`". If you are using "`domain\username`" format, `domain` can either be the NetBIOS name or the fully qualified domain name. If using "`user@domain.com`" format, the UserPrincipalName attribute can be used. If you've verified your SAML\$1Subject attribute is configured correctly and the problem persists, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## My fleet instances work for one user but don't cycle correctly.
<a name="troubleshooting-active-directory-3"></a>

Fleet instances are cycled after a user completes a session, ensuring that each user has a new instance. When the cycled fleet instance is brought online, it joins the domain using the computer name of the previous instance. To ensure that this operation happens successfully, the service account requires **Change Password** and **Reset Password** permissions on the organizational unit (OU) to which the computer object is joining. Check the service account permissions and try again. If the problem persists, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## My user Group Policy objects aren't being successfully applied.
<a name="troubleshooting-active-directory-4"></a>

By default, computer objects apply computer-level policies based on the OU in which the computer object resides, while applying user-level policies based on the OU in which the user resides. If your user-level policies aren't being applied, you can do one of the following: 
+ Move the user-level policies to the OU in which the user Active Directory object resides
+ Enable computer-level loopback processing, which applies the user-level policies in the computer object OU. 

For more information, see [Loopback processing of Group Policy](https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy) at Microsoft Support.

## My WorkSpaces Applications streaming instances aren't joining the Active Directory domain.
<a name="troubleshooting-active-directory-5"></a>

The Active Directory domain to use with WorkSpaces Applications must be accessible through its fully qualified domain name (FQDN) through the VPC in which your streaming instances are launched.

**To test that your domain is accessible**

1. Launch an Amazon EC2 instance in the same VPC, subnet, and security groups that you use with WorkSpaces Applications.

1. Manually join the EC2 instance to your Active Directory domain by using the FQDN (for example, `yourdomain.example.com`) with the service account that you intend to use with WorkSpaces Applications. Use the following command in a Windows PowerShell console:

   ```
   netdom join computer /domain:FQDN /OU:path /ud:user /pd:password
   ```

   If this manual join fails, go to the next step.

1. If you cannot manually join to your domain, open a command prompt and verify that you can resolve the FQDN using the `nslookup` command. For example:

   ```
   nslookup yourdomain.exampleco.com
   ```

   Successful name resolution returns a valid IP address. If you are unable to resolve your FQDN, you might need to update your VPC DNS servers by using a DHCP option set for your domain. Then, come back to this step. For more information, see [DHCP Options Sets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) in the *Amazon VPC User Guide*.

1. If the FQDN resolves, use the `telnet` command to validate connectivity.

   ```
   telnet yourdomain.exampleco.com 389
   ```

   A successful connection shows a blank command prompt window without any connection errors. You might need to install the Telnet Client feature on your EC2 instance. For more information, see [Install Telnet Client](https://technet.microsoft.com/en-us/library/cc771275.aspx) in the Microsoft documentation.

If you were not able to manually join the EC2 instance to your domain, but were successful in resolving the FQDN and testing connectivity with the Telnet Client, your VPC security groups might be preventing access. Active Directory requires certain network port settings. For more information, see [Active Directory and Active Directory Domain Services Port Requirements](https://technet.microsoft.com/en-us/library/dd772723.aspx) in the Microsoft documentation.

## User login is taking a long time to complete on a domain-joined streaming session.
<a name="troubleshooting-active-directory-6"></a>

WorkSpaces Applications performs a Windows login action after users provide their domain password. After successful authentication, WorkSpaces Applications launches the application. The login and launch times are impacted by many variables, such as network contention for the domain controllers or the time it takes to apply Group Policy settings to the streaming instance. If domain authentication takes too long to complete, try performing the following actions.
+ Minimize the network latency from your WorkSpaces Applications Region to your domain controllers by choosing the correct domain controllers. For example, if your fleet is in `us-east-1`, use domain controllers with high bandwidth and low latency to `us-east-1` through Active Directory Sites and Services zone mappings. For more information, see [Active Directory Sites and Services](https://technet.microsoft.com/en-us/library/cc730868.aspx) in the Microsoft documentation.
+ Ensure that your Group Policy settings and user login scripts don't take prohibitively long to apply or run.

If your domain users' login to WorkSpaces Applications fails with the message "An unknown error occurred," you might need to update the Group Policy settings described in [Before You Begin Using Active Directory with Amazon WorkSpaces Applications](active-directory-prerequisites.md). Otherwise, these settings might prevent WorkSpaces Applications from authenticating and logging in your domain users.

## My users can't access a domain resource in a domain-joined streaming session, but they can access the resource from a domain-joined image builder.
<a name="troubleshooting-active-directory-8"></a>

Confirm that your fleet is created in the same VPC, subnets, and security groups as your image builder, and that your user has the permissions required to access and use the domain resource.

## My users receive the error “Certificate-Based Authentication not available” and are prompted to enter their domain password. Or users receive the error “Disconnected from session” when they are starting a session enabled with certificate-based authentication.
<a name="troubleshooting-active-directory-9"></a>

These errors occur if certificate-based authentication was unsuccessful for the session. The “Certificate-Based Authentication not available” error is displayed when certificate-based authentication is enabled to allow fallback to password logon. The “Disconnected from session” error is displayed when certificate-based authentication is enabled without fallback.

