Improve Performance and Security by Blocking Ads on domain-joined Windows Amazon WorkSpaces and Amazon AppStream 2.0 using Group Policy
This article demonstrates how to deploy uBlock Origin and uBlock Origin Lite to Mozilla Firefox, Google Chrome, and Microsoft Edge using Group Policy on domain-joined, Windows-based WorkSpaces and AppStream deployments.
uBlock Origin vs uBlock Origin Lite
Download and Install the Mozilla Firefox templates
Create a Firefox Group Policy - uBlock Origin
Create a Firefox Group Policy - uBlock Origin Lite
Download and Install the Google Chrome templates
Create a Google Chrome Group Policy - uBlock Origin Lite
Create a Google Chrome Group Policy - uBlock Origin
Download and Install the Microsoft Edge templates
Create a Microsoft Edge Group Policy - uBlock Origin Lite
- Download the Group Policy template files for each browser you intend to push policies for.
- Add these policies to your domain’s SYSVOL folder, or C:\Windows\PolicyDefinitions on the computer you will use the Group Policy remote administration tools on.
- Create a Group Policy Object (GPO), and link it to the OU your WorkSpaces directory is configured to use.
  - Validate the OU configuration for your WorkSpaces by navigating to the Directories subsection of the WorkSpaces console, selecting your directory, and choosing “Update Details.” The OU configuration is on the resulting page.
- Edit this new policy and apply a setting which enforces the uBlock Origin extension for each browser you intend to push policies for.
- Launch a browser and validate that the policies have applied successfully.
- uBlock Origin Lite Chrome ID: ddkjiahejlhfcafbddmgiahcphecmpfh
- uBlock Origin Lite Firefox ID: uBOLite@raymondhill.net
- uBlock Origin Lite Edge ID: cimighlppcgcoapaliogpjjdehbnofhn
- Firefox: Use uBlock Origin or uBlock Origin Lite as per your preference. uBlock Origin offers more control, but requires more permissions.
- Chrome: Use uBlock Origin Lite. Chrome is mostly done with the timeline to fully remove Manifest v2, so uBlock Origin will not work on Chrome for much longer.
  - If you wish to use uBlock Origin as long as possible, you can use the ExtensionManifestV2Capability configuration element to extend Manifest v2 support, as per the Chrome Manifest v2 timeline documentation.
- Edge: uBlock Origin Lite is the future-proof option, but you can choose uBlock Origin or uBlock Origin Lite as per your preference. uBlock Origin offers more control, but requires more permissions.
  - Edge will also remove Manifest v2 at some point, but unlike Chrome, the timeline has still not been decided, meaning a deployment of uBlock Origin on Edge will have a longer lifecycle before migration to uBlock Origin Lite becomes mandatory.
  - Once Edge determines a removal timeline, there will be a policy to extend Manifest v2 further for enterprises, as there currently is with Chrome. See the Edge documentation "Overview and timelines for migration to Manifest v3" for the latest info.
- An AWS account
- An existing deployment of Amazon WorkSpaces or Amazon AppStream 2.0, as well as familiarity with which Active Directory OU or OUs your deployment(s) utilize.
  - The steps in this article only apply to domain-joined, Windows-based instances.
- An existing Active Directory deployment.
- Permissions to import new Group Policy templates into Active Directory
- Permissions to create and deploy Group Policies in Active Directory
- Access to a domain joined computer with the Active Directory Remote Server Administration Tools installed. This computer will be referred to as your “management endpoint” in the steps going forward.
- General knowledge of Active Directory administration
- On your management endpoint, download the latest Group Policy definition templates for Firefox.
  - Each update post will have a zip file with the templates, with a name syntax such as policy_templates_v6.5.zip.
- Extract the Mozilla Firefox policy templates .zip file. Navigate to the windows folder within the extracted files.
- The windows folder will contain firefox.admx and multiple language folders such as en-US. Each language folder will include a matching firefox.adml file.
- Open a separate Windows Explorer window, and navigate to \\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions, where ad.example.com corresponds to your Active Directory Fully Qualified Domain Name.
- Copy firefox.admx from your extracted folder into the root of the PolicyDefinitions folder.
- For each language you require, copy the matching firefox.adml from within its folder to the corresponding language folder within PolicyDefinitions.
- On your management endpoint, open gpmc.msc.
- Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
  - If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
    - Alternate-select (right-click) the additional OU.
    - Select “Link an Existing GPO…”
    - Select the policy.
- Select your newly created policy and choose “Edit…”
- Under “Computer Configuration”, expand Policies, Administrative Templates, Mozilla, Firefox, and then select Extensions.
- Under Extensions, select “Extensions Management”.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” choose “Show…”
- In the resulting panel window, paste the JSON from the following code block.
- Select “OK” in the “Show Contents” window, and then select OK in the “Extensions to Install” window.
Replace uBlock0@raymondhill.net with uBOLite@raymondhill.net in the JSON block.
- On your management endpoint, open gpmc.msc.
- Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
  - If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
    - Alternate-select (right-click) the additional OU.
    - Select “Link an Existing GPO…”
    - Select the policy.
- Select your newly created policy and choose “Edit…”
- Under “Computer Configuration”, expand Policies, Administrative Templates, Mozilla, Firefox, and then select Extensions.
- Under Extensions, select “Extensions Management”.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” choose “Show…”
- In the resulting panel window, paste the JSON from the following code block.
- Select “OK” in the “Show Contents” window, and then select OK in the “Extensions to Install” window.
- On your management endpoint, download the latest Google Chrome Group Policy definition templates.
- Extract the Google Chrome policy_templates.zip file. It will contain three folders, chromeos, mac and windows. Navigate to the windows folder.
- The windows folder will contain three subfolders, adm, admx, and examples. Navigate to admx.
- The admx folder will contain chrome.admx and multiple language folders such as en-US. Each language folder will include a matching chrome.adml file.
- Open a separate Windows Explorer window, and navigate to \\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions, where ad.example.com corresponds to your Active Directory Fully Qualified Domain Name.
- Copy chrome.admx from your extracted folder into the root of the PolicyDefinitions folder.
- For each language you require, copy the matching chrome.adml from within its folder to the corresponding language folder within PolicyDefinitions.
- On your management endpoint, open gpmc.msc.
- Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
  - If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
    - Alternate-select (right-click) the additional OU.
    - Select “Link an Existing GPO…”
    - Select the policy.
- Select your newly created Group Policy and choose “Edit…”.
- Under “Computer Configuration”, expand Policies, Administrative Templates, Google, Google Chrome, and then select Extensions.
- Under Extensions, select “Extension management settings” to open the extended configuration menu.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
- The complete block is provided next, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
- Select “OK” in the “Show Contents” window, and then select OK in the “Extension management settings” window. The policy is now saved.
- On your management endpoint, open gpmc.msc.
- Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
  - If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
    - Alternate-select (right-click) the additional OU.
    - Select “Link an Existing GPO…”
    - Select the policy.
- Select your newly created Group Policy and choose “Edit…”.
- Under “Computer Configuration”, expand Policies, Administrative Templates, Google, Google Chrome, and then select Extensions.
- Under Extensions, select “Extension management settings” to open the extended configuration menu.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
- The complete block is provided next, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
- Select “OK” in the “Show Contents” window, and then select OK in the “Extension management settings” window. The policy is now saved.
- On your management endpoint, download the latest Microsoft Edge Group Policy definition templates.
  - Under “download the latest”, look for the Windows 64-bit section, and the “Download Windows 64-bit Policy” link.
- Open the cab file named MicrosoftEdgePolicyTemplates.cab, which will contain MicrosoftEdgePolicyTemplates.zip.
- Open the zip file. Windows will prompt you for a folder to place the zip file into.
- Navigate to the folder you selected, and extract the zip file.
- The extracted folder will contain four subfolders, examples, html, mac, and windows. Navigate to windows.
- Within the windows folder, choose the admx folder.
- The admx folder will contain msedge.admx and multiple language folders such as en-US. Each language folder will include a matching msedge.adml file.
- Open a separate Windows Explorer window, and navigate to \\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions, where ad.example.com corresponds to your Active Directory Fully Qualified Domain Name.
- Copy msedge.admx from your extracted folder into the root of the PolicyDefinitions folder.
- For each language you require, copy the matching msedge.adml from within its folder to the corresponding language folder within PolicyDefinitions.
- On your management endpoint, open gpmc.msc.
- Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
  - If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
    - Alternate-select (right-click) the additional OU.
    - Select “Link an Existing GPO…”
    - Select the policy.
- Select your newly created Group Policy and choose “Edit…”
- Under “Computer Configuration”, expand Policies, Administrative Templates, Microsoft Edge, and then select Extensions.
- Under Extensions, select “Configure extension management settings”.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
- The full block is provided, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
- Select “OK” in the “Extension management settings” window. The policy is now saved.
- On your management endpoint, open gpmc.msc.
- Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
  - If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
    - Alternate-select (right-click) the additional OU.
    - Select “Link an Existing GPO…”
    - Select the policy.
- Select your newly created Group Policy and choose “Edit…”
- Under “Computer Configuration”, expand Policies, Administrative Templates, Microsoft Edge, and then select Extensions.
- Under Extensions, select “Configure extension management settings”.
- Switch the “Not Configured” radio option to “Enabled”.
- Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
- The full block is provided, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
- Select “OK” in the “Extension management settings” window. The policy is now saved.
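The Chrome and Edge steps above both call for a single line of JSON in the “Extension management settings” field. The following PowerShell is an added example, not part of the original article: it builds that line for the uBlock Origin Lite IDs listed earlier and re-parses it before you paste it. The function name and the two store update URLs are assumptions to confirm against the browser vendors' documentation.

```powershell
# Added example (not from the original article): build the single-line JSON
# for the "Extension management settings" field in the Chrome and Edge GPOs.

# uBlock Origin Lite extension IDs as listed in this article.
$ExtensionIds = @{
    Chrome = 'ddkjiahejlhfcafbddmgiahcphecmpfh'
    Edge   = 'cimighlppcgcoapaliogpjjdehbnofhn'
}
# Store update endpoints (assumed values; confirm against vendor documentation).
$UpdateUrls = @{
    Chrome = 'https://clients2.google.com/service/update2/crx'
    Edge   = 'https://edge.microsoft.com/extensionwebstorebase/v1/crx'
}

function New-ExtensionSettingsJson {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][ValidateSet('Chrome', 'Edge')]
        [string]$Browser,
        [ValidateSet('force_installed', 'normal_installed', 'allowed', 'blocked')]
        [string]$InstallationMode = 'force_installed'
    )
    $id    = $ExtensionIds[$Browser]
    $entry = [ordered]@{ installation_mode = $InstallationMode }
    # update_url only matters when the browser has to fetch the extension itself.
    if ($InstallationMode -in 'force_installed', 'normal_installed') {
        $entry['update_url'] = $UpdateUrls[$Browser]
    }
    $settings = [ordered]@{}
    $settings[$id] = $entry

    # -Compress emits the one-line form the GPO text field expects.
    $json = $settings | ConvertTo-Json -Compress -Depth 5

    # Re-parse before use: a malformed or multi-line value would leave the
    # extension unenforced without any error in the GPO editor.
    $parsed = $json | ConvertFrom-Json
    $mode   = $parsed.PSObject.Properties[$id].Value.installation_mode
    if ($json -match '[\r\n]' -or $mode -ne $InstallationMode) {
        throw "Generated policy for $Browser failed validation."
    }
    return $json
}

foreach ($browser in 'Chrome', 'Edge') {
    '{0}: {1}' -f $browser, (New-ExtensionSettingsJson -Browser $browser)
}
```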
- Log into a WorkSpace or AppStream instance whose Computer Object is in the OU linked to the Group Policy object you created.
- Open a PowerShell or Command Prompt window with administrative rights.
- Run the following command: gpupdate /force
Run gpresult /r /scope:computer in an administrator PowerShell or Command Prompt window. This will confirm if the WorkSpaces instance is receiving the intended group policy configuration. You must open PowerShell or Command Prompt with administrator permissions to see Computer scoped Group Policy objects.
- Chrome: chrome://policies and chrome://extensions
- Edge: edge://policies and edge://extensions
- Firefox: about://policies and about://addons
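The same validation can be scripted across a fleet instead of opening each browser by hand. This PowerShell is an added example, not part of the original article: it reads the machine policy each browser received and reports whether the extension is listed and force-installed. The registry locations and the function name are assumptions to confirm on your build; the IDs are the uBlock Origin Lite IDs listed earlier.

```powershell
# Added example (not from the original article). Run elevated on a WorkSpace
# or AppStream instance after gpupdate /force.

# Assumed registry locations for each browser's machine policy. Substitute
# the uBlock Origin ID if that is the extension your GPO deploys.
$Expected = @(
    @{ Browser = 'Chrome';  Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Id = 'ddkjiahejlhfcafbddmgiahcphecmpfh' }
    @{ Browser = 'Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Id = 'cimighlppcgcoapaliogpjjdehbnofhn' }
    @{ Browser = 'Firefox'; Key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
       Id = 'uBOLite@raymondhill.net' }
)

function Test-ExtensionPolicy {   # hypothetical helper name
    param([Parameter(Mandatory)][hashtable]$Item)

    $result = [ordered]@{ Browser = $Item.Browser; Status = ''; Mode = $null }
    $raw = (Get-ItemProperty -Path $Item.Key -Name ExtensionSettings `
            -ErrorAction SilentlyContinue).ExtensionSettings
    if (-not $raw) {
        $result.Status = 'PolicyMissing'        # GPO not linked or not applied
        return [pscustomobject]$result
    }
    try {
        # A multi-string value arrives as an array, so join it before parsing.
        $settings = ($raw -join "`n") | ConvertFrom-Json -ErrorAction Stop
    } catch {
        $result.Status = 'InvalidJson'          # browser will ignore the policy
        return [pscustomobject]$result
    }
    $entry = $settings.PSObject.Properties[$Item.Id]
    if (-not $entry) {
        $result.Status = 'ExtensionNotListed'
        return [pscustomobject]$result
    }
    $result.Mode = $entry.Value.installation_mode
    $result.Status = if ($result.Mode -eq 'force_installed') { 'Enforced' }
                     else { 'NotEnforced' }     # users can disable or remove it
    return [pscustomobject]$result
}

$Expected | ForEach-Object { Test-ExtensionPolicy -Item $_ } | Format-Table -AutoSize
```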
- In the Group Policy Management Editor, edit your Firefox policy. Navigate to Computer Configuration > Policies > Administrative Templates > Mozilla > Firefox > Extensions.
- Open the “Extensions Management” setting.
- In the resulting window, under “Options”, you’ll see the JSON which configures the extension installation.
- In the JSON block, the value for installation_mode will be set to either force_installed or normal_installed. Change this value to blocked as shown in the following code block. This will remove the extension and prevent it from being reinstalled.
  - If you would like to leave it as an option for end users, you can also use allowed instead of blocked. This will not remove the extension, and users will be allowed to add it.
- Close out of the settings for the Group Policy.
Run gpupdate /force. Chrome and Edge will immediately update with the changes from Group Policy with no need for the user to restart their browser. Firefox will not apply the settings until the next time the browser is restarted.
admx and adml template files which were added to your domain’s SYSVOL folder.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.