Bring Your Own Windows desktop licenses in WorkSpaces
If your licensing agreement with Microsoft allows it, you can bring and deploy your Windows 10 or 11
desktop on your WorkSpaces. To do this, you must enable Bring Your Own License (BYOL)
and provide a Windows 10 or 11 license that meets the requirements below. For more information about
using Microsoft software on AWS, see Amazon Web Services and Microsoft.
To stay compliant with Microsoft licensing terms, AWS runs your BYOL WorkSpaces
on hardware that is dedicated to you in the AWS Cloud. By bringing your own license, you can
provide a consistent experience for your users. For more information, see WorkSpaces Pricing.
Important
Image creation is not supported on Windows 10 or 11 systems that have been upgraded from one version of Windows 10 or 11 to a newer version of Windows 10 or 11 (a Windows feature/version upgrade). However, Windows cumulative or security updates are supported by the WorkSpaces image-creation process.
Windows versions supported for BYOL
Your VM must run one of the following Windows versions:
- Windows 10 Version 22H2 (November 2022 Update)
- Windows 10 Enterprise LTSC 2019 (1809)
- Windows 10 Enterprise LTSC 2021 (21H2)
- Windows 11 Enterprise 23H2 (October 2023 release)
- Windows 11 Enterprise 22H2 (October 2022 release)
All supported OS versions support all of the compute types available in the AWS Region where you're using WorkSpaces. Versions of Windows that are no longer supported by Microsoft are not guaranteed to work and are not supported by AWS Support.
Note
Windows 10 N and Windows 11 N versions are not supported for BYOL at this time.
Confirm that the Windows VM in Amazon WorkSpaces meets the requirements for Microsoft BYOL
After you enable BYOL for your account by following the instructions in Enable BYOL for your eligible WorkSpaces account using the Amazon WorkSpaces console, you must confirm that your VM meets the requirements for BYOL. To do so, perform these steps to download and run the WorkSpaces BYOL Checker PowerShell script. The script performs a series of tests on the VM that you plan to use to create your image.
Important
The VM must pass all tests before you can use it for BYOL.
To download the BYOL Checker script
Before you download and run the BYOL Checker script, verify that the latest Windows security updates are installed on your VM. While this script runs, it disables the Windows Update service.
- Download the BYOL Checker script .zip file from https://tools.amazonworkspaces.com/BYOLChecker.zip to your Downloads folder.
- In your Downloads folder, create a BYOL folder.
- Extract the files from BYOLChecker.zip and copy them to the Downloads\BYOL folder.
- Delete the Downloads\BYOLChecker.zip folder so that only the extracted files remain.
Perform these steps to run the BYOL Checker script.
To run the BYOL Checker script
1. From the Windows desktop, open Windows PowerShell. Choose the Windows Start button, right-click Windows PowerShell, and choose Run as administrator. If you are prompted by User Account Control to choose whether you want PowerShell to make changes to your device, choose Yes.
2. At the PowerShell command prompt, change to the directory where the BYOL Checker script is located. For example, if the script is located in the Downloads\BYOL directory, enter the following command and press Enter:
   cd C:\Users\username\Downloads\BYOL
3. Enter the following command to update the PowerShell execution policy on the computer. Doing so allows the BYOL Checker script to run:
   Set-ExecutionPolicy AllSigned
4. When prompted to confirm whether to change the PowerShell execution policy, enter A to specify Yes to All.
5. Enter the following command to run the BYOL Checker script:
   .\BYOLChecker.ps1
6. If a security notification appears, press the R key to Run Once.
7. In the WorkSpaces Image Validation dialog box, choose Begin Tests.
8. After each test is completed, you can view the status of the test. For any test with a status of FAILED, choose Info to display information about how to resolve the issue that caused the failure. If any tests display a status of WARNING, choose the Fix All Warnings button.
9. If applicable, resolve any issues that cause test failures and warnings, and repeat Step 7 and Step 8 until the VM passes all tests. All failures and warnings must be resolved before you export the VM.
10. The BYOL script checker generates two log files, BYOLPrevalidationlogYYYY-MM-DD_HHmmss.txt and ImageInfo.text. These files are located in the directory that contains the BYOL Checker script files.
    Tip
    Do not delete these files. If an issue occurs, they might be helpful in troubleshooting.
11. After your VM passes all tests, you get a Validation Successful message. You will also see a prompt to run Sysprep. Close the prompt and don't run Sysprep yet.
12. Shut down the VM and export it. For more information, see Export your VM from its virtualization environment in the VM Import/Export User Guide.
13. (Optional) Start the VM and run the BYOL Checker script one more time. All validations should pass. A screen will pop up again with a button to run Sysprep. Choose Run Sysprep. If Sysprep is successful, the VM that you exported in step 12 can be imported into Amazon Elastic Compute Cloud (Amazon EC2).
    If Sysprep is unsuccessful, review the Sysprep logs in the %WINDIR%\System32\Sysprep\Panther path, roll back to the exported VM from step 12, resolve the reported issues, and complete step 12 again by exporting the fixed VM. You will then re-run the BYOL Checker script to ensure the issues have been resolved.
    The most common reason for a Sysprep failure is that the Modern AppX Packages have not been uninstalled for all users. Use the Remove-AppxPackage PowerShell cmdlet to remove the AppX Packages.
14. Import the VM that you exported in step 12 into Amazon EC2.
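The download and run steps above, as an added PowerShell example that is not part of the original page or of the BYOL Checker itself: it inspects the Authenticode signature of every extracted script before anything runs, and applies AllSigned to the current session only. It assumes that a process-scoped policy is enough for the checker; the variable names are illustrative.

```powershell
# Added example: fetch, verify and run the BYOL Checker from an elevated prompt.
# The URL and folder names come from the steps above; everything else is illustrative.
$zipUrl  = 'https://tools.amazonworkspaces.com/BYOLChecker.zip'
$zipPath = Join-Path $env:USERPROFILE 'Downloads\BYOLChecker.zip'
$byolDir = Join-Path $env:USERPROFILE 'Downloads\BYOL'

if (-not (Test-Path -LiteralPath $byolDir)) {
    Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath -UseBasicParsing
    Expand-Archive -LiteralPath $zipPath -DestinationPath $byolDir
    Remove-Item -LiteralPath $zipPath
}

# The archive layout is not documented on the page, so locate the script
$checker = Get-ChildItem -LiteralPath $byolDir -Recurse -File -Filter 'BYOLChecker.ps1' |
    Select-Object -First 1
if (-not $checker) { throw "BYOLChecker.ps1 not found under $byolDir" }

# Signature status, signer and hash for every PowerShell file that could be loaded
$report = Get-ChildItem -LiteralPath $byolDir -Recurse -File |
    Where-Object { $_.Extension -in '.ps1', '.psm1', '.psd1' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
$report | Format-List

# Stop before execution if any file is unsigned or was modified after signing
$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    throw "Signature check failed for: $($bad.File -join ', ')"
}

# AllSigned for this session only; the machine-wide policy is left unchanged.
# Assumption: the checker does not require the policy at LocalMachine scope.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process -Force
Get-ExecutionPolicy -List | Format-Table -AutoSize

Set-Location -LiteralPath $checker.DirectoryName
& $checker.FullName
```

Review the Signer value in the report before pressing R at the Run Once prompt, and keep the recorded hashes with the two log files the checker generates.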
Common error messages and their solutions
PowerShell version 4.0 or later must be installed. For more information, see Microsoft Windows PowerShell.
Microsoft Office must be uninstalled before import. For more information, see Uninstall Office from a PC.
Uninstall the PCoIP Agent. For information about uninstalling the PCoIP agent, see Uninstalling the Teradici PCoIP Software Client for Mac.
Disable Windows updates by following these steps:
Press Windows key + R. Type services.msc, then press Enter.
Right-click on Windows Update, then choose Properties.
Under the General tab, set the Startup type to Disabled.
Choose Stop.
Click Apply, and then choose OK.
Restart your computer.
You must enable Automount. Run the following command in PowerShell as an administrator.
C:\> diskpart
DISKPART> automount enable
Automatic mounting of new volumes enabled.
WorkSpaces_BYOL account must be enabled. For more information, see Enable BYOL for your account for BYOL using the Amazon WorkSpaces console.
Network interface must be changed to use DHCP. For more information, see Change TCP/IP settings.
Local disk must have enough space and requires you to free up 20 GB or more.
Only the C and D drives can be present on a WorkSpace that's used for importing an image. Remove all other drives, including virtual drives.
Use a Windows 10 or Windows 11 operating system.
System must be unjoined from AD domain. For more information, see Azure Active Directory device management FAQ.
System must be unjoined from Azure domain. For more information, see Azure Active Directory device management FAQ.
Public firewall profile must be disabled. For more information, see Turn Microsoft Defender Firewall on or off.
VMware tools must be uninstalled. For more information, see Uninstalling and manually installing VMware Tools in VMware Fusion (1014522).
The disk must be smaller than 80 GB. Reduce the disk size.
Volumes must be MBR partitioned for Windows 10 and GPT partitioned for Windows 11. For more information, see Manage disks.
Install all updates and reboot the operating system.
To disable the AutoLogon registry:
Press Windows key + R and type Regedit.exe in the command prompt.
Scroll down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
Add a value for DontDisplayLastUserName.
For Type, enter REG_SZ.
For Value, enter 0.
Note
The value DontDisplayLastUserName determines whether the logon dialog box displays the username of the last user that logged onto the PC. The value does not exist by default. If it exists, you must set it to 0 or the value of DefaultUser will be wiped and AutoLogon will fail.
RealTimeUniversal Registry Key must be enabled. For more information, see Configure time settings for Windows Server 2008 and later.
Number of bootable partitions must not exceed one.
To remove additional partitions
Press the Windows logo + R keys to open Run box. Enter msconfig and press the Enter key on the keyboard to open the System Configuration window.
Choose the Boot tab from the window and check if the OS you want to use is set to Current OS; Default OS. If it isn't set, choose your desired OS from the window and choose Set as default on the same window.
To delete another partition, choose that partition, then select Delete, Apply, OK.
If the error still shows up, boot your computer from the installation or repair disc, and follow these steps.
Skip the initial languages screen, and then choose Repair your computer on the main install screen.
On the Choose an option screen, choose Troubleshoot.
On the Advanced options screen, choose Command Prompts.
In the command prompt, enter bootrec.exe /fixmbr, then press Enter.
A 64 bit OS image must be used. For more information, see Windows versions supported for BYOL.
The Image Rearm count must not be 0. The rearm feature allows you to extend the activation period for the trial version of Windows. The Create Image process requires that the rearm count be a value other than 0.
To check the Windows rearm count
On the Windows Start menu, choose Windows System, then choose Command Prompt.
In the Command Prompt, enter cscript C:\Windows\System32\slmgr.vbs /dlv, and then press Enter.
To reset the rearm count to a value other than 0, see Sysprep (Generalize) a Windows installation.
Windows must not have been upgraded from a previous version.
You must uninstall your antivirus software. Run BYOLChecker to get details for the antivirus software to uninstall.
The Legacy BIOS BootMode must be used for Windows 10. For more information, see Boot modes.
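Several of the requirements listed above can be previewed before you start the BYOL Checker. The following read-only PowerShell script is an added example, not part of the original page or of the BYOL Checker; the function and variable names are illustrative, and it covers only the conditions that map to a simple local query.

```powershell
# Added example, read-only. Run elevated on the VM you plan to export.
# BYOLChecker.ps1 remains the authoritative test; this only previews likely failures.
function New-Check([string]$Name, [bool]$Pass, $Detail) {
    [pscustomobject]@{ Check = $Name; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = "$Detail" }
}

$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$disk = Get-Disk | Where-Object IsSystem | Select-Object -First 1
$wu   = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
$fw   = Get-NetFirewallProfile -Name Public

# Connected IPv4 interfaces (loopback excluded) that are not using DHCP
$static = @(Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' } |
    Where-Object { "$($_.Dhcp)" -ne 'Enabled' } |
    ForEach-Object InterfaceAlias)

# Drive letters other than C and D (mapped and virtual drives included)
$extra = @(Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Name.Length -eq 1 -and $_.Name -notin 'C', 'D' } |
    ForEach-Object Name)

# Page rule: MBR for Windows 10, GPT for Windows 11
$wantStyle = if ($os.Caption -like '*Windows 11*') { 'GPT' } else { 'MBR' }

# NoAutoMount = 1 under the mount manager key means automount is disabled
$mountMgr    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr' -ErrorAction SilentlyContinue
$noAutoMount = $mountMgr.NoAutoMount

$rearm  = (Get-CimInstance SoftwareLicensingService).RemainingWindowsReArmCount
$freeGB = [math]::Round((Get-PSDrive C).Free / 1GB, 1)
$sizeGB = [math]::Round($disk.Size / 1GB, 1)

$results = @(
    New-Check 'PowerShell 4.0 or later'        ($PSVersionTable.PSVersion.Major -ge 4) $PSVersionTable.PSVersion
    New-Check 'Windows 10 or 11'               ($os.Caption -match 'Windows 1[01]')    $os.Caption
    New-Check '64-bit OS'                      ([Environment]::Is64BitOperatingSystem) $os.OSArchitecture
    New-Check 'Windows Update disabled'        ($wu.StartMode -eq 'Disabled')          $wu.StartMode
    New-Check 'Automount enabled'              ($noAutoMount -ne 1)                    "NoAutoMount=$noAutoMount"
    New-Check 'All interfaces use DHCP'        ($static.Count -eq 0)                   ($static -join ', ')
    New-Check 'At least 20 GB free on C:'      ($freeGB -ge 20)                        "$freeGB GB free"
    New-Check 'Only C and D drives present'    ($extra.Count -eq 0)                    ($extra -join ', ')
    New-Check 'Not joined to an AD domain'     (-not $cs.PartOfDomain)                 $cs.Domain
    New-Check 'Public firewall profile off'    ("$($fw.Enabled)" -eq 'False')          $fw.Enabled
    New-Check 'System disk smaller than 80 GB' ($sizeGB -lt 80)                        "$sizeGB GB"
    New-Check "Partition style is $wantStyle"  ($disk.PartitionStyle -eq $wantStyle)   $disk.PartitionStyle
    New-Check 'Rearm count is not 0'           ($rearm -gt 0)                          $rearm
)

$results | Format-Table -AutoSize
$failed = @($results | Where-Object Result -eq 'FAIL')
"{0} of {1} checks failed" -f $failed.Count, $results.Count
```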
List of SysPrep error messages and error fixes
Modern AppX Packages might still be installed for your users. Remove the AppX package by running the PowerShell cmdlet, Remove-AppxPackage.
To disable reserved storage
- Open the Registry Editor by entering regedit.exe.
- Navigate to the registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\ReserveManager.
- Change the value of the ShippedWithReserves parameter from 1 to 0.
- Change the value of ActiveScenario to 0.
- Disable Reserved Storage in Windows using the following command:
  DISM.exe /Online /Set-ReservedStorageState /State:Disabled
You must uninstall your antivirus software. Run the BYOLChecker to get details for the antivirus software to uninstall. For more information, see Confirm that the Windows VM in Amazon WorkSpaces meets the requirements for Microsoft BYOL.
SysPrep failure reason couldn't be determined. Contact AWS support at https://aws.amazon.com/support.
Import a VM as an image into Amazon EC2 in preparation to create a BYOL image for WorkSpaces
After you export your VM by following the instructions in Export a VM from your virtualization environment in Amazon WorkSpaces, review the requirements for importing Windows operating systems from a VM. Take action as needed. For more information, see VM Import/Export Requirements.
Note
Importing a VM with an encrypted disk is not supported. If you've opted in to default encryption for Amazon Elastic Block Store (Amazon EBS) volumes, you must deselect that option before importing your VM.
Import your VM into Amazon EC2 as an Amazon Machine Image (AMI). Use one of the following methods:
Use the import-image command with the AWS CLI. For more information, see import-image in the AWS CLI Command Reference.
Use the ImportImage API operation. For more information, see ImportImage in the Amazon EC2 API Reference.
For more information, see Importing a VM as an Image in the VM Import/Export User Guide.
Create a BYOL image using the WorkSpaces console
After you import your VM into Amazon EC2 by following the instructions in Import a VM as an image into Amazon EC2 in preparation to create a BYOL image for WorkSpaces, perform these steps to create a WorkSpaces BYOL image.
Note
To perform this procedure, verify that you have AWS Identity and Access Management (IAM) permissions to:
Call WorkSpaces ImportWorkspaceImage.
Call Amazon EC2 DescribeImages on the Amazon EC2 image that you want to use to create the BYOL image.
Call Amazon EC2 ModifyImageAttribute on the Amazon EC2 image that you want to use to create the BYOL image. Make sure that the launch permissions on the Amazon EC2 image are not restricted. The image must be shareable throughout the BYOL image creation process.
For an example IAM policy specific to BYOL WorkSpaces, see Identity and access management for WorkSpaces. For more information about working with IAM permissions, see Changing Permissions for an IAM User in the IAM User Guide.
To create a Graphics.g4dn, GraphicsPro.g4dn, Graphics, or GraphicsPro bundle from your image, contact the AWS Support Center.
To create an image from the Windows VM
- Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.
- In the navigation pane, choose Images.
- Choose Create BYOL image.
- On the Create BYOL image page, do the following:
  - For AMI ID, choose the EC2 Console link, and choose the Amazon EC2 image that you imported as described in the previous section (Import a VM as an image into Amazon EC2 in preparation to create a BYOL image for WorkSpaces). The image name must begin with ami- and be followed by the identifier for the AMI (for example, ami-1234567e).
  - For Image name, enter a unique name for the image.
  - For Description, enter a description to help you quickly identify the image.
  - For Instance type, choose the appropriate bundle type (either Regular, Graphics.g4dn, Graphics, or GraphicsPro), depending on which protocol you want to use for your image, either PCoIP or DCV. If you want to create a GraphicsPro.g4dn bundle, choose Graphics.g4dn. For non-GPU-enabled bundles (bundles other than Graphics.g4dn, GraphicsPro.g4dn, Graphics, or GraphicsPro), choose Regular.
    Note
    - GraphicsPro images can be created only for the PCoIP protocol.
    - Windows 11 images can be created only for the DCV protocol.
    - Graphics and GraphicsPro Images are not supported for Windows 11.
  - (Optional) For Select applications, choose which version of Microsoft Office you want to subscribe to. For more information, see Add Microsoft Office to your BYOL image in Amazon WorkSpaces.
  - (Optional) For Tags, choose Add new tag to associate tags with this image. For more information, see Tag resources in WorkSpaces Personal.
- Choose Create BYOL image.
While your image is being created, the image's status on the Images page of the console appears as Pending. The BYOL ingestion process takes a minimum of 90 minutes. If you have subscribed to Office as well, expect the process to take a minimum of 3 hours.
Pending Windows updates will be installed during the BYOL ingestion process.
If the image validation does not succeed, the console displays an error code. When the image creation is complete, the status changes to Available.
Create a custom bundle from the BYOL image in WorkSpaces
After you create your BYOL image by following the instructions in Create a BYOL image using the WorkSpaces console, you can use the image to create a custom bundle. For information, see Create a custom WorkSpaces image and bundle for WorkSpaces Personal.
Create a dedicated directory to use BYOL images for WorkSpaces
To use BYOL images for WorkSpaces, you must create a directory for this purpose.
To create a directory for WorkSpaces, see Create a directory for WorkSpaces Personal. Ensure that you choose Enable Dedicated WorkSpaces when creating the directory.
If you've already registered an AWS Managed Microsoft AD directory or an AD Connector directory for WorkSpaces that doesn't run on dedicated hardware, you can set up a new AWS Managed Microsoft AD directory or AD Connector directory for this purpose. You can also deregister the directory and then register it again as a directory for dedicated WorkSpaces. To learn more about registering and deregistering an existing AWS Directory Service directory, see Register an existing AWS Directory Service directory with WorkSpaces Personal.
Launch your BYOL WorkSpaces
After you register a directory for dedicated WorkSpaces by following the instructions in Create a BYOL image using the WorkSpaces console, you can launch your BYOL WorkSpaces Personal and WorkSpaces Pool in this directory.
To launch a personal WorkSpace, see Create a WorkSpace in WorkSpaces Personal.
To launch a WorkSpaces Pool, you have to launch a personal WorkSpace, create an image of that personal WorkSpace, then use that image to launch a pool.
To create an image for BYOL WorkSpaces Pools
- Launch a personal WorkSpace with the BYOL image you want to use for your WorkSpaces Pools. For information about how to launch WorkSpaces Personal, see Create a directory for WorkSpaces Personal.
- Log in to the personal WorkSpace and make sure all your Windows updates are installed.
- Update your Amazon EC2 configurations. To update your EC2 configurations using Windows 10, see Install the latest version of EC2Config. To update your EC2 configurations using Windows 11, see Install the latest version of EC2Launch.
- Add a Windows Defender exclusion list. For more information, see Add an exclusion to Windows Security. Add the following folders to the exclusion list in Windows Defender:
  - C:\Program Files\Amazon\*
  - C:\ProgramData\Amazon\*
  - C:\Program Files\NICE\*
  - C:\ProgramData\NICE\*
  - C:\Program Files (x86)\AWS Tools\*
  - C:\Program Files (x86)\AWS SDK for .NET\*
  - C:\AWSEUC\* (This is for the session script)
- Disable Windows update on startup. Open PowerShell as an administrator and run the following commands:
  New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Force
  New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force
  Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Value 1 -Force
- Reboot the WorkSpace. For more information, see Reboot a WorkSpace in WorkSpaces Personal.
  Note
  We recommend doing the following before you begin creating an image for BYOL WorkSpaces Pools:
  Remove unnecessary startup applications.
  Remove or disable unnecessary scheduled tasks. Open the start menu, choose Scheduled tasks, select the tasks you want to disable and then choose Disable.
- Run image checker after the reboot by entering the following command.
  C:\Program Files\Amazon\ImageChecker.exe
  For more information on creating a custom WorkSpaces image, see Create a custom WorkSpaces image and bundle for WorkSpaces Personal.
- Resolve any errors found by the image checker. For more information, see Tips for resolving issues detected by the Image Checker.
- After all tests have passed the image checker, go back to the WorkSpaces console.
- In the navigation pane, under WorkSpaces, choose Personal. Choose the BYOL personal WorkSpaces, then choose Actions, Create image.
- In the navigation pane, choose Images. Under Images, check if the image is created.
You can now launch WorkSpaces Pools with the image you created. For more information about launching WorkSpaces Pools, see Create a WorkSpaces Pool.
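The Windows Defender exclusion and Windows Update steps in the procedure above change settings that are captured in the image and carried into every pool session launched from it. The following PowerShell audit is an added example, not part of the original page: it compares the exclusions actually configured against the seven folders listed above and confirms the NoAutoUpdate value. The variable names are illustrative.

```powershell
# Added example, read-only. Run elevated on the personal WorkSpace before creating
# the image; without elevation Get-MpPreference does not reveal exclusions.
$expected = @(
    'C:\Program Files\Amazon\*'
    'C:\ProgramData\Amazon\*'
    'C:\Program Files\NICE\*'
    'C:\ProgramData\NICE\*'
    'C:\Program Files (x86)\AWS Tools\*'
    'C:\Program Files (x86)\AWS SDK for .NET\*'
    'C:\AWSEUC\*'
)

$mp      = Get-MpPreference
$current = @($mp.ExclusionPath | Where-Object { $_ })

# Folders from the page that are not excluded yet
$missing = @($expected | Where-Object { $_ -notin $current })

# Exclusions beyond the page's list: each one is a location Defender will not scan
# in any session launched from this image, so review them before capture
$unexpected = @($current | Where-Object { $_ -notin $expected })

# The page asks only for folder exclusions; list any process or extension exclusions
$otherTypes = @($mp.ExclusionProcess) + @($mp.ExclusionExtension) | Where-Object { $_ }

# Policy value written by the Set-ItemProperty command in the procedure
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au    = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

$state = [pscustomobject]@{
    MissingExclusions    = $missing -join '; '
    UnexpectedExclusions = $unexpected -join '; '
    OtherExclusionTypes  = @($otherTypes) -join '; '
    NoAutoUpdate         = $au.NoAutoUpdate
    MatchesPage          = ($missing.Count -eq 0) -and ($unexpected.Count -eq 0) -and
                           (@($otherTypes).Count -eq 0) -and ($au.NoAutoUpdate -eq 1)
}
$state | Format-List
```

Missing folders can be added with Add-MpPreference -ExclusionPath; the script itself changes nothing.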
Link BYOL accounts in WorkSpaces
You can use BYOL linking to link accounts and share BYOL configurations. BYOL configurations include the CIDR range used by your accounts and the images you use to create WorkSpaces with your Windows license. All accounts that are linked share the same underlying hardware infrastructure.
The account enabled for BYOL linking is the primary owner of the underlying hardware infrastructure, and is called the Source account. The Source account manages access to the underlying hardware infrastructure. Target accounts are the accounts that are linked to the Source account.
Important
APIs for BYOL account linking are not available in the AWS GovCloud (US) Region.
Note
The AWS accounts that you want to link with must be part of your organization and under the same payer account. You can only link accounts within the same Region.
To link the Source and Target accounts
Send an invitation link from your Source account to the Target account by using the CreateAccountLinkInvitation API.
Accept the pending link from your Target account by using the AcceptAccountLinkInvitation API.
Verify the link has been established by using the GetAccountLink or ListAccountLinks API.