The user can refresh the page on the web client or reconnect from the client for Windows, as this may be an intermittent issue with certificate-based authentication. If the problem continues, certificate-based authentication failure can result from one of the following issues:
+ WorkSpaces Applications could not communicate with AWS Private CA, or AWS Private CA did not issue the certificate. Check CloudTrail to determine if a certificate was issued. For more information, see [What Is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html.html) and [Manage Certificate-based Authentication](certificate-based-authentication-manage.md).
+ The domain controller has no domain controller certificate for smart card logon, or it is expired. For more information, see step 7.a in [Prerequisites](certificate-based-authentication-prereq.md).
+ The certificate is not trusted. For more information, see step 7.c in [Prerequisites](certificate-based-authentication-prereq.md).
+ The userPrincipalName format for the SAML\$1Subject NameID is not formatted properly, or does not resolve to the actual domain for the user. For more information, see step 1 in [Prerequisites](certificate-based-authentication-prereq.md).
+ The (optional) ObjectSid attribute in your SAML assertion does not match the Active Directory security identifier (SID) for the user specified in the SAML\$1Subject NameID. Confirm that the attribute mapping is correct in your SAML federation, and that your SAML identity provider is synchronizing the SID attribute for the Active Directory user.
+ The WorkSpaces Applications agent does not support certificate-based authentication. Use WorkSpaces Applications agent version 10-13-2022 or later.
+ There are Group Policy settings that are modifying the default Active Directory settings for smart card logon, or taking action if a smart card is removed from a smart card reader. These settings may cause additional unexpected behavior other than the errors listed above. Certificate-based authentication presents a virtual smart card to the instance operating system, and removes it after logon is complete. For more information, see [Primary Group Policy settings for smart cards](https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#primary-group-policy-settings-for-smart-cards) and [Additional smart card Group Policy settings and registry keys](https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#additional-smart-card-group-policy-settings-and-registry-keys). Do not enable **Smart card sign in for Active Directory** in your stack if you want to use certificate-based authentication. For more information, see [Smart Cards](feature-support-USB-devices-qualified.md#feature-support-USB-devices-qualified-smart-cards).
+ The CRL distribution point for the private CA is not online or accessible from either the WorkSpaces Applications fleet instance or the domain controller. For more information, see step 5 in [Prerequisites](certificate-based-authentication-prereq.md).

Additional troubleshooting steps involve reviewing the WorkSpaces Applications instance Windows event logs. A common event to review for logon failure is [4625(F): An account failed to log on](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625). For more information about capturing log information, see [Persisting application and Windows event logs](https://docs.aws.amazon.com/whitepapers/latest/best-practices-for-deploying-amazon-appstream-2/monitoring.html#persisting-application-and-windows-event-logs). Alternatively, to troubleshoot an active WorkSpaces Applications session as an administrator, you can connect to the logs using an Event Viewer on another computer. For more information, see [How to Select Computers in Event Viewer](https://learn.microsoft.com/en-us/host-integration-server/core/how-to-select-computers-in-event-viewer1). Or ,you can connect by using Remote Desktop to connect to the instance private IP address from another computer that can connect to Remote Desktop Services in your WorkSpaces Applicationsvirtual private cloud (VPC). Use the AWS CLI to determine the IP address for the session based on the AWS Region, WorkSpaces Applications stack name, fleet name, user ID, and authentication type. For more information, see the [AWS Command Line Interface.](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/appstream/index.html#cli-aws-appstream)

If the problem persists, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## I'm experiencing domain join failures after changing the Active Directory (AD) service account.
<a name="troubleshooting-active-directory-10"></a>

If you have an existing fleet with an image based on the August 2024 [Microsoft Windows Server operating system update](https://learn.microsoft.com/en-us/windows-server/get-started/windows-server-release-info), and if you change your Active Directory (AD) service account for that fleet, your fleet instances might encounter domain join failures during provisioning.

Microsoft has released a patch [KB5020276](https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8), which modifies the behavior of domain join operations. WorkSpaces Applications reuses existing computer objects when joining your streaming instances to your AD domains. This computer object is generated using the AD service account that you provide when you create a fleet or Directory Config with WorkSpaces Applications. Prior to this Microsoft patch, new AD service accounts could reuse existing computer objects created by WorkSpaces Applications, as long as they had "Create Computer Object" permissions configured in the organizational unit (OU). 

When the Microsoft patch is enforced, starting on August 13, 2024, and if you change your AD service account for an existing WorkSpaces Applications fleet, the new service account will no longer be able to reuse the existing computer objects in the AD. This results in domain join failures on WorkSpaces Applications fleets, with one of the following error messages under fleet notifications:
+ DOMAIN\$1JOIN\$1INTERNAL\$1SERVICE\$1ERROR "The group name could not be found."
+ An account with the same name exists in Active Directory. Re-using the account was blocked by security policy

To control which account can reuse the existing computer objects, Microsoft has implemented a new Group Policy setting called **Domain controller: Allow computer account re-use during domain join**. This setting allows you to specify a list of trusted service accounts that bypass the check during the domain join operation. For your self-managed AD configuration, we recommend following the [Microsoft documented steps](https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8#bkmk_take_action) to add your AD service account to the new allow list policy, using Group Policies on a domain controller.

For Managed Active Directory (MAD), you must restart your WorkSpaces Applications fleet after you make changes to your WorkSpaces Applications domain join service account. 

If the problem persists, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

# Troubleshooting WorkSpaces Applications User Issues
<a name="troubleshooting-user-issues"></a>

## Enable advanced logging
<a name="troubleshooting-advanced-logging"></a>

To help troubleshoot issues that your users might experience, you can enable advanced logging on any WorkSpaces Applications client. Advanced logging generates log files that contain diagnostic information and debugging-level details, including verbose performance data.

**Note**  
To get an AWS review of advanced logging files, and receive technical support for issues with your WorkSpaces Applications clients, contact Support. For more information, see the [AWS Support Center Console](https://console.aws.amazon.com/support/home#/). 

