Troubleshooting Amazon WorkSpaces Image Creation with Windows Defender ATP
This article walks you through identifying image creation issues caused by Windows Defender ATP and the steps to proceed with creating an image successfully.
Justin Grego
Amazon Employee
Published Nov 11, 2024
When creating an image from an Amazon WorkSpace that has been enrolled in Windows Defender Advanced Threat Protection (ATP), you may encounter issues that result in the image capture timing out and being left in an error state. These issues often arise due to Windows Defender ATP’s security policies, which interfere with the preparation of the image.
The Sysprep process attempts to clean up machine-specific information from the registry, including the device-specific identifiers for Windows Defender. Defender's tamper protection prevents these deletions. When this occurs, the following error information is written to the Sysprep log file:
Sysprep is unable to remove the senseGuid and senseId values under the registry key HKLM\Software\Microsoft\Windows\Windows Advanced Threat Protection.
Furthermore, the Windows Defender Advanced Threat Protection Service is in the Running state and has a startup type of Automatic.
For Sysprep to complete its required generalization steps and for the WorkSpace image capture to proceed, you must "Offboard" the Defender ATP client on the WorkSpace. Doing so removes the tamper protection and allows Sysprep to delete the associated registry values. Below are the high-level steps to offboard the WorkSpace's Defender agent. Refer to the official Microsoft documentation for further details.
- In the Windows Defender console, navigate to Settings, Endpoints, Device management, then Offboarding.
- Select your operating system.
- For Deployment method, choose Local Script.
- Choose Download package and save the .zip file.
- Extract the contents of the .zip file to a location the WorkSpace can read from, or copy it locally to the WorkSpace.
- On the WorkSpace, open an elevated command prompt and run the script:
  - On the Start menu, type cmd.
  - Right-click Command prompt and choose Run as administrator.
  - Enter the full path to the WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd file and press Enter.
- The script stops the Windows Defender Advanced Threat Protection Service, sets it to the Manual startup type, and removes the deletion protection on the senseGuid and senseId registry values.
- Proceed with creating the WorkSpaces image.
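Before launching the image capture, it helps to confirm the WorkSpace is in the state Sysprep needs. The following read-only PowerShell check is an added example, not part of the original article or any AWS or Microsoft tooling. It locates the service by the display name quoted above and assumes the senseGuid and senseId values live under the standard key HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection (the Sysprep log line above renders the path slightly differently); adjust the path if your log shows another key.

```powershell
# Pre-flight check for WorkSpaces image creation on an MDATP-enrolled WorkSpace.
# Added example; changes nothing, only reports state. Run from an elevated PowerShell prompt.
# Assumptions: service found by its display name; registry key path below is the standard one.

$displayName = 'Windows Defender Advanced Threat Protection Service'
$atpKey      = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'   # assumed path
$valueNames  = @('senseGuid', 'senseId')
$blockers    = @()

# 1. Service state. Running + Automatic means the agent is still onboarded,
#    which is the condition that makes Sysprep's registry cleanup fail.
$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host "Service '$displayName' not found: MDATP agent not installed or already removed."
} else {
    Write-Host ("Service {0}: Status={1} StartType={2}" -f $svc.Name, $svc.Status, $svc.StartType)
    if ($svc.Status -eq 'Running') {
        $blockers += 'service is Running (offboarding script stops it)'
    }
    if ($svc.StartType -eq 'Automatic') {
        $blockers += 'service StartType is Automatic (offboarding script sets it to Manual)'
    }
}

# 2. Registry values Sysprep will try to delete. Their presence alone is not a
#    blocker; it only matters while the service above still protects them.
if (Test-Path $atpKey) {
    $item = Get-ItemProperty -Path $atpKey -ErrorAction SilentlyContinue
    foreach ($name in $valueNames) {
        $present = ($null -ne $item) -and ($item.PSObject.Properties.Name -contains $name)
        if ($present) {
            Write-Host "Registry value '$name' is present; Sysprep will need to remove it."
        } else {
            Write-Host "Registry value '$name' not present; nothing for Sysprep to remove."
        }
    }
} else {
    Write-Host "Key $atpKey not found; agent appears never to have been onboarded here."
}

# 3. Verdict.
if ($blockers.Count -eq 0) {
    Write-Host 'READY: no MDATP blocker detected; proceed with image creation.' -ForegroundColor Green
} else {
    Write-Host 'NOT READY: run the MDATP offboarding script first.' -ForegroundColor Yellow
    $blockers | ForEach-Object { Write-Host " - $_" }
}
```

Re-run the check after the offboarding script; the service should report Stopped with StartType Manual before you start the image capture.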
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.