Arun's Blog

EC2 Windows Serial Console: Enable SAC, Boot into Safe Mode, and Exit

Tags: AWS, EC2, Windows, Troubleshooting, Disaster Recovery

TL;DR

Use AWS EC2 Serial Console with Windows SAC to troubleshoot unresponsive Windows instances. Enable Serial Console at the account level, run the AWS automation runbook to enable SAC, connect via the console, use bcdedit to boot into Safe Mode with Networking, and remove the safeboot flag when done. ESC+TAB switches between SAC channels.

Introduction

If you've ever had a Windows EC2 instance that won't boot properly, has a corrupted driver, or is stuck in a bad state, you know how frustrating it can be. Unlike physical servers where you can plug in a keyboard and monitor, cloud instances don't have that luxury - or do they?

AWS EC2 Serial Console gives you low-level access to your Nitro-based instances, similar to having a physical console connection. Combined with Windows Special Administration Console (SAC), you can troubleshoot boot issues, access Safe Mode, and recover instances that would otherwise require detaching volumes and mounting them elsewhere.

In this post, I'll walk you through the complete process of enabling Serial Console access, connecting via SAC, booting into Safe Mode with Networking, and returning to normal operation. This is an essential skill for any AWS administrator managing Windows workloads.

Prerequisites

  • Nitro-based EC2 instance (t3, m5, c5, r5, etc.)
  • Instance managed by SSM (or use the offline method via the runbook)
  • Serial Console access enabled at the account level
Warning

Serial Console only works with Nitro-based instances. Older instance types (t2, m4, c4, etc.) are not supported. Check the AWS documentation for a full list of supported instance types.

Step 1: Enable Serial Console Access at Account Level

Before you can use the Serial Console, you need to enable it for your AWS account. This is a one-time setup.

AWS Console Method

  1. Go to EC2 Dashboard
  2. Navigate to Account attributes → EC2 Serial Console
  3. Click Manage and enable it

CLI Method

aws ec2 enable-serial-console-access
Note

Enabling Serial Console at the account level is a security consideration. Only users with the ec2-instance-connect:SendSerialConsoleSSHPublicKey permission can connect. Review your IAM policies to ensure only authorized users have access.
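
One way to carry out the IAM review the note above asks for, as an added example (not code from the original post or from AWS): it flags Allow statements that reach ec2-instance-connect:SendSerialConsoleSSHPublicKey through wildcards or without instance scoping. The policies, account ID and the SerialConsole tag key are constructed placeholders, and Deny statements are not evaluated.

```python
import fnmatch

SERIAL_ACTION = "ec2-instance-connect:SendSerialConsoleSSHPublicKey"

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]

def grants_serial(stmt):
    """True if an Allow statement covers the serial console action, wildcards included."""
    if stmt.get("Effect") != "Allow":
        return False
    def hit(patterns):  # IAM action names are matched case-insensitively
        return any(fnmatch.fnmatchcase(SERIAL_ACTION.lower(), p.lower())
                   for p in _as_list(patterns))
    if "NotAction" in stmt:
        return not hit(stmt["NotAction"])
    return hit(stmt.get("Action", []))

def is_broad(resource):
    """True for "*" or an ARN whose instance-id part contains a wildcard."""
    tail = resource.split("instance/", 1)[1] if "instance/" in resource else resource
    return "*" in tail or "?" in tail

def review_policy(name, policy):
    """Return (policy, Sid, level) for each statement granting serial console access."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if not grants_serial(stmt):
            continue
        # A missing Resource (NotResource in use) is read as "*", the cautious choice
        broad = any(is_broad(r) for r in _as_list(stmt.get("Resource", "*")))
        level = "scoped" if not broad else ("conditional" if "Condition" in stmt else "unscoped")
        findings.append((name, stmt.get("Sid", "<no Sid>"), level))
    return findings

# Constructed sample policies; account ID, tag key and policy names are placeholders
POLICIES = {
    "ops-admin": {"Statement": [{"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "helpdesk": {"Statement": {"Sid": "ConnectAny", "Effect": "Allow", "Action": "ec2-instance-connect:Send*", "Resource": "*"}},
    "break-glass": {"Statement": [
        {"Sid": "TaggedOnly", "Effect": "Allow", "Action": [SERIAL_ACTION], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": {"StringEquals": {"aws:ResourceTag/SerialConsole": "allowed"}}},
        {"Sid": "OneInstance", "Effect": "Allow", "Action": SERIAL_ACTION, "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def456"}]},
    "readonly": {"Statement": [{"Sid": "Describe", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, doc in POLICIES.items():
        for finding in review_policy(name, doc):
            print(finding)
```

Statements reported as "unscoped" let the principal open a serial console session on any instance; "conditional" ones need a manual look at the Condition block.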

Step 2: Run the Automation Runbook to Enable SAC and Boot Menu

AWS provides an automation runbook that configures your Windows instance for Serial Console access. This enables SAC and the boot menu so you can interact with Windows during startup.

  1. Go to AWS Systems Manager → Automation
  2. Click Execute automation
  3. Search for AWSSupport-EnableWindowsEC2SerialConsole
  4. Select it and click Next
  5. Fill in:
    • InstanceId: Your instance ID (e.g., i-0abc123def456)
    • CreateInstanceBackupBeforeScriptExecution: True (recommended)
  6. Click Execute
  7. Wait for completion (instance will reboot)
Pro Tip

Enable SAC proactively on critical Windows instances before you need it. When an instance is stuck and unresponsive, you won't be able to run the SSM automation. Having SAC pre-configured gives you a recovery path ready to go.

Step 3: Connect to Serial Console

Once SAC is enabled, you can connect to your instance's Serial Console.

  1. Go to EC2 → Instances → Select your instance
  2. Click Connect → EC2 Serial Console tab → Connect
  3. You should see the SAC> prompt (press Enter if screen is blank)
Warning

If the screen is completely blank and pressing Enter doesn't show the SAC> prompt, the instance may not have SAC enabled, or it may be completely hung. Try stopping and starting the instance (not just rebooting) as this forces a fresh boot on different hardware.

Step 4: Open a Command Prompt Channel

SAC provides a text-based interface to interact with Windows. To run commands, you need to open a command channel.

  1. At the SAC> prompt, type:
     cmd
  2. You'll see: "The Command Prompt session was successfully launched." and "Channel: Cmd0001"
  3. Press ESC then TAB to switch to the command channel
  4. Press Enter or any key to view the channel
  5. Log in with your Windows username and password
Note

SAC authentication uses local Windows credentials, not your AWS credentials. You need to know the local Administrator password or another local account with admin rights. If you've lost the password, you may need to use the EC2 password retrieval feature (for instances launched with key pairs).

Step 5: Boot into Safe Mode with Networking

Now that you have command-line access, you can configure Windows to boot into Safe Mode on the next restart.

From the command prompt, run:

bcdedit /set {current} safeboot network
shutdown /r /t 0

The instance will reboot. When the Windows Boot Manager appears, press Enter to boot into Safe Mode.

Pro Tip

Use "safeboot network" instead of just "safeboot minimal" to retain networking capabilities. This allows you to use RDP to connect once the instance boots, making troubleshooting much easier than using the text-only SAC interface.

Step 6: Verify You're in Safe Mode

After reboot, reconnect to SAC to confirm you're running in Safe Mode.

  1. Type cmd at the SAC> prompt
  2. Press ESC then TAB
  3. Press Enter to view
  4. Log in with Windows credentials
  5. Run:
bcdedit /enum {current}

Look for safeboot Network in the output to confirm you're in Safe Mode.

Step 7: Exit Safe Mode (Return to Normal Boot)

Once you've completed your troubleshooting, you'll want to return to normal Windows operation.

Run:

bcdedit /deletevalue {current} safeboot
shutdown /r /t 0

The instance reboots back into normal Windows.

Warning

Do not forget to remove the safeboot flag! If you leave it set, your instance will boot into Safe Mode every time it restarts, which can cause issues with auto-scaling, maintenance windows, and normal operations.

Quick Reference - SAC Navigation

Action                                  Keys
Create command channel                  Type cmd at SAC> prompt
Switch to command channel               ESC then TAB
View channel                            Press Enter or any key
Return to SAC                           ESC then TAB then 0
Advanced boot options (at boot menu)    F8 or ESC + 8

Troubleshooting

Common Issues and Solutions

Issue: Serial Console option is grayed out or unavailable

Cause: Serial Console is not enabled at the account level, or the instance is not a Nitro-based type.

Solution: Enable Serial Console access with aws ec2 enable-serial-console-access. Verify your instance type is Nitro-based (t3, m5, c5, r5, etc.).

Issue: Blank screen when connecting to Serial Console

Cause: SAC is not enabled on the instance, or the instance is completely hung.

Solution: Press Enter several times. If no response, stop and start the instance (not reboot). If SAC was never enabled, you'll need to use the offline method or mount the volume on another instance.

Issue: "The Command Prompt session failed to start"

Cause: Windows services may not be running properly, or the instance is resource-constrained.

Solution: Wait a few minutes and try again. If persistent, the instance may need a stop/start cycle to clear the issue.

Issue: Cannot authenticate - password not accepted

Cause: Incorrect local Windows credentials or the account is locked out.

Solution: Use the correct local Administrator password. For instances launched with a key pair, you can retrieve the password via EC2 console (Actions → Security → Get Windows Password). If locked out, you may need to mount the volume on another instance and reset the password via registry.

Issue: Instance stuck at Windows Boot Manager

Cause: Boot configuration may have multiple entries or timeout is set very high.

Solution: Press Enter to boot the default entry, or use arrow keys to select the correct Windows installation. In Safe Mode, you can adjust the timeout with bcdedit /timeout 10.

Issue: Safe Mode boots but no network connectivity

Cause: You used "safeboot minimal" instead of "safeboot network", or the network driver is the problematic component.

Solution: Ensure you used bcdedit /set {current} safeboot network. If network driver is the issue, use SAC to uninstall or roll back the driver, then exit Safe Mode.

Issue: ESC+TAB not switching channels

Cause: Your terminal or SSH client may be intercepting the key combination.

Solution: Try pressing ESC, releasing, then pressing TAB. Some clients require a slight delay between keys. Also ensure your terminal is not capturing ESC for other purposes.

Issue: bcdedit returns "The boot configuration data store could not be opened"

Cause: Running without administrator privileges or the BCD store is corrupted.

Solution: Ensure you're logged in as Administrator. If the BCD is corrupted, you may need to rebuild it using Windows Recovery tools or by mounting the volume on another instance.

Conclusion

EC2 Serial Console with SAC is a powerful recovery tool that every Windows administrator on AWS should know about. It transforms what used to be a complex recovery operation (detaching volumes, mounting to another instance, editing registry) into a straightforward console-based troubleshooting session.

Key takeaways:

  • Enable Serial Console at the account level - it's a one-time setup
  • Use the AWS automation runbook to enable SAC on your instances
  • SAC navigation uses ESC + TAB to switch between channels
  • bcdedit commands control Safe Mode boot options
  • Always remove the safeboot flag when done troubleshooting

I recommend enabling SAC proactively on your critical Windows instances before you need it. When an instance won't boot properly at 2 AM, you'll be glad you have this recovery option ready to go.

Have you used Serial Console to recover a Windows instance? I'd love to hear about your experience!