### Enable advanced logging for web access
<a name="troubleshooting-advanced-logging-web"></a>

If users are using SAML, User Pool, or have access to the Application Catalogue page, follow these steps:

1. Load the catalog page.

1. Open **Developer tools** and choose the **Console** tab.

1. In the browser console, enter **window.siteConfig.logLevel = "INFO"** and choose **Enter**.

1. Launch the application, and you should see **Logging** on the **Console** tab.

1. Reproduce the issue.

1. Right-click on the **Console** tab and choose **Save all Messages to File**.

### Enable advanced logging for Windows clients
<a name="troubleshooting-advanced-logging-windows"></a>

To enable advanced logging for Windows clients, follow these steps:

1. On the client machine, go to `%localappdata%\AppStreamClient\app-<versionID>`.

1. Open `Log4Net.config` in Notepad.

1. Change the root level of logging from **INFO** to **DEBUG**.

1. Save the file.

1. Restart the WorkSpaces Applications Client and try connecting again.

1. Gather the logs from `C:\Users\%USERNAME%\AppData\Local\Amazon\AppStreamClient\'` by zipping the complete folder.

The following are specific issues that might occur for your users when they use WorkSpaces Applications.

**Topics**
+ [

## Enable advanced logging
](#troubleshooting-advanced-logging)
+ [

## My users' WorkSpaces Applications client installations fail, and they're getting a message stating that .NET Framework 4.6 is required.
](#troubleshooting-client-no-internet-net-framework-462-fails)
+ [

## My users' USB driver installations fail when they install the WorkSpaces Applications client, and now they can't use their USB devices with WorkSpaces Applications.
](#troubleshooting-client-no-internet-usb-driver-install-fails)
+ [

## My WorkSpaces Applications client users are getting disconnected from their WorkSpaces Applications session after every 60 minutes.
](#troubleshooting-client-users-disconnected-every-60-minutes)
+ [

## My users can’t copy and paste between their local device and their streaming session.
](#copy-paste-doesnt-work)
+ [

## Some keyboard shortcuts aren’t working for users during their streaming sessions.
](#keyboard-shortcuts-dont-work)
+ [

## My users' drawing tablets are not working with the streaming applications I deployed.
](#troubleshooting-client-users-drawing-tablets-not-working)
+ [

## The Japanese language input method doesn't work for my users during their streaming sessions
](#japanese-language-input-method-doesnt-work-for-users)
+ [

## My user sees an error about reaching the max number of streaming sessions when they try to launch an application from the application catalog.
](#troubleshooting-max-sessions)
+ [

## My user sees a black screen or the desktop, and their application doesn’t launch on an Elastic fleet. No error appears.
](#troubleshooting-black-screen)

## My users' WorkSpaces Applications client installations fail, and they're getting a message stating that .NET Framework 4.6 is required.
<a name="troubleshooting-client-no-internet-net-framework-462-fails"></a>

When users install the WorkSpaces Applications client, WorkSpaces Applications also installs .NET Framework version 4.6.2, if that version or a later version is not already installed. If the PC on which the client is being installed is not connected to the internet, .NET Framework can't be installed. In this case, a message prompts users to install .NET Framework version 4.6 manually. However, when users choose **Install**, an error message is displayed stating that the installation failed. Users are then prompted to try installing the latest version of the .NET Framework manually. When they choose **Close**, they exit the installation.

To resolve this issue, users must establish an internet connection from the PC on which they plan to install the client, and then download and install .NET Framework version 4.6.2 or later on the same PC. For a list of the .NET Framework versions available for download, see [Download .NET Framework](https://dotnet.microsoft.com/download/dotnet-framework).

**Note**  
Users who have version 1.1.156 of the WorkSpaces Applications client installed must have .NET Framework version 4.7.2 or later installed on the same PC.

## My users' USB driver installations fail when they install the WorkSpaces Applications client, and now they can't use their USB devices with WorkSpaces Applications.
<a name="troubleshooting-client-no-internet-usb-driver-install-fails"></a>

When users install the WorkSpaces Applications client, they choose whether to install the WorkSpaces Applications USB driver. The driver is required to use USB devices with applications streamed through WorkSpaces Applications. However, the USB driver installation fails if both of the following occur:
+ The root certificate used to sign the `AppStreamUsbDriver.exe` file is not present in the Windows certificate store.
+ The PC on which the client is being installed is not connected to the internet. 

In this case, the certificate for the Amazon AppStream USB driver can't be validated, and an error message notifies users that the USB driver installation failed. When users choose **OK**, the WorkSpaces Applications client installation is completed without the USB driver. Although users can still use the WorkSpaces Applications client for application streaming, their USB devices won't work with applications streamed through WorkSpaces Applications. 

To resolve this issue, users must establish an internet connection from the PC on which they plan to install the WorkSpaces Applications client, and reinstall the client.

## My WorkSpaces Applications client users are getting disconnected from their WorkSpaces Applications session after every 60 minutes.
<a name="troubleshooting-client-users-disconnected-every-60-minutes"></a>

If you have configured identity federation using SAML 2.0 for access to WorkSpaces Applications, depending on your identity provider (IdP), you may need to configure the information that the IdP passes as SAML attributes to AWS as part of the authentication response. This includes configuring the **Attribute** element with the `SessionDuration` attribute set to `https://aws.amazon.com/SAML/Attributes/SessionDuration`.

`SessionDuration` specifies the maximum amount of time that a federated streaming session for a user can remain active before reauthentication is required. Although `SessionDuration` is an optional attribute, we recommend that you include it in the SAML authentication response. If you do not specify this attribute, the session duration is set to a default value of 60 minutes.

To resolve this issue, configure your SAML-compatible IdP to include the `SessionDuration` value in the SAML authentication response, and set the value as required. For more information, see [Step 5: Create Assertions for the SAML Authentication Response](external-identity-providers-setting-up-saml.md#external-identity-providers-create-assertions).

**Note**  
If your users access their streaming applications in WorkSpaces Applications by using the WorkSpaces Applications native client or by using the web browser on the new experience, their sessions are disconnected after their session duration expires. If your users access their streaming applications in WorkSpaces Applications by using a web browser on the old/classic experience, after the users' session duration expires and they refresh their browser page, their sessions are disconnected.

