How do I turn on the EC2 serial console, SAC, and boot menu to troubleshoot my Windows EC2 instance?

7 minute read

I want to troubleshoot the Amazon Elastic Compute Cloud (Amazon EC2) serial console, Special Admin Console (SAC), and boot menu in my Windows instance.

Short description

To turn on the EC2 serial console, the SAC, and the boot menu on your Windows instance, use the AWSSupport-EnableWindowsEC2SerialConsole automation runbook. For instances in the running state managed by AWS Systems Manager, the runbook runs a Systems Manager Run Command PowerShell script. This script turns on the SAC and boot menu. For instances in the stopped state or not managed by Systems Manager, the runbook uses the AWSSupport-StartEC2RescueWorkflow automation workflow. This workflow creates a temporary EC2 instance to perform changes offline.

Use the serial console to manually troubleshoot your Windows instance. Amazon EC2 serial console connects to your instance's serial port to help you troubleshoot boot, network configuration, and other issues. The serial console doesn't require your instance to have any networking capabilities and uses commands to function from your instance's serial port. The serial console session lasts during the instance reboot and stop. When your instance reboots, boot messages are viewed from the start.

For more information about supported instance families and AWS Regions, see Prerequisites for the EC2 Serial Console.

Resolution

Use the automation runbook

Prerequisites: Make sure that your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see Required IAM permissions in AWSSupport-EnableWindowsEC2SerialConsole.

Important:

If you turn on SAC, then the EC2 services that rely on password retrieval don't work from the Amazon EC2 console. For more information, see (Windows instances) Use SAC to troubleshoot your instance.
To configure access to the serial console, you must grant serial console access at the AWS account level. Then, configure IAM policies to grant access to your users. You must also configure a password-based user on every instance. For more information, see Configure access to the EC2 Serial Console.
For information on how to determine if the serial console is turned on in your account, see View account access status to the serial console.
Serial console access is supported only on virtualized instances built on the Nitro System.

To use the runbook, complete the following steps:

Open the Systems Manager console.
In the navigation pane, choose Shared Resources, and then choose Documents.
Select Automation documents and then search for and choose AWSSupport-EnableWindowsEC2SerialConsole.
Choose Execute automation.
For the input parameters, enter the following values:
InstanceId (Required): The ID of EC2 instance.
AutomationAssumeRole (Optional): The ARN of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If a role isn't specified, then Systems Manager Automation uses the permissions of the user that starts this runbook.
HelperInstanceType (Conditional): The type of Amazon EC2 instance that the runbook provisions to configure EC2 Serial Console access for an offline instance.
HelperInstanceProfileName (Conditional): The name of an existing IAM instance profile for the helper instance. This information is required when you turn on SAC and boot menu on an instance in the stopped state. It's also required when the instance isn't managed by Systems Manager. If an IAM instance profile isn't specified, then the automation creates one for you.
SubnetId (Conditional): The subnet ID for the helper instance. By default, the automation uses the same subnet where the provided instance resides.
Note: If the target instance is in the stopped state or isn't managed by Systems Manager, then a custom subnet must meet the following requirements: must be in the same Availability Zone as the InstanceId and must allow access to the Systems Manager endpoints.
CreateInstanceBackupBeforeScriptExecution (Optional): Choose True to create an Amazon Machine Image (AMI) backup of the EC2 instance before the SAC and boot menu are turned on. The AMI persists after the automation completes. It's your responsibility to secure access to the AMI, or to delete it.
BackupAmazonMachineImagePrefix (Conditional): A prefix for the AMI that's created when the CreateInstanceBackupBeforeScriptExecution parameter is set to True.
Choose Execute.
Review detailed results in the Outputs section. The following are the sections contained in the output:
EnableSACAndBootMenu.Output: Output of command execution in EnableSACAndBootMenu step.
GetExecutionDetails.OfflineScriptOutput: Output of offline script executed in the RunAutomationToInjectOfflineScriptForEnablingSACAndBootMenu step.
GetExecutionDetails.BackupBeforeScriptExecution: Image ID of the backup AMI taken when the CreateInstanceBackupBeforeScriptExecution input parameter is True.

