# Troubleshooting
The following section discusses common issues you might encounter when you work in the AWS GovCloud (US-West) or AWS GovCloud (US-East) Regions.
# Client.UnsupportedOperation: Instances can only be launched within Amazon VPC in this region
**Service:** Amazon EC2
**Issue:** When I attempt to launch an instance by using the CLI or API, I get a "Client.UnsupportedOperation: Instances can only be launched within Amazon VPC in this region" error.
**Cause:** Your account might not have a VPC.
**Recommended Action:** Verify that your account has a VPC. If not, create a VPC and then use it to launch instances.
In some cases, your account might have a default VPC. For more information, see [Determining if your account has a default VPC](govcloud-ec2.md#govcloud-ec2-vpc). If you still receive this error when you run the `ec2-run-instances` command (or the `RunInstances` action) to launch an Amazon EC2 instance, you must specify the `subnet` parameter. Although the `subnet` parameter is optional in other regions, if you omit it in the AWS GovCloud (US-West) Region, you receive an error.
# AWS GovCloud (US) Administrator Account Password Reset
If you’ve lost access to your AWS GovCloud (US) account, please review the following options:
+ [Troubleshooting AWS GovCloud (US) sign-in or account issues](govcloud-sign-in-issues.md)
+ [Restore IAM Administrator access to the AWS Management Console for AWS GovCloud (US)](govcloud-account-root-user.md#restore-root-user-keys)
+ [Requesting root access keys for an AWS GovCloud (US) account](govcloud-account-root-user.md#requesting-root-user-keys)
# Deactivating AWS GovCloud (US) MFA devices
If you are having trouble signing in with a multi-factor authentication (MFA) device as an IAM user, contact your administrator for help.
As an administrator, you can deactivate the device for another IAM user. This allows the user to sign in without using MFA. You might do this as a temporary solution while the MFA device is replaced, or if the device is temporarily unavailable. However, we recommend that you enable a new device for the user as soon as possible. To learn how to enable a new MFA device, see [Enabling MFA devices for users in AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html).
## Deactivating MFA devices (console)
To deactivate an MFA device for another IAM user (console)
1. Sign in to the AWS Management Console and open the IAM console at https://signin.amazonaws-us-gov.com/iam/
1. In the navigation pane, choose **Users**.
1. To deactivate the MFA device for a user, choose the name of the user whose MFA you want to remove.
1. Choose the **Security credentials** tab. Next to **Assigned MFA device**, choose **Manage**.
1. In the **Manage MFA device** wizard, choose **Remove**, and then choose **Remove**.
The device is removed from AWS. It cannot be used to sign in or authenticate requests until it is reactivated and associated with an AWS user.
## Deactivating MFA devices (AWS CLI)
To [deactivate an MFA device](https://docs.aws.amazon.com/cli/latest/reference/iam/deactivate-mfa-device.html) for an IAM user (AWS CLI) run this command:
```
aws iam deactivate-mfa-device
```
Example to deactivate an MFA device:
```
aws iam deactivate-mfa-device --user-name Bob --serial-number arn:aws-us-gov:iam::210987654321:mfa/BobsMFADevice
```
This command deactivates the virtual MFA device with the ARN `arn:aws-us-gov:iam::210987654321:mfa/BobsMFADevice` that is associated with the user `Bob`.
## Deactivating MFA devices (AWS API)
**To deactivate an MFA device for an IAM user (AWS API)**
+ Call this operation: [DeactivateMFADevice](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html)