If your users sign in to the new portal experience with a SAML-compatible IdP, and they continue to have random disconnections, it might be due to the session cookies used by the WorkSpaces Applications session being invalidated by other web applications using `aws.amazon.com` as a subdomain. The following are common user scenarios:
+ If a user initiates a new WorkSpaces Applications session in the same browser, the existing WorkSpaces Applications session will be disconnected.
+ If a user initiates any other web applications in the same browser, resulting in a new user authentication under the `aws.amazon.com` domain, the existing WorkSpaces Applications session will be disconnected.
+ If a user signs into an AWS Management Console with new IAM credentials in the same browser, the existing WorkSpaces Applications session will be disconnected.

You can resolve this issue by using the new relay state endpoints to configure your SAML 2.0 federation, and by using the WorkSpaces Applications client version 1.1.1300 and later. For more information, see Table 1 on [Step 6: Configure the Relay State of Your Federation](external-identity-providers-setting-up-saml.md#external-identity-providers-relay-state).

## My users can’t copy and paste between their local device and their streaming session.
<a name="copy-paste-doesnt-work"></a>

WorkSpaces Applications takes advantage of the [W3C specification](https://www.w3.org/TR/2017/WD-clipboard-apis-20170929/) for enabling asynchronous clipboard operations in web applications. This enables users to copy and paste content between their local device and their streaming session in the same ways that they copy and paste between applications on their local device, including using keyboard shortcuts. 

The only browser that currently supports the W3C asynchronous clipboard specification is Google Chrome version 66 or later, which supports copying and pasting only for text. For all other browsers, users can use the clipboard feature in the WorkSpaces Applications web portal, which provides a dialog box for copying or pasting text.

If your users run into issues using the clipboard during their streaming sessions, you can provide them with the following information: 
+ **I’m using Chrome version 66 or later, and keyboard shortcuts aren’t working.** 

  Chrome displays a prompt for you to choose whether to allow WorkSpaces Applications to access content copied to the clipboard. Choose **Allow** to enable pasting to your remote session. If you’re copying text from your remote session to your local device, both the Chrome application and the tab containing your streaming session must stay in focus on your local device long enough for the text to be copied from your streaming session. Small amounts of text should be copied almost immediately, but for large amounts of text, you might need to wait 1 to 2 seconds before switching away from Chrome or from the tab containing your streaming session. The time required to copy the text varies based on network conditions.
+ **Copying and pasting doesn’t work when I try to copy and paste a large amount of text.**

  WorkSpaces Applications has a default limit of 20 MB for the amount of text that you can copy and paste between your local device and your streaming session. If you try to copy more than 20 MB, no text is copied. However, the text will be truncated if your admin set a limit and you go beyond that limit. This limit doesn’t apply if you try to copy and paste text between applications on your local device or between applications in your streaming session. Administrators can also limit the number of characters that you copy/paste in/out of your streaming sessions. If you need to copy or paste text more than 20 MB or the specified limit between your local device and your streaming session, you can divide it into smaller chunks or upload it as a file instead.
+ **I’m using the WorkSpaces Applications web portal clipboard feature to paste text to my streaming session and it’s not working.**

  In some cases, after you paste text into the clipboard dialog box and the dialog box closes, nothing happens when you try to use keyboard shortcuts to paste the text in your streaming session. This issue occurs because when the clipboard dialog box appears, it takes the focus away from your streaming application. After the dialog box closes, the focus might not automatically return to your streaming application. Clicking your streaming application should return the focus to it and enable you to use keyboard shortcuts to paste your text into your streaming session.

## Some keyboard shortcuts aren’t working for users during their streaming sessions.
<a name="keyboard-shortcuts-dont-work"></a>

The following keyboard shortcuts work on users' local computers, but are not passed to WorkSpaces Applications streaming sessions:

Windows:
+ Win\$1L
+ Ctrl\$1Alt\$1Del

Mac:
+ Ctrl\$1F3 
+ All shortcuts that use Alt or Option key combinations

This issue is due to the following limitations on users’ local computers:
+ The keyboard shortcuts are filtered by the operating system that is running on users’ local computers and not propagated to the browsers on which users are accessing WorkSpaces Applications. This behavior applies to the Windows Win\$1L and Ctrl\$1Alt\$1Del keyboard shortcuts and Mac Ctrl\$1F3 keyboard shortcut.
+ When used with web applications, some keyboard shortcuts are filtered by the browser and don’t generate an event for the web applications. As a result, the web applications can’t respond to the keyboard shortcuts typed by users. 
+ The keyboard shortcuts are translated by the browser before a keyboard event is generated and so are not translated correctly. For example, Alt key combinations and Option key combinations on Mac computers are translated as if they are Alt Graph key combinations on Windows. When this occurs, the results are not as the users intend when they use these key combinations. 

## My users' drawing tablets are not working with the streaming applications I deployed.
<a name="troubleshooting-client-users-drawing-tablets-not-working"></a>

If your users' drawing tablets are not working with streaming applications, make sure that you meet the requirements and understand additional considerations for enabling this feature. Following are the requirements and considerations for enabling your users to use drawing tablets during WorkSpaces Applications streaming sessions. 

**Note**  
Drawing tablets are supported for users who access WorkSpaces Applications by using the WorkSpaces Applications client, or through a supported web browser.
+ To enable your users to use this feature, you must configure your WorkSpaces Applications fleet to use an image that runs Windows Server 2019.
+ To use this feature, users must access WorkSpaces Applications by using the WorkSpaces Applications client, or through the Google Chrome or Mozilla Firefox browsers only.
+ Streaming applications must support Windows Ink technology. For more information, see [Pen interactions and Windows Ink in Windows apps](https://docs.microsoft.com/en-us/windows/uwp/design/input/pen-and-stylus-interactions).
+ Some applications, such GIMP, must detect drawing tablets on the streaming instance to support pressure sensitivity. If this is the case, your users must use the WorkSpaces Applications client to access WorkSpaces Applications and stream these applications. In addition, you must qualify your users' drawing tablets, and users must share their drawing tablets with WorkSpaces Applications every time they start a new streaming session.
+ This feature is not supported on Chromebooks.