Manually use the serial console to troubleshoot your Windows instance

To use the serial console to troubleshoot your Windows instance, complete one of the following tasks:

Note: Before you begin, make sure that you configure access to the serial console.

Turn on SAC

To turn on SAC, complete the following steps:

Use the Remote Desktop Protocol (RDP) to connect to your Windows instance, and then run the following commands:

Turn on SAC:

bcdedit /ems {current} on
bcdedit /emssettings EMSPORT:1 
EMSBAUDRATE:115200

Turn on the boot menu:

bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 15
bcdedit /set {bootmgr} bootems yes

Reboot the instance to apply the updated configuration:
```
shutdown -r -t 0
```
Note: When you use the previous commands to turn on and configure SAC, you can directly connect SAC from the Amazon EC2 console.
Use SAC to troubleshoot your Windows instance.

Turn on SAC offline

To turn on SAC offline, complete the following steps:

Open the Amazon EC2 console.
In the navigation pane, choose Instances, and then choose Instances.
Select the affected instance and choose Instance state, and then choose Stop instance.
Choose Launch instances, and then create a temporary instance in the same Availability Zone as the affected instance.
Note: Make sure that you choose an instance type that uses a different version of Windows. For example, if your instance is Windows Server 2016, then choose a Windows Server 2012 R2 or 2019 instance.
In the navigation pane, choose Elastic Block Store and then choose Volumes.
Choose the root Amazon Elastic Block Store (Amazon EBS) volume of the affected instance.
Detach the Amazon EBS volume and use the default device name (xvdf) to attach the volume to the temporary instance.
Use RDP to connect to the temporary instance, and then use the Disk Management utility to make the volume available for use on Windows.

Open a command prompt and run the following command:

Note: Replace d with the drive letter of the secondary volume that you attached:

bcdedit /store d:\boot/bcd /set {default} ems on
bcdedit /store d:\boot/bcd /emssettings EMSPORT:1 EMSBAUDRATE:115200
bcdedit /store d:\boot/bcd /set {bootmgr} displaybootmenu yes
bcdedit /store d:\boot/bcd /set {bootmgr} timeout 15
bcdedit /store d:\boot/bcd /set {bootmgr} bootems yes

In the Disk Management utility, choose the drive that you attached. Open the context menu, and choose Offline.
In the Amazon EC2 console, detach the affected volume from the temporary instance. Reattach the original volume to your original instance with the device name /dev/sda1. To designate the volume as a root volume, make sure that you specify this device name.
Use SAC from the serial console to start the instance.
(Optional) Delete or stop the temporary instance.

Related information

AWS Support Automation Workflows (SAW)

Run an automated operation powered by Systems Manager Automation

Setting up Automation

EC2 Serial Console for instances

Topics: Compute End User Computing
Tags: Amazon EC2 AWS Support Automation Workflows Windows
Language: English

AWS OFFICIALUpdated 8 months ago

No comments

Relevant content

EC2 - Serial Console Black Screen
Accepted Answer
RamizSrour
asked 6 months ago
EC2 "Instance reachability check failed" network adapter disabled
SNR
asked a year ago
How to enable SAC with Cloud Shell
AWS-User-6176623
asked 3 years ago
Unable to access Spring Boot application deployed on AWS EC2 instance (Windows Server 2022)
localhost_8080
asked 3 years ago
Redhat 8 instance doesn't boot
Socius24
asked 4 months ago
How do I troubleshoot an EC2 Linux instance that failed the instance status check due to operating system issues?
AWS OFFICIALUpdated a year ago
Why does my EC2 Linux instance go into emergency mode when I try to boot it?
AWS OFFICIALUpdated 2 months ago
How can I troubleshoot an EC2 Windows instance that is unreachable or can't reach the DNS after upgrading the drivers?
AWS OFFICIALUpdated 3 years ago
How do I troubleshoot an instance status check failure on my Amazon EC2 Windows instance?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot and deep dive windows patching / updates installation failures on EC2 Windows Instances?
EXPERT
Phanindra V
published 4 months ago