Unhide the C: drive on Amazon WorkSpaces Personal and Core

Overview

By default, initial Amazon WorkSpaces (Personal and Core) images hide the C: drive from Windows Explorer. This is not a security measure, as it does not prevent access to the drive, but does make it less discoverable.

This article will show you how to use Group Policy to remove this setting, so that the C: drive is visible by default in Windows Explorer.

Prerequisites

For this walkthrough, you should have the following prerequisites:

An AWS account
A pre-existing Windows WorkSpaces deployment
Access to your Active Directory, with sufficient privileges to create new Group Policy
A Windows computer joined to the domain you need to manage

Prerequisite: Install the Active Directory Administration Tools

This is a prerequisite section, to assist if you do not already have the Active Directory administration tools installed on your Windows domain management computer (such as your WorkSpace). If you already have these installed, you can skip to the next section.

These steps need to be performed on a Windows machine which is connected to the same Active Directory you will be administering. A Windows WorkSpace joined to the same domain is an option.

Begin by logging into the Windows WorkSpace or EC2 instance you will use for Active Directory administration.
Open an Administrative PowerShell console by right-selecting on the Start logo and choosing Windows PowerShell (Admin) or Terminal (Admin).
Run winver and note whether your system is based on Windows Server or Windows 10/11.
Run one of the following two commands, based on the result:

If your WorkSpace is based on Windows Server:

Install-WindowsFeature GPMC,RSAT-AD-Tools,RSAT-AD-PowerShell

If your WorkSpace is based on Windows 10 or 11:

Add-WindowsCapability -Name Rsat.GroupPolicy.Management.Tools -Online

Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools -Online

This will install the Active Directory MMC tools, Active Directory PowerShell commandlets, and the Group Policy console.

Prerequisite: Identify the WorkSpaces Organizational Unit

To scope this Group Policy to be specific to your WorkSpaces, you will need to identify the Organizational Unit your WorkSpaces’ Active Directory Computer Objects are placed into.

Open the WorkSpaces console. Validate your Region in the top right of the console, and change it if appropriate.
In the left menu, select Directories.
Select your Directory.
In the “Summary” section at the top, you will see “Organizational unit.” Note this for future reference (or keep this console open in a separate tab).

Create the Group Policy

Now that you have identified the Organizational Unit your WorkSpaces are on, you will create a Group Policy targeting that OU. If you have more than one OU, apply the GPO to the relevant OUs as needed after creation.

Open the Group Policy Management Console – gpmc.msc from the Run menu or the PowerShell prompt.
In the left console, expand Forest, Domains, and your domain Fully Qualified Domain Name. Locate the Organization Unit you identified previously.
Right select the OU and choose “Create a GPO in this domain, and Link it here…”
Provide a name and description which identify the GPO for the future, such as "Unhide the C drive".
If you need to associate your new Group Policy Object to multiple Organizational Units:
1. Right select the additional OU.
2. Choose Link an Existing GPO.
3. Choose the GPO you just created, and then OK.
4. Repeat for every additional OU you need to associate.
Right select your new GPO in the list, and choose “Edit”.
In the resulting Group Policy Management Editor window, expand Computer Configuration > Preferences > Windows Settings and select Registry.
Right select the Registry choice and then choose New > Registry Item.
In the resulting Properties window, make the following selections:
1. Action: Delete
2. Hive: HKEY_LOCAL_MACHINE
3. Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
4. Value name: NoDrives
Select OK to close the Properties window, and then close the Group Policy Management Editor.

You have now created the Group Policy to unhide the C drive.

Testing

To test, log into a WorkSpace instance in one of the OUs linked to your new Group Policy. Group Policy automatically refreshes on certain intervals, such as on restart, login, and every 90 minutes with a randomized offset of up to 30 minutes.

Log into a Windows WorkSpace, and open Windows Explorer.
Select "This Computer" in the left column.
You should see the C: and D: drive available.

If you do not see the C: drive, run gpupdate /force and then refresh Windows Explorer.

If the `D:` drive is still not present after updating Group Policy, run gpresult /h $env:userprofile\desktop\gp.html from your admin PowerShell session. This will put a gp.html file on the desktop. You can review this report to determine which Group Policies are and are not being applied, and adjust your settings accordingly.

The relevant section of the report is: Computer Details > Settings > Preferences > Windows Settings > Registry.

If the Computer Details section is empty, it means the gpresult command was run from a non-Admin PowerShell or Command Prompt session. Delete the file and re-run the command from an Admin session.

Rollback

To remove this setup, you must alter the Group Policy, rather than simply deleting it. Deleting the Group Policy will not roll back the changes to any computer which already applied the policy. This is because the policy is deleting the original registry value, so we must restore the original value to roll back.

To roll back the change and hide the `C:` drive again, follow these steps.

Open the Group Policy Management Console – gpmc.msc from the Run menu or the PowerShell prompt.
In the left console, expand Forest, Domains, and your domain Fully Qualified Domain Name. Locate the Organization Unit you identified in the previous section.
Right select the previously created "Unhide the C drive" GPO, and choose “Edit”.
In the resulting Group Policy Management Editor window, expand Computer Configuration > Preferences > Windows Settings and select Registry.
Right select the value you created previously. In the resulting Properties window, make the following changes:
1. Action: Update
2. Value data: 4
  1. Base: Decimal
3. Value type: REG_DWORD
  1. The "type" dropdown will remain greyed out and unavailable to select until something is entered into the Value data field.
Select OK to close the Properties window.

This will recreate the original value, hiding the C: drive once again (after their next Group Policy refresh).

Note that hiding the C: drive is not a security measure, as it does not prevent users from reading/writing to the drive. It only makes it slightly less discoverable. They can still type C: into the Windows Explorer navigation bar and navigate to the C: drive by that method.

Conclusion

In this article, you learned how to make the C: drive visible within Windows Explorer on Amazon WorkSpaces, as well as how to hide it again if needed.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.

Site Terms, Privacy, and more.