## The Japanese language input method doesn't work for my users during their streaming sessions
<a name="japanese-language-input-method-doesnt-work-for-users"></a>

To enable your users to use the Japanese language input method during their WorkSpaces Applications streaming sessions, do the following:
+ Configure your fleet to use the Japanese input method. To do so, enable the Japanese input method on your image builder when you create an image, and then configure your fleet to use the image. For more information, see [Specify a Default Input Method](configure-default-input-method.md). Doing so enables WorkSpaces Applications to automatically configure your image to use a Japanese keyboard. For more information, see [Japanese Keyboards](special-considerations-japanese-language-settings.md#special-considerations-japanese-language-keyboards).
+ Ensure that the Japanese input method is also enabled on the user's local computer. 

If the fleet instance and the user’s local computer don't use the same language input method, the mismatch might result in unexpected keyboard inputs on the fleet instance during the user’s streaming sessions. For example, if the fleet instance uses the Japanese input method and the user’s local computer uses the English input method, during a streaming session, the local computer will send keys to the fleet instance that have different key mappings than the fleet instance. 

To verify whether the Japanese input method is enabled for a fleet instance, enable the **Desktop** stream view for the fleet. For more information, see Step 6 in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md).

### Windows Keyboard Shortcuts
<a name="japanese-language-input-method-windows-keyboard-shortcuts"></a>

Following are Windows keyboard shortcuts for switching Japanese input modes and for Japanese conversions. For these keyboard shortcuts to work, the WorkSpaces Applications streaming session must be active.

**Windows keyboard shortcuts for switching Japanese input modes**


| Keyboard shortcut | Description | 
| --- | --- | 
|  半角/全角/漢字 (Hankaku/Zenkaku/Kanji) Or Alt\$1`  |  Switches the input mode between alphanumeric and Japanese mode  | 
|  無変換 (Muhenkan)  |  Converts characters to Hiragana, full-width Katakana, and half-width Katakana in sequence  | 
|  カタカナ/ひらがな/ローマ字 (Katakana/Hiragana/Romaji)  |  Changes the input mode to Hiragana  | 
|  Shift\$1カタカナ/ひらがな/ローマ字 (Katakana/Hiragana/Romaji)  |  Changes the input mode to Katakana  | 
|  Alt\$1カタカナ/ひらがな/ローマ字  (Katakana/Hiragana/Romaji)  |  Switches the input mode between Japanese Romaji and Japanese Kana  | 

**Windows keyboard shortcuts for Japanese conversions**


| Keyboard shortcut | Description | 
| --- | --- | 
|  変換 (Henkan) \$1 Space  |  Lists conversion options  | 
|  F6  |  Converts to Hiragana  | 
|  F7  |  Converts to full-width Katakana  | 
|  F8  |  Converts to half-width Katakana  | 
|  F9  |  Converts to full-width Romaji  | 
|  F10  |  Converts to half-width Romaji  | 

### Mac Keyboard Shortcuts
<a name="japanese-language-input-method-mac-keyboard-shortcuts"></a>

For information about Mac keyboard shortcuts for switching Japanese input methods and for Japanese conversions, see the following articles in the Mac Support documentation.

**Note**  
Because WorkSpaces Applications streaming sessions run on Windows instances, Mac users might experience different key mappings.
+ Keyboard shortcuts for switching Japanese input methods — [Set up and switch to a Japanese input source on Mac](https://support.apple.com/guide/japanese-input-method/set-up-and-switch-to-japanese-jpim10267/mac)
+ Keyboard short link cuts for Japanese conversions — [Keyboard shortcuts for Japanese conversions on Mac](https://support.apple.com/guide/japanese-input-method/keyboard-shortcuts-jpim10263/6.2.1/mac)

## My user sees an error about reaching the max number of streaming sessions when they try to launch an application from the application catalog.
<a name="troubleshooting-max-sessions"></a>

With WorkSpaces Applications Elastic fleets, you specify a maximum number of users that can stream concurrently using the max concurrency parameter. Any user that tries to stream beyond that value receives this error. To resolve this issue, you can increase the maximum number of concurrent streams, or advise your user to wait for another user to complete their streaming session.

**Note**  
You might need to request a limit increase to increase the instance type and size limit.

## My user sees a black screen or the desktop, and their application doesn’t launch on an Elastic fleet. No error appears.
<a name="troubleshooting-black-screen"></a>

This can happen if the application launch path is incorrect, and AppStream 2.0 can't launch the application. You can validate the application launch path by using Desktop View on the fleet to navigate the root volume. Validate that the application executable exists at the path specified.

If you're not able to find the app block's VHD or setup script on the streaming instance, AppStream 2.0 might not have been able to download them from the S3 bucket. Validate that the VPC you specified has access to S3. For more information, see [Using Amazon S3 VPC Endpoints for WorkSpaces Applications Features](managing-network-vpce-iam-policy.md).

# Troubleshooting Persistent Storage Issues
<a name="troubleshooting-persistent-storage"></a>

Amazon WorkSpaces Applications supports the following options for persistent storage: Home folders, Google Drive for G Suite, and OneDrive for Business. Because content synchronization behaviors are consistent across these persistent storage solutions, we recommend that you review [Home Folder Content Synchronization](home-folders-content-synchronization.md) for information about expected behavior.

The following are issues that might occur when you or your users use WorkSpaces Applications persistent storage. 

