Restrict WorkSpaces access to trusted devices
This article gives a step-by-step procedure for issuing a client certificate to trusted devices for WorkSpaces access. The basics of working with trusted devices for WorkSpaces access are explained in the public documentation listed under the related items for this article; the steps here are for customers who are less familiar with working with certificates.
Requirements
- Windows Server instance joined to the AD connected to the WorkSpace
- Client (Mac, Windows, etc.) that tries to connect to the WorkSpace
In this test, both the AD-joined instance and the client used to connect to the WorkSpace were Windows Server 2022 instances. To make the client device a trusted device, you must install a client authentication certificate issued by a Standalone Windows Root CA (created with a private key, configured for client authentication, and chained to the root certificate). The trusted device must also have the root CA certificate installed in its Trusted Root Certification Authorities store, and the same root CA certificate must be uploaded to the WorkSpaces console.
Steps
1. Log in to the Windows Server joined to the AD, open Server Manager, and click Manage > Add roles and features.
   Select Role-based or feature-based installation, and under Server Roles, click Active Directory Certificate Services. Continue clicking Next until Role services appears, then select "Certification Authority" and "Certification Authority Web Enrollment".
2. After installation, click the warning flag icon and select Configure Active Directory Certificate Services…
   Set the credentials to an AD Admin account, and in Role Services select "Certification Authority" and "Certification Authority Web Enrollment".
   Select Standalone CA > Root CA > Create a new private key > RSA#Microsoft Software Key Storage Provider, key length 2048, SHA256.
   Keep all other values at their defaults and click Next until the configuration finishes. Remember the Common Name for this CA: it is the name of the SSL certificate. Through this process, the Windows Server becomes a Standalone Windows Root CA.
3. Once configuration is complete, open IIS Manager. Click Default Web Site in the left panel and click Bindings in the top-right corner.
   Add a binding with type https, IP address All Unassigned, port 443, and the server's FQDN in the Host Name field. Choose the SSL certificate from the dropdown menu (the Common Name you noted in step 2).
4. Open Internet Explorer and navigate to https://<server FQDN>/certsrv. (Internet Explorer is recommended over Edge or Firefox, because other browsers may behave differently in the following steps.)
   Click Request a certificate → Advanced certificate request → Create and submit a request to this CA. If a warning appears, click Yes.
5. Under Identifying Information, enter the identifying details for the certificate.
6. Type of certificate: select Client Authentication Certificate. Key options: Create a new key set, CSP: Microsoft Enhanced RSA and AES Cryptographic Provider, Key usage: Both, Key size: 2048, Automatic key container name, Mark keys as exportable. Additional options: PKCS10, hash algorithm: sha256, specify a Friendly name, and click Submit (do not select Save request). If CSP remains in Loading status, see the Troubleshooting section below.
7. Open Certification Authority, click Pending Requests, right-click the request → All Tasks → Issue. The certificate now appears under Issued Certificates.
8. Go to https://<server FQDN>/certsrv → View the status of a pending certificate request → click the client authentication certificate → click Yes if a warning appears → click Install this certificate.
   After installation, the message "Your new certificate has been successfully installed." appears.
9. Run mmc.exe → File → Add/Remove Snap-in → Certificate → Add > My user account → OK.
10. Expand Certificates - Current User → Personal → Certificates and check that the client certificate is installed.
11. Right-click the certificate → All Tasks → Export… → Next.
    Select Yes, export the private key → PKCS #12 format → Include all certificates in the certification path if possible.
    Enter a password and click Next. Save the file to your Desktop with a recognizable name. This certificate must be installed on every client device that connects to the WorkSpace.
12. Copy the saved .pfx file to the client device (the trusted device). Right-click the file and select Install PFX. Keep all settings at their defaults, click Next, and select Yes if a warning appears. Repeat this step for every client device connecting to the WorkSpace. On the client device, open mmc.exe → File → Add/Remove Snap-in → Certificate → Add > My user account → OK. You should see the client certificate under Personal > Certificates.
    Under Trusted Root Certification Authorities > Certificates, verify that the root certificate that issued it is installed.
13. Next, import the Root CA certificate into the WorkSpaces console.
14. On the Standalone CA server, open mmc → File → Add/Remove Snap-in → Certificate → Computer account → Local computer → Finish.
15. In Personal → Certificates, find the Root Certificate.
    Right-click the certificate → All Tasks → Export… → No, do not export the private key → Base-64 encoded X.509. Save it to your Desktop with an easy-to-remember name. Open the saved certificate with Notepad and copy the entire text content.
16. Go to the WorkSpaces console, open the directory associated with the WorkSpace → Access control options → Edit. Set Windows to Trusted devices, click Import certificate, and paste the copied text to import it.
17. Repeat step 12 on every client device to install both the root certificate and the client certificate.
18. Now the client can connect to the WorkSpace using the WorkSpaces client.
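As an added check that is not part of the original article, the following PowerShell script verifies on a client device that the client certificate and root CA are in place as described above (client-auth EKU, private key present, chain ending at the expected root in Trusted Root Certification Authorities), and writes the root CA certificate out in the Base-64 X.509 form the console import expects. It assumes a parameter $RootCaCommonName holding the CA Common Name from step 2 and an output file on the Desktop; both names are chosen here.

```powershell
# Added example (not part of the original article): check trusted-device prerequisites
# on a Windows client, then write the root CA certificate out as Base-64 X.509.
# Assumption: $RootCaCommonName is the Common Name chosen for the standalone CA in step 2.
param(
    [Parameter(Mandatory = $true)]
    [string]$RootCaCommonName
)

$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, set by "Client Authentication Certificate"

# 1. Certificates in the user's Personal store that have a private key and the client-auth EKU.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthEku })
}
if (-not $candidates) {
    Write-Warning 'No client authentication certificate with a private key in Cert:\CurrentUser\My.'
    return
}

# 2. Each candidate must chain to the expected root in Trusted Root Certification Authorities.
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A standalone lab CA publishes no reachable CRL, so revocation is not checked here.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    '{0}: chain builds={1}, root="{2}", expected root={3}' -f `
        $cert.Thumbprint, $built, $root.Subject, ($root.Subject -like "CN=$RootCaCommonName*")
}

# 3. Export the root CA certificate as Base-64 encoded X.509, the same format as the mmc export
#    described above, ready to paste into Access control options > Import certificate.
$rootCert = Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$RootCaCommonName*" } | Select-Object -First 1
if ($rootCert) {
    $outFile = "$env:USERPROFILE\Desktop\workspaces-root-ca.cer"   # assumed output path
    $pem = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($rootCert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`n-----END CERTIFICATE-----"
    Set-Content -Path $outFile -Value $pem -Encoding Ascii
    "Root CA certificate written to $outFile"
} else {
    Write-Warning "No root certificate with CN=$RootCaCommonName in the Trusted Root stores."
}
```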
Troubleshooting
If CSP and Hash algorithm stay in Loading status during step 6, go to Internet Explorer > Settings > Internet Options > Security tab and add the server FQDN to Trusted sites.
Reference
[1] Restrict WorkSpaces access to trusted devices - https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html