
Improve Performance and Security by Blocking Ads on domain-joined Windows Amazon WorkSpaces and Amazon AppStream 2.0 using Group Policy

This article will demonstrate deployment of uBlock Origin and uBlock Origin Lite to Mozilla Firefox, Google Chrome, and Microsoft Edge, using Group Policy on domain joined Windows based WorkSpaces and AppStream deployments.

Dan Garibay
Amazon Employee
Published Dec 21, 2024

Overview

Web browsing is typically a source of significant resource usage, which results in slower systems for end users. This drives costs upwards, as compute resources are increased to meet this demand.
This article will demonstrate how to use Group Policy with Active Directory domain joined Windows based Amazon WorkSpaces or AppStream 2.0 setups to automatically deploy an adblocker.
For Mozilla Firefox, this post will cover deploying uBlock Origin or uBlock Origin Lite. For Google Chrome and Microsoft Edge, this post will cover deploying uBlock Origin Lite, as the imminent removal of Manifest v2 means that uBlock Origin will not remain an option on those browsers for long.
The default filters for uBlock Origin/uBlock Origin Lite block a wide variety of advertisement, malware, and annoyance domains from loading. This reduces your web browser’s resource requirements, freeing up system resources for your line of business applications.
In addition to reducing system resource consumption, this also boosts security for your organization. On December 21, 2022, the FBI recommended taking steps to block advertisements (ads) for security reasons, due to brand impersonation in search result ads.
In this article, you complete the following tasks:
  1. Download the Group Policy template files for each browser you intend to push policies for.
  2. Add these policies to your domain’s SYSVOL folder, or C:\Windows\PolicyDefinitions on the computer you will use the Group Policy remote administration tools on.
  3. Create a Group Policy Object (GPO), and link it to the OU your WorkSpaces directory is configured to use.
    1. Validate the OU configuration for your WorkSpaces by navigating to the Directories subsection of the WorkSpaces console, selecting your directory, and choosing “Update Details.” The OU configuration is on the resulting page.
  4. Edit this new policy and apply a setting which enforces the uBlock Origin extension for each browser you intend to push policies for.
  5. Launch a browser and validate that the policies have applied successfully.

Security Considerations

Before deploying uBlock Origin, validate that your organization is comfortable with the required permissions for it to function. If your organization requires an alternative with reduced permissions, consider uBlock Origin Lite.
Firefox is the only browser with long term support for uBlock Origin as of the time of writing.

uBlock Origin vs uBlock Origin Lite

Google Chrome and Microsoft Edge are in the process of removing support for Manifest v2, which is required for uBlock Origin to function. Going forward, uBlock Origin Lite will be the extension to use on Chrome or Edge.
Firefox will be the only browser to retain support for uBlock Origin.
uBlock Origin Lite is a new variant of uBlock Origin from the same developers. It uses the Manifest v3 framework for reduced permissions. The uBlock Origin Lite GitHub contains an FAQ with more information on the differences.
For Chrome and Edge, uBlock Origin will continue to work until the full removal of Manifest v2, which is in the process of rolling out. See Google's progress blog on the removal for Chrome and Microsoft's docs on the removal for Edge. Google Chrome is already most of the way through the deprecation process. Microsoft Edge has not yet determined a timeline to remove Manifest v2.

Recommendations

  • Firefox: Use uBlock Origin or uBlock Origin Lite as per your preference. uBlock Origin offers more control, but requires more permissions.
  • Chrome: Use uBlock Origin Lite. Chrome is mostly done with the timeline to fully remove Manifest v2, so uBlock Origin will not work on Chrome for much longer.
  • Edge: uBlock Origin Lite is the future proof option, but you can choose uBlock Origin or uBlock Origin Lite as per your preference. uBlock Origin offers more control, but requires more permissions.
    • Edge will also remove Manifest v2 at some point, but unlike Chrome, the timeline has still not been decided, meaning a deployment of uBlock Origin on Edge will have a longer lifecycle before migration to uBlock Origin Lite becomes mandatory.
    • Once Edge determines a removal timeline, there will be a policy to extend Manifest v2 further for enterprises, as there currently is with Chrome. See the Edge documentation "Overview and timelines for migration to Manifest v3" for the latest info.

Prerequisites

For this walkthrough, you should have the following prerequisites:
  • An AWS account
  • An existing deployment of Amazon WorkSpaces or Amazon AppStream 2.0, as well as familiarity with which Active Directory OU or OUs your deployment(s) utilize.
    • The steps in this article only apply to domain joined Windows based instances.
  • An existing Active Directory deployment.
    • Permissions to import new Group Policy templates into Active Directory
    • Permissions to create and deploy Group Policies in Active Directory
    • Access to a domain joined computer with the Active Directory Remote Server Administration Tools installed. This computer will be referred to as your “management endpoint” in the steps going forward.
  • General knowledge of Active Directory administration

Mozilla Firefox

Download and Install the Mozilla Firefox templates

  1. On your management endpoint, download the Mozilla Firefox policy templates.
    1. Each update post will have a zip file with the templates, with a name syntax such as policy_templates_v6.5.zip.
  2. Extract the Mozilla Firefox policy templates .zip file. Navigate to the windows folder within the extracted files.
  3. The windows folder will contain firefox.admx and multiple language folders such as en-US. Each language folder will include a matching firefox.adml file.
  4. Open a separate Windows Explorer window, and navigate to \\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions, where ad.example.com corresponds to your Active Directory Fully Qualified Domain Name.
    1. Copy firefox.admx from your extracted folder into the root of the PolicyDefinitions folder.
    2. For each language you require, copy the matching firefox.adml from within its folder, to the corresponding language folder within PolicyDefinitions.

Create a Firefox Group Policy - uBlock Origin

Now you will create the GPO which enforces uBlock Origin installation on Mozilla Firefox.
  1. On your management endpoint, open gpmc.msc.
  2. Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
    1. If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
      1. Alternate-select (right-click) the additional OU.
      2. Select “Link an Existing GPO…”
      3. Select the policy.
  3. Select your newly created policy and choose “Edit…”
  4. Under “Computer Configuration”, expand Policies, Administrative Templates, Mozilla, Firefox, and then select Extensions.
  5. Under Extensions, select “Extensions Management”.
    1. Switch the “Not Configured” radio option to “Enabled”.
    2. Under “Options” choose “Show…”
    3. In the resulting panel window, paste the JSON from the following code block.
    4. Select “OK” in the “Show Contents” window, and then select OK in the “Extensions to Install” window.
The example format will install uBlock Origin, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This enables users to disable filtering on individual websites if they suspect it might be causing an issue.
If you wish to install uBlock Origin Lite instead, replace uBlock0@raymondhill.net with uBOLite@raymondhill.net in the JSON block.

Create a Firefox Group Policy - uBlock Origin Lite

Now you will create the GPO which enforces uBlock Origin Lite installation on Mozilla Firefox.
  1. On your management endpoint, open gpmc.msc.
  2. Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
    1. If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
      1. Alternate-select (right-click) the additional OU.
      2. Select “Link an Existing GPO…”
      3. Select the policy.
  3. Select your newly created policy and choose “Edit…”
  4. Under “Computer Configuration”, expand Policies, Administrative Templates, Mozilla, Firefox, and then select Extensions.
  5. Under Extensions, select “Extensions Management”.
    1. Switch the “Not Configured” radio option to “Enabled”.
    2. Under “Options” choose “Show…”
    3. In the resulting panel window, paste the JSON from the following code block.
    4. Select “OK” in the “Show Contents” window, and then select OK in the “Extensions to Install” window.
The example format will install uBlock Origin Lite, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This enables users to disable filtering on individual websites if they suspect it might be causing an issue.

Google Chrome

Download and Install the Google Chrome templates

  1. On your management endpoint, download the latest Google Chrome Group Policy definition templates.
  2. Extract the Google Chrome policy_templates.zip file. It will contain three folders, chromeos, mac and windows. Navigate to the windows folder.
  3. The windows folder will contain three subfolders, adm, admx, and examples. Navigate to admx.
  4. The admx folder will contain chrome.admx and multiple language folders such as en-US. Each language folder will include a matching chrome.adml file.
  5. Open a separate Windows Explorer window, and navigate to \\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions, where ad.example.com corresponds to your Active Directory Fully Qualified Domain Name.
  6. Copy chrome.admx from your extracted folder into the root of the PolicyDefinitions folder.
  7. For each language you require, copy the matching chrome.adml from within its folder, to the corresponding language folder within PolicyDefinitions.

Create a Google Chrome Group Policy - uBlock Origin Lite

Now you will create the GPO which enforces uBlock Origin Lite installation on Google Chrome.
  1. On your management endpoint, open gpmc.msc.
  2. Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
    1. If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
      1. Alternate-select (right-click) the additional OU.
      2. Select “Link an Existing GPO…”
      3. Select the policy.
  3. Select your newly created Group Policy and choose “Edit…”.
  4. Under “Computer Configuration”, expand Policies, Administrative Templates, Google, Google Chrome, and then select Extensions.
  5. Under Extensions, select “Extension management settings” to open the extended configuration menu.
    1. Switch the “Not Configured” radio option to “Enabled”.
    2. Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
      1. The complete block is provided next, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
    3. Select “OK” in the “Show Contents” window, and then select OK in the “Extension management settings” window. The policy is now saved.
Here is the example install JSON as one line, ready to be pasted into the configuration:
Here is the example install JSON in block format:
The example format will install uBlock Origin Lite, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This allows users to disable filtering on individual websites if they suspect it might be causing an issue.
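The one-line conversion in step 5 can also be done in PowerShell, which checks that the JSON parses before it reaches the policy field. This is an added example, not the article's original code block: the extension key is a constructed placeholder, and the update_url and toolbar_pin entries are assumptions based on Chrome's documented ExtensionSettings format.

```powershell
# Added example: validate a block-form ExtensionSettings JSON and emit the
# single-line form that the Group Policy text field expects.
# EXTENSION_ID_PLACEHOLDER is a constructed stand-in, not a real extension ID;
# replace it with the ID of the extension you are deploying.
$blockJson = @'
{
  "EXTENSION_ID_PLACEHOLDER": {
    "installation_mode": "force_installed",
    "update_url": "https://clients2.google.com/service/update2/crx",
    "toolbar_pin": "force_pinned"
  }
}
'@

# installation_mode values named in this article. Extend the list if your
# browser's policy documentation defines further modes.
$KnownModes = 'force_installed', 'normal_installed', 'blocked', 'allowed'

function ConvertTo-PolicyJsonLine {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Json)

    # 1. Reject anything that is not valid JSON (trailing commas, smart quotes).
    try {
        $settings = $Json | ConvertFrom-Json -ErrorAction Stop
    } catch {
        throw "Policy JSON does not parse: $($_.Exception.Message)"
    }

    # 2. Check every extension entry before it is pushed to the whole OU.
    foreach ($entry in $settings.PSObject.Properties) {
        $mode = $entry.Value.installation_mode
        if ($mode -notin $KnownModes) {
            throw "Entry '$($entry.Name)': unknown installation_mode '$mode'."
        }
        # An installed extension needs a source: update_url (Chrome/Edge
        # style) or install_url (Firefox style).
        $needsSource = $mode -in 'force_installed', 'normal_installed'
        $hasSource   = $entry.Value.update_url -or $entry.Value.install_url
        if ($needsSource -and -not $hasSource) {
            throw "Entry '$($entry.Name)': '$mode' requires update_url or install_url."
        }
    }

    # 3. Re-serialize without whitespace; -Depth keeps nested objects intact.
    $line = $settings | ConvertTo-Json -Compress -Depth 10
    if ($line -match '[\r\n]') {
        throw 'Compressed JSON still contains a line break.'
    }
    return $line
}

# Prints the single line to paste into "Extension management settings".
ConvertTo-PolicyJsonLine -Json $blockJson
```

Edit the values in the here-string, rerun the script, and paste the printed line; a typo in the block form then fails on your management endpoint instead of silently producing a policy the browser ignores.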

Create a Google Chrome Group Policy - uBlock Origin

Now you will create the GPO which enforces uBlock Origin installation on Google Chrome.
  1. On your management endpoint, open gpmc.msc.
  2. Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
    1. If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
      1. Alternate-select (right-click) the additional OU.
      2. Select “Link an Existing GPO…”
      3. Select the policy.
  3. Select your newly created Group Policy and choose “Edit…”.
  4. Under “Computer Configuration”, expand Policies, Administrative Templates, Google, Google Chrome, and then select Extensions.
  5. Under Extensions, select “Extension management settings” to open the extended configuration menu.
    1. Switch the “Not Configured” radio option to “Enabled”.
    2. Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
      1. The complete block is provided next, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
    3. Select “OK” in the “Show Contents” window, and then select OK in the “Extension management settings” window. The policy is now saved.
Here is the example install JSON as one line, ready to be pasted into the configuration:
Here is the example install JSON in block format:
The example format will install uBlock Origin, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This allows users to disable filtering on individual websites if they suspect it might be causing an issue.

Microsoft Edge

Download and Install the Microsoft Edge templates

The Microsoft Edge templates are packaged in a cab file which contains a zip file.
  1. On your management endpoint, download the Microsoft Edge policy templates.
    1. Under “download the latest”, look for the Windows 64-bit section, and the “Download Windows 64-bit Policy” link.
  2. Open the cab file named MicrosoftEdgePolicyTemplates.cab, which will contain MicrosoftEdgePolicyTemplates.zip.
  3. Open the zip file. Windows will prompt you for a folder to place the zip file into.
  4. Navigate to the folder you selected, and extract the zip file.
  5. The extracted folder will contain four subfolders, examples, html, mac, and windows. Navigate to windows.
  6. Within the windows folder, choose the admx folder.
  7. The admx folder will contain msedge.admx and multiple language folders such as en-US. Each language folder will include a matching msedge.adml file.
  8. Open a separate Windows Explorer window, and navigate to \\ad.example.com\SYSVOL\ad.example.com\Policies\PolicyDefinitions, where ad.example.com corresponds to your Active Directory Fully Qualified Domain Name.
  9. Copy msedge.admx from your extracted folder into the root of the PolicyDefinitions folder.
  10. For each language you require, copy the matching msedge.adml from within its folder, to the corresponding language folder within PolicyDefinitions.

Create a Microsoft Edge Group Policy - uBlock Origin Lite

Now you will create the group policy which enforces uBlock Origin Lite installation on Microsoft Edge.
  1. On your management endpoint, open gpmc.msc.
  2. Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
    1. If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
      1. Alternate-select (right-click) the additional OU.
      2. Select “Link an Existing GPO…”
      3. Select the policy.
  3. Select your newly created Group Policy and choose “Edit…”
  4. Under “Computer Configuration”, expand Policies, Administrative Templates, Microsoft Edge, and then select Extensions.
  5. Under Extensions, select “Configure extension management settings”.
    1. Switch the “Not Configured” radio option to “Enabled”.
    2. Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
      1. The full block is provided, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
  6. Select “OK” in the “Extension management settings” window. The policy is now saved.
Here is the example install JSON as one line, ready to be pasted into the configuration:
Here is the example install JSON in block format:
The example format will install uBlock Origin Lite, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This enables users to disable filtering on individual websites if they suspect it might be causing an issue.

Create a Microsoft Edge Group Policy - uBlock Origin

Now you will create the group policy which enforces uBlock Origin installation on Microsoft Edge.
  1. On your management endpoint, open gpmc.msc.
  2. Expand your forest and domain until you locate the OU which contains your WorkSpaces. Select the OU, and choose “Create a new GPO in this domain, and Link it here…”
    1. If you need to associate the policy to multiple OUs, you can link them to the policy after creation.
      1. Alternate-select (right-click) the additional OU.
      2. Select “Link an Existing GPO…”
      3. Select the policy.
  3. Select your newly created Group Policy and choose “Edit…”
  4. Under “Computer Configuration”, expand Policies, Administrative Templates, Microsoft Edge, and then select Extensions.
  5. Under Extensions, select “Configure extension management settings”.
    1. Switch the “Not Configured” radio option to “Enabled”.
    2. Under “Options” there will be an “Extension management settings” open text field. In this field, you will need to paste a single line of JSON which contains the valid configuration.
      1. The full block is provided, as is a one-line version. If you’d like to alter the settings, do so in the large block version. To shrink the JSON to one line, you can use your preferred advanced text editor’s methods to make a one-line JSON. For example, here is the method for Visual Studio Code.
  6. Select “OK” in the “Extension management settings” window. The policy is now saved.
Here is the example install JSON as one line, ready to be pasted into the configuration:
Here is the example install JSON in block format:
The example format will install uBlock Origin, and prevent users from disabling the extension. The extension’s icon will be pinned next to the URL bar automatically. This enables users to disable filtering on individual websites if they suspect it might be causing an issue.

Testing

You may now close the Group Policy Editor and test the policy. Note that while the policy should replicate quickly, every Active Directory environment is different. If the Group Policy Object was created on a domain controller in a different Site, there might be a replication delay. This will vary depending on the size and configuration of your Active Directory setup.
To test the policy:
  1. Log into a WorkSpace or AppStream instance whose Computer Object is in the OU linked to the Group Policy object you created.
  2. Open a PowerShell or Command Prompt window with administrative rights.
  3. Run the following command: gpupdate /force
Chrome and Edge will apply the new policy immediately, even if they were open when the policy was being updated. uBlock Origin will install and be visible in the list of extensions, and will be pinned to the right of the navigation URL bar.
However, if Firefox was running when the policy was updated, it will need to be restarted for the policy to take effect. If you need to ensure the policy is applied right away, you can reboot your WorkSpaces. After the policy is applied, you will see uBlock Origin in the list of extensions, and it will be pinned to the right of the navigation bar.
If you do not see uBlock Origin, you can use gpresult /r /scope:computer in an administrator PowerShell or Command Prompt window. This will confirm if the WorkSpaces instance is receiving the intended group policy configuration. You must open PowerShell or Command Prompt with administrator permissions to see Computer scoped Group Policy objects.
Additionally, each browser has internal URLs where you can validate the policies it is receiving and the extensions it has installed. They are:
  • Google Chrome: chrome://policy and chrome://extensions
  • Microsoft Edge: edge://policy and edge://extensions
  • Mozilla Firefox: about:policies and about:addons
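The same check can be scripted so it runs without opening each browser. This is an added example, not code from the original article: the registry locations are the policy keys documented by each browser vendor and are an assumption about where the imported templates write ExtensionSettings, and the sample value is constructed.

```powershell
# Added example: report which extensions the machine-level ExtensionSettings
# policy covers for each browser, and with which installation_mode.
# Assumption: the ADMX templates write ExtensionSettings under these
# vendor-documented policy keys (not taken from the article).
$PolicyKeys = [ordered]@{
    'Google Chrome'   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Microsoft Edge'  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Mozilla Firefox' = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
}

function Get-ExtensionPolicyEntries {
    param(
        [Parameter(Mandatory)][string]$Browser,
        [string[]]$RawValue   # REG_SZ gives one string, REG_MULTI_SZ several
    )
    if (-not $RawValue) {
        return [pscustomobject]@{
            Browser = $Browser; ExtensionId = $null
            InstallationMode = '(policy not set)'
        }
    }
    try {
        # Join multi-line values back into one JSON document before parsing.
        $settings = ($RawValue -join "`n") | ConvertFrom-Json -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Browser = $Browser; ExtensionId = $null
            InstallationMode = '(invalid JSON in policy)'
        }
    }
    foreach ($entry in $settings.PSObject.Properties) {
        [pscustomobject]@{
            Browser          = $Browser
            ExtensionId      = $entry.Name
            InstallationMode = $entry.Value.installation_mode
        }
    }
}

function Get-BrowserExtensionPolicy {
    foreach ($browser in $PolicyKeys.Keys) {
        # A missing key or value yields $null, reported as "policy not set".
        $item = Get-ItemProperty -Path $PolicyKeys[$browser] `
            -Name ExtensionSettings -ErrorAction SilentlyContinue
        Get-ExtensionPolicyEntries -Browser $browser -RawValue $item.ExtensionSettings
    }
}

# Constructed sample in the multi-line shape a REG_MULTI_SZ value arrives in;
# the extension ID is the Firefox uBlock Origin ID given in this article.
$sample = @(
    '{',
    '  "uBlock0@raymondhill.net": { "installation_mode": "force_installed" }',
    '}'
)
$report  = @(Get-ExtensionPolicyEntries -Browser 'Firefox (constructed sample)' -RawValue $sample)
$report += @(Get-BrowserExtensionPolicy)
$report | Format-Table -AutoSize
```

Run it in an elevated PowerShell window after gpupdate /force; a browser that reports "(policy not set)" has not received the GPO, which points to OU linkage or replication rather than the browser itself.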

Rollback

If you would like to roll back the changes at any point, you can do so with the following procedure.
For Chrome and Edge, the only action required is either disabling or deleting the Group Policy object which installs the extension.
You can disable a Group Policy by disabling the link between the Group Policy Object and the OU that your computer objects are in. The next time Windows updates group policy, the extension will be removed automatically.
For Firefox, disabling or deleting the Group Policy will not uninstall the extension. In order to uninstall the extension, you will need to alter the Group Policy object to uninstall the extension instead of installing it.
  1. In the Group Policy Management Editor, edit your Firefox policy. Navigate to Computer Configuration > Policies > Administrative Templates > Mozilla > Firefox > Extensions.
  2. Open the “Extensions Management” setting.
  3. In the resulting window, under “Options”, you’ll see the JSON which configures the extension installation.
  4. In the JSON block, the value for installation_mode will be set to either force_installed or normal_installed. Change this value to blocked as shown in the following code block. This will remove the extension and prevent it from being reinstalled.
    1. If you would like to leave it as an option for end users, you can also use allowed instead of blocked. This will not remove the extension, and users will be allowed to add it.
  5. Close out of the settings for the Group Policy.
Blocking uBlock Origin:
Blocking uBlock Origin Lite:
Windows updates group policy every 90 minutes with a randomized offset of up to 30 minutes by default. You can also update immediately with gpupdate /force. Chrome and Edge will immediately update with the changes from Group Policy with no need for the user to restart their browser. Firefox will not apply the settings until the next time the browser is restarted.
To complete the rollback, remove any admx and adml template files which were added to your domain’s SYSVOL folder.

Conclusion / Further Reading

In this post, you imported Group Policy templates for managing Microsoft Edge, Google Chrome, and Mozilla Firefox. You deployed Group Policy Objects for those browsers. These ensure the uBlock Origin or uBlock Origin Lite extension is installed automatically for your Windows WorkSpaces or AppStream instances on those web browsers.
The uBlock Origin/uBlock Origin Lite extension, depending on which was installed, will be visible in the extensions toolbar of your browser. When selected, the extension offers additional controls, such as the ability to allowlist a website with no adblocking. There is a useful reference guide for that functionality on the development team's GitHub, available here. There is additional reading on the administrative configurations available here.
With uBlock Origin or uBlock Origin Lite deployed, end users browsing the internet will see a decrease in CPU/RAM usage from the web browser on many websites. The reduction in resource usage can be attributed to blocking the loading of unnecessary web elements, freeing system resources for usage elsewhere. This also helps increase organizational security by reducing the attack surface for malware.
 

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.