**Topics**
+ [

## My stack's home folders aren't working correctly.
](#troubleshooting-s3-failures)
+ [

## My users can't access their home folder directory from one of our applications.
](#alternate-path-accessing-home-folders)
+ [

## My users receive a “Device is not ready” error message when they access their home folder from one of our applications.
](#alternate-path-accessing-home-folders)
+ [

## I removed or replaced a file in a user’s home folder in Amazon S3, but my users don’t see the changes in their home folder on the fleet instance during their streaming sessions.
](#removed-replaced-folder-in-s3-users-dont-see-changes-on-fleet-instance)
+ [

## Persistent storage isn't performing as expected. My users' files are taking longer than expected to save to persistent storage.
](#troubleshooting-persistent-storage-applications-take-long-time-to-save-to-home-folder)
+ [

## My users are getting errors that files are already in use when their files are not in use.
](#troubleshooting-persistent-storage-application-errors-files-already-in-use)
+ [

## When a folder contains thousands of files, WorkSpaces Applications might take a long time to display the list of files.
](#troubleshooting-persistent-storage-delay-listing-thousands-of-files-in-folder)

## My stack's home folders aren't working correctly.
<a name="troubleshooting-s3-failures"></a>

Problems with home folder backup to an S3 bucket can occur in the following scenarios:
+ There is no internet connectivity from the streaming instance, or there is no access to the private Amazon S3 VPC endpoint, if applicable.
+ Network bandwidth consumption is too high. For example, multiple large files are being downloaded or streamed by the user while the service is trying to back up a home folder that contains large files to Amazon S3.
+ A file is larger than 5 GB.
+ An administrator deleted the bucket created by the service.
+ An administrator incorrectly edited the Amazon S3 permissions for the `AmazonAppStreamServiceAccess` service role.

For more information, see the [Amazon Simple Storage Service User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/).

## My users can't access their home folder directory from one of our applications.
<a name="alternate-path-accessing-home-folders"></a>

Some applications do not recognize the redirect that displays the home folder as a top-level folder in File Explorer. If this is the case, your users can access their home folder from within an application during a streaming session by choosing **File Open** from the application interface and browsing to either of the following directories: 
+ Non-domain-joined Windows instances: C:\$1Users\$1PhotonUser\$1My Files\$1Home Folder
+ Domain-joined Windows instances: C:\$1Users\$1%username%\$1My Files\$1Home Folder
+ Linux instances: \$1/MyFiles/HomeFolder

## My users receive a “Device is not ready” error message when they access their home folder from one of our applications.
<a name="alternate-path-accessing-home-folders"></a>

Persistent storage mounting happens after a user logs in, and it can take several seconds. A “Device is not ready” error can happen if your application is trying to access the files from the home folder before persistent storage mounting is complete. We recommend that you try again after waiting for a few minutes.

To avoid this issue, you can use session scripts and monitor the storage mounting status. Then, start the streaming session after mounting is complete. This also improves your end-users’ experience. For more information, see [Use Session Scripts to Manage Your Amazon WorkSpaces Applications Users' Streaming Experience](use-session-scripts.md).

## I removed or replaced a file in a user’s home folder in Amazon S3, but my users don’t see the changes in their home folder on the fleet instance during their streaming sessions.
<a name="removed-replaced-folder-in-s3-users-dont-see-changes-on-fleet-instance"></a>

Differences between content that is stored in a user’s home folder in an S3 bucket and content that is available to a user on a fleet instance during their streaming sessions may be due to the way in which home folder content stored in Amazon S3 buckets is synchronized with home folder content stored on AppStream 2.0 fleet instances. 

At the beginning of a user’s WorkSpaces Applications streaming session, WorkSpaces Applications catalogs the user’s home folder files stored in the Amazon S3 bucket for your Amazon Web Services account and Region. When a user uses a streaming application to open a file in their home folder on their fleet instance, AppStream 2.0 downloads the file to the fleet instance. 

Changes that a user makes to files on a fleet instance during their active streaming session are uploaded to their home folder in the S3 bucket every few seconds, or at the end of the user’s streaming session. 

If a user opens a file in their home folder on a fleet instance during a streaming session and then closes the file without making any changes or saving the file, and you remove the file from that user’s home folder in an S3 bucket during the streaming session, the file is removed from the fleet instance if the user refreshes the folder. If the user modifies the file and saves the file locally, the file remains available to the user on the fleet instance during their current streaming session. The file is also uploaded to the S3 bucket again. However, the file may or may not be available to the user on the fleet instance during their next streaming session. 

The availability of the file on the fleet instance during a user’s next streaming session depends on whether the user changed the file on the fleet instance before or after you changed the file in the S3 bucket.

For more information, see [Home Folder Content Synchronization](home-folders-content-synchronization.md).

## Persistent storage isn't performing as expected. My users' files are taking longer than expected to save to persistent storage.
<a name="troubleshooting-persistent-storage-applications-take-long-time-to-save-to-home-folder"></a>

During WorkSpaces Applications streaming sessions, saving large files and directories associated with compute-intensive applications to persistent storage can take longer than saving files and directories required for basic productivity applications. For example, it might take longer for applications to save a large amount of data or frequently modify the same files than it would to save files created by applications that perform a single write action. It might also take longer to save many small files.

If your users save files and directories associated with compute-intensive applications and WorkSpaces Applications persistent storage options aren't performing as expected, we recommend that you use a Server Message Block (SMB) solution such as Amazon FSx for Windows File Server or an AWS Storage Gateway file gateway. Following are examples of files and directories associated with compute-intensive applications that are more suitable for use with these SMB solutions:
+ Workspace folders for integrated development environments (IDEs)
+ Local database files
+ Scratch space folders created by graphics simulation applications

For more information, see:
+  [https://docs.aws.amazon.com/fsx/latest/WindowsGuide/what-is.html](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/what-is.html)
+ [Using Amazon FSx with Amazon WorkSpaces Applications ](https://aws.amazon.com/blogs/desktop-and-application-streaming/using-amazon-fsx-with-amazon-appstream-2-0/)
+ [File gateways](https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html#file-gateway-concepts) in the *AWS Storage Gateway User Guide*

**Note**  
Before proceeding with further troubleshooting, first ensure that the issue your users are experiencing with saving files and directories is associated with WorkSpaces Applications persistent storage only, and not another cause. To rule out other causes, have your users try saving the files or directories to the Temporary Files directory that is available on their streaming instance.

