Connecting to the serial console of a Windows VM instance
Warning
When assessing the risks associated with enabling VM access via the serial console, keep in mind the following:
- The VM will remain manageable over the internet even without an external IP address.
  A user who has successfully authenticated in the Yandex Cloud management console and has the required access permissions for the VM will be able to access the serial console. One can also access the VM serial console via SSH client applications, such as PuTTY, or through the CLI by authenticating with an SSH key. Therefore, make sure to prevent any unauthorized access to your SSH key and always end the web session to reduce interception risks.
- Your serial console session will simultaneously be shared by all users who have access to the serial console. Users will be able to see each other's actions if concurrently viewing the serial console output.
- A valid serial console session can be accessed by another user.
We recommend enabling serial console access only when absolutely necessary, granting access permissions to a limited group of trusted users, and using strong VM passwords.
When you are done using the management console, do not forget to disable access to it.
To connect to the serial console of a VM instance, first enable access to the serial console.
Connect to Windows SAC
You can connect to the serial console of a Windows VM instance using the management console
- In the management console, select the folder the VM instance resides in.
- Navigate to Compute Cloud.
- In the left-hand panel, select Virtual machines and select the VM instance from the list that opens.
- In the left-hand menu, select Serial console.
- In the drop-down list at the top of the screen, select the serial port used by the serial console for VM connections.
  By default, serial port COM2 is used on Windows VMs. To use a different port, configure it manually on your VM OS side.
- Make sure you have the Yandex Cloud CLI installed and configured on your machine.
  If you do not have the Yandex Cloud CLI yet, install and initialize it.
  The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- See the description of the CLI command for connecting to a serial console:
      yc compute connect-to-serial-port --help
- Enable metadata authorization when connecting to the serial console by specifying the virtual machine name or ID in this command:
      yc compute instance update <VM_name_or_ID> \
        --serial-port-settings ssh-authorization=INSTANCE_METADATA
  To learn how to find out the VM name or ID, see this section.
  Result:
      done (6s)
      id: fhm0b28lgfp4********
      folder_id: b1g9d2k0itu4********
      created_at: "2024-03-28T19:53:23Z"
      name: first-instance
      zone_id: ru-central1-a
      platform_id: standard-v3
      resources:
        memory: "1073741824"
        cores: "2"
        core_fraction: "20"
      status: RUNNING
      metadata_options:
        gce_http_endpoint: ENABLED
        aws_v1_http_endpoint: ENABLED
        gce_http_token: ENABLED
        aws_v1_http_token: DISABLED
      boot_disk:
        mode: READ_WRITE
        device_name: epdu3ce920e7********
        auto_delete: true
        disk_id: epdu3ce920e7********
      network_interfaces:
        - index: "0"
          mac_address: d0:0d:5c:**:**:**
          subnet_id: e2luhnr3rhf8********
          primary_v4_address:
            address: 192.168.1.21
            one_to_one_nat:
              address: 51.250.***.***
              ip_version: IPV4
          security_group_ids:
            - enpjauvetqfb********
      serial_port_settings:
        ssh_authorization: INSTANCE_METADATA
      gpu_settings: {}
      fqdn: sample-vm.ru-central1.internal
      scheduling_policy:
        preemptible: true
      network_settings:
        type: STANDARD
      placement_policy: {}
      hardware_generation:
        legacy_features:
          pci_topology: PCI_TOPOLOGY_V1
  Note
  If OS Login access is enabled at the organization level, all new VMs created in this organization will get the OS_LOGIN value in the serial_port_settings.ssh_authorization field by default. If OS Login access is disabled in the organization, the default value of this field will be INSTANCE_METADATA.
- Connect to the virtual machine's Windows SAC:
      yc compute connect-to-serial-port \
        --instance-name <VM_name> \
        --port 2
  Where:
  - --instance-name: VM name. Instead of the VM name, you can provide its ID in the --instance-id parameter.
  - --port: Number of the serial port used by the serial console for VM connections.
    By default, serial port COM2 is used on Windows VMs. To use a different port, configure it manually on your VM OS side.
  For more information about the yc compute connect-to-serial-port command, see the CLI reference.
This will open the Windows SAC shell.
Start the command line shell
To access the virtual machine's data and settings, start the command line shell:
- The serial console window that opens will display the command entry prompt:
      SAC>
- Show the list of open channels:
      ch
  Result:
      Channel List
      (Use "ch -?" for information on using channels)
      # Status  Channel Name
      0 (AV)    SAC
- Create a new channel with the CMD command shell instance:
      cmd
  Result:
      The Command Prompt session was successfully launched.
      SAC>
      EVENT:   A new channel has been created.  Use "ch -?" for channel help.
      Channel: Cmd0001
- To switch to the new channel, press ESC+TAB or run the following command:
      ch -sn Cmd0001
  Result:
      Name:                  Cmd0001
      Description:           Command
      Type:                  VT-UTF8
      Channel GUID:          e203fb79-d80d-11ea-87e3-c2679e14957d
      Application Type GUID: 63d02271-8aa4-11d5-bccf-00b0d014a2d0
      Press <esc><tab> for next channel.
      Press <esc><tab>0 to return to the SAC channel.
      Use any other key to view this channel.
- Press Enter and then enter the following one by one:
  - Username.
  - Domain if using a domain account to log in. Otherwise, enter the host name or leave empty.
  - Password.
      Please enter login credentials.
      Username: Administrator
      Domain  :
      Password: ***************
  This will launch an instance of the CMD command line shell:
      C:\Windows\system32>
- To run a PowerShell instance, run this command:
      powershell
  Result:
      Windows PowerShell
      Copyright (C) Microsoft Corporation. All rights reserved.
      PS C:\Windows\system32>
  Tip
  Configure Windows language settings to enable English input in PowerShell sessions accessed via the serial console.
  Navigate as follows: Control Panel → Region → Administrative → Welcome screen and new user accounts settings. Under Welcome Screen, specify:
  - Display Language: English (United States).
  - Input Language: English (United States) — US.
- To return to the SAC interface, press ESC + TAB + 0.
Warning
When you are done using the management console, do not forget to disable access to it.
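The recommendation above to keep serial console access enabled only when necessary can be checked with a small audit over exported instance descriptions. This is an added example, not part of the original documentation: the sample JSON is constructed, its field names follow the command result shown earlier on this page, and the `metadata` map with the `serial-port-enable` key and the function name `audit_serial_console` are assumptions not shown on this page.

```python
import json

# Constructed sample: instance descriptions in JSON form. Field names mirror the
# `yc compute instance update` result on this page; the `metadata` map and its
# `serial-port-enable` key are an assumption (not shown on this page).
SAMPLE = json.loads("""
[
  {"id": "vm-id-1", "name": "first-instance", "status": "RUNNING",
   "metadata": {"serial-port-enable": "1"},
   "serial_port_settings": {"ssh_authorization": "INSTANCE_METADATA"},
   "network_interfaces": [{"primary_v4_address": {
       "address": "192.168.1.21",
       "one_to_one_nat": {"address": "203.0.113.10", "ip_version": "IPV4"}}}]},
  {"id": "vm-id-2", "name": "internal-db", "status": "RUNNING",
   "metadata": {"serial-port-enable": "1"},
   "serial_port_settings": {"ssh_authorization": "OS_LOGIN"},
   "network_interfaces": [{"primary_v4_address": {"address": "192.168.1.30"}}]},
  {"id": "vm-id-3", "name": "web-1", "status": "RUNNING",
   "metadata": {},
   "serial_port_settings": {"ssh_authorization": "INSTANCE_METADATA"},
   "network_interfaces": [{"primary_v4_address": {"address": "192.168.1.40"}}]}
]
""")


def audit_serial_console(instances):
    """Return one finding per VM that still has serial console access enabled."""
    findings = []
    for vm in instances:
        meta = vm.get("metadata") or {}
        if str(meta.get("serial-port-enable", "0")) != "1":
            continue  # serial console access is not enabled on this VM
        auth = (vm.get("serial_port_settings") or {}).get(
            "ssh_authorization", "UNSPECIFIED")
        external_ip = any(
            "one_to_one_nat" in (nic.get("primary_v4_address") or {})
            for nic in vm.get("network_interfaces", []))
        notes = []
        if auth == "INSTANCE_METADATA":
            notes.append("metadata authorization in use; protect the SSH key")
        if not external_ip:
            notes.append("no external IP, but still manageable via the console")
        findings.append({"name": vm.get("name"), "id": vm.get("id"),
                         "ssh_authorization": auth,
                         "external_ip": external_ip, "notes": notes})
    return findings


if __name__ == "__main__":
    for finding in audit_serial_console(SAMPLE):
        print(json.dumps(finding))
```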