## My users are getting errors that files are already in use when their files are not in use.
<a name="troubleshooting-persistent-storage-application-errors-files-already-in-use"></a>

This behavior is typically occurs in the following cases:
+ When users' files are still being uploaded after the files were last saved 
+ Files that are modified frequently (for example, database files)

Large file uploads might take significant time. Also, each attempt to upload the file might result in another file update, which can lead to repeated file upload attempts.

To resolve this issue, we recommend that you use a Server Message Block (SMB) solution such as Amazon FSx for Windows File Server or an AWS Storage Gateway file gateway. For more information, see:
+  [https://docs.aws.amazon.com/fsx/latest/WindowsGuide/what-is.html](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/what-is.html)
+ [Using Amazon FSx with Amazon WorkSpaces Applications ](https://aws.amazon.com/blogs/desktop-and-application-streaming/using-amazon-fsx-with-amazon-appstream-2-0/)
+ [File gateways](https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html#file-gateway-concepts) in the *AWS Storage Gateway User Guide*

## When a folder contains thousands of files, WorkSpaces Applications might take a long time to display the list of files.
<a name="troubleshooting-persistent-storage-delay-listing-thousands-of-files-in-folder"></a>

WorkSpaces Applications uses API calls to retrieve the content of folders that are stored in WorkSpaces Applications persistent storage. There is a limit to the number of items that an API call can retrieve each time the call runs. For this reason, if WorkSpaces Applications must retrieve thousands of files in a single folder, it might take more time to display the list of all the files than it would to display the list of files in a folder that contains fewer files.

To resolve this issue, if you have thousands of files in one folder, we recommend that you divide this content into groups of fewer files and store each group in a different folder. Doing so reduces the number of API calls that are required to display the list of files in each folder. 

# Troubleshooting Notification Codes
<a name="troubleshooting-notification-codes"></a>

The following are notification codes and resolution steps for notifications that you might see when you set up and use Amazon WorkSpaces Applications. These notifications can be found in the **Notifications** tab in the WorkSpaces Applications console, after selecting an image builder or fleet. You can also get fleet notifications by using the WorkSpaces Applications API operation [DescribeFleets](https://docs.aws.amazon.com/appstream2/latest/APIReference/API_DescribeFleets.html) or the [describe-fleets](https://docs.aws.amazon.com/cli/latest/reference/appstream/describe-fleets.html) CLI command.

## Active Directory Internal Service
<a name="troubleshooting-notification-codes-ad-internal"></a>

Follow these steps if you receive an internal service error when you set up and use Active Directory with Amazon WorkSpaces Applications. 

**INTERNAL\$1SERVICE\$1ERROR**  
**Message**: The user name or password is incorrect.  
**Resolution**: This error might occur when the computer object that was created in the Microsoft Active Directory domain for the resource was deleted or disabled. You can resolve this error by enabling the computer object in the Active Directory domain, and then starting the resource again. You might also need to reset the computer object account in the Active Directory domain. If you continue to encounter this error, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## Active Directory Domain Join
<a name="troubleshooting-notification-codes-ad"></a>

The following are notification codes and resolution steps for issues with domain join that you might encounter when you set up and use Active Directory with Amazon WorkSpaces Applications. 

**DOMAIN\$1JOIN\$1ERROR\$1ACCESS\$1DENIED**  
**Message**: Access is denied.  
**Resolution**: The service account specified in the directory configuration does not have permissions to create the computer object or reuse an existing one. Validate the permissions and start the image builder or fleet. For more information, see [Granting Permissions to Create and Manage Active Directory Computer Objects](active-directory-permissions.md).

**DOMAIN\$1JOIN\$1ERROR\$1LOGON\$1FAILURE**  
**Message**: The username or password is incorrect.  
**Resolution**: The service account specified in the directory configuration has an invalid username or password. Update the configuration and re-create the image builder or fleet that had the error.

**DOMAIN\$1JOIN\$1NERR\$1PASSWORD\$1EXPIRED**  
**Message**: The password of this user has expired.  
**Resolution**: The password for the service account specified in the WorkSpaces Applications directory configuration has expired. Change the password for the service account in your Active Directory domain, update the configuration, and then re-create the image builder or fleet that had the error.

**DOMAIN\$1JOIN\$1ERROR\$1DS\$1MACHINE\$1ACCOUNT\$1QUOTA\$1EXCEEDED**  
**Message**: Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.  
**Resolution**: The service account specified on the directory configuration does not have permissions to create the computer object or reuse an existing one. Validate the permissions and start the image builder or fleet. For more information, see [Granting Permissions to Create and Manage Active Directory Computer Objects](active-directory-permissions.md).

**DOMAIN\$1JOIN\$1ERROR\$1INVALID\$1PARAMETER**  
**Message**: A parameter is incorrect. This error is returned if the `LpName` parameter is NULL or the `NameType` parameter is specified as `NetSetupUnknown` or an unknown nametype.  
**Resolution**: This error can occur when the distinguished name for the OU is incorrect. Validate the OU and try again. If you continue to encounter this error, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**DOMAIN\$1JOIN\$1ERROR\$1MORE\$1DATA**  
**Message**: More data is available.  
**Resolution**: This error can occur when the distinguished name for the OU is incorrect. Validate the OU and try again. If you continue to encounter this error, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**DOMAIN\$1JOIN\$1ERROR\$1NO\$1SUCH\$1DOMAIN**  
**Message**: The specified domain either does not exist or could not be contacted.  
**Resolution**: The streaming instance was unable to contact your Active Directory domain. To ensure network connectivity, confirm your VPC, subnet, and security group settings. For more information, see [My WorkSpaces Applications streaming instances aren't joining the Active Directory domain.](troubleshooting-active-directory.md#troubleshooting-active-directory-5)

**DOMAIN\$1JOIN\$1NERR\$1WORKSTATION\$1NOT\$1STARTED**  
**Message**: The Workstation service has not been started.  
**Resolution**: An error occurred starting the Workstation service. Ensure that the service is enabled in your image. If you continue to encounter this error, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**DOMAIN\$1JOIN\$1ERROR\$1NOT\$1SUPPORTED**  
**Message**: The request is not supported. This error is returned if a remote computer was specified in the `lpServer` parameter and this call is not supported on the remote computer.  
**Resolution**: Contact AWS Support for assistance. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**DOMAIN\$1JOIN\$1ERROR\$1FILE\$1NOT\$1FOUND**  
**Message**: The system cannot find the file specified.  
**Resolution**: This error occurs when an invalid organizational unit (OU) distinguished name is provided. The distinguished name must start with **OU=**. Validate the OU distinguished name and try again. For more information, see [Finding the Organizational Unit Distinguished Name](active-directory-oudn.md).

**DOMAIN\$1JOIN\$1INTERNAL\$1SERVICE\$1ERROR**  
**Message**: The account already exists.  
**Resolution**: This error can occur in the following scenarios:  
+ If the issue isn't permissions-related, check the Netdom logs for errors and make sure that you provided the correct OU.
+ The service account specified in the directory configuration does not have permissions to create the computer object or reuse an existing one. If this is the case, validate the permissions and start the image builder or fleet. For more information, see [Granting Permissions to Create and Manage Active Directory Computer Objects](active-directory-permissions.md).
+ After WorkSpaces Applications creates the computer object, it is moved from the OU in which it was created. In this case, the first image builder or fleet is created successfully, but any new image builder or fleet that uses the computer object fails. When Active Directory searches for the computer object in the specified OU and detects that an object with the same name exists elsewhere in the domain, the domain join is not successful. 
+ The name of the OU specified in the WorkSpaces Applications Directory Config includes spaces before or after the commas in the directory configuration. In this case, when a fleet or image builder attempts to rejoin the Active Directory domain, WorkSpaces Applications cannot cycle the computer objects correctly and the domain rejoin does not succeed. To resolve this issue for a fleet, do the following:

  1. Stop the fleet.

  1. Edit the Active Directory domain settings for the fleet to remove the Directory Config and Directory OU to which the fleet is joined. For more information, see [Step 3: Create a Domain-Joined Fleet](active-directory-directory-setup.md#active-directory-setup-fleet).

  1. Update the WorkSpaces Applications Directory Config to specify an OU that doesn't contain spaces. For more information, see [Step 1: Create a Directory Config Object](active-directory-directory-setup.md#active-directory-setup-config).

  1. Edit the Active Directory domain settings for the fleet to specify the Directory Config with the updated Directory OU.

  To resolve this issue for an image builder, do the following:

  1. Delete the image builder.

  1. Update the WorkSpaces Applications Directory Config to specify an OU that doesn't contain spaces. For more information, see [Step 1: Create a Directory Config Object](active-directory-directory-setup.md#active-directory-setup-config).

  1. Create a new image builder and specify the Directory Config with the updated Directory OU. For more information, see [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md).

## Image Internal Service
<a name="troubleshooting-notification-codes-image"></a>

If you receive an internal service error after you use managed WorkSpaces Applications image updates to initiate an image update, follow these steps.

**INTERNAL\$1SERVICE\$1ERROR**  
**Message**: WorkSpaces Applications could not update image *image-name*. Failed to update/install/configure/disable <software name>. Check your source image and try again. If this problem persists, contact AWS Support.  
**Resolution**: This error can occur when there is an issue with the source image. Try to update the image again.  
If updating again doesn't work, make sure that you're using the latest version of SSM Agent. For version information, see [WorkSpaces Applications Base Image and Managed Image Update Release Notes](base-image-version-history.md). For installation information, see [Manually install SSM Agent on EC2 instances for Windows Server](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-win.html).   
If the error continues to occur, launch an image builder from the image. For more information, see [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md). If you can't launch image builder from the image, there is another issue with the image that needs to be resolved before you can use managed AppStream 2.0 image updates to update the image. If you continue to encounter this error, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## Session Provisioning
<a name="troubleshooting-notification-codes-session-provisioning"></a>

The following are notification codes and resolution steps for issues with session provisioning that you might encounter when your end users try to provision the streaming session. 

**Note**  
"X" below equals the number of sessions that encountered a given error code.

**USER\$1PROFILE\$1MOUNTING\$1FAILURE**  
**Message**: X session(s) encountered user profile mounting failures.   
**Resolution**: To troubleshoot this issue, check if any user profiles have been corrupted or if any third party processes on instance are interfering with user profile mounting. If you continue to encounter this error, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**USER\$1PROFILE\$1DOWNLOADING\$1FAILURE**  
**Message**: X session(s) encountered user profile downloading failures.  
**Resolution**: To troubleshoot this issue, check your network configuration. If you continue to encounter this error, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**HOME\$1FOLDER\$1MOUNTING\$1FAILURE**  
**Message**: X session(s) encountered home folder mounting failures.  
**Resolution**: To troubleshoot this issue, check your network configuration. If you continue to encounter this error, contact AWS Support. For more information, see [AWS Support Center](https://console.aws.amazon.com/support/home#/).