Azure Serial Console for Azure VMs and Windows Server

Azure Serial Console is a game-changer for IT pros and system administrators. It allows you to access and manage your Azure VMs and Windows Server instances remotely, even when the network is down.

With Azure Serial Console, you can access your VMs and servers through a secure, web-based interface. This means you can troubleshoot and fix issues without having to physically access the devices.

You can use Azure Serial Console to access your VMs and servers from anywhere, at any time. This is especially useful for remote teams or when you're working on a project that requires 24/7 access.

Azure Serial Console supports both Azure VMs and Windows Server instances, making it a versatile tool for managing your infrastructure.

Prerequisites and Setup

To access the Azure Serial Console, you'll need to meet some prerequisites. Boot diagnostics must be enabled for the VM.

You'll also need a user account that uses password authentication within the VM. This can be created using the reset password function of the VM access extension.

Make sure the Azure account accessing Serial Console has the Virtual Machine Contributor role for both the VM and the boot diagnostics storage account.

Classic deployments aren't supported, so your VM or virtual machine scale set instance must use the Azure Resource Manager deployment model.

Additionally, Serial Console is not supported when the storage account has Allow storage account key access disabled.

Here's a quick rundown of the prerequisites:

  • Boot diagnostics must be enabled for the VM
  • A user account with password authentication must exist within the VM
  • The Azure account accessing Serial Console must have Virtual Machine Contributor role
  • Classic deployments aren't supported
  • Allow storage account key access must be enabled

Accessing the Azure Serial Console

To access the Azure Serial Console, you'll need to meet certain prerequisites. Boot diagnostics must be enabled for the VM, and a user account with password authentication must exist within the VM. You can create a password-based user with the reset password function of the VM access extension.

You'll also need an Azure account with Virtual Machine Contributor role for both the VM and the boot diagnostics storage account. Classic deployments aren't supported, so your VM or virtual machine scale set instance must use the Azure Resource Manager deployment model. Additionally, Serial Console is not supported when the storage account has Allow storage account key access disabled.

Here are the specific requirements in a concise list:

  • Boot diagnostics must be enabled for the VM
  • A user account with password authentication must exist within the VM
  • Azure account with Virtual Machine Contributor role for both the VM and the boot diagnostics storage account
  • Azure Resource Manager deployment model
  • Allow storage account key access must not be disabled

To access the Serial Console via the Azure portal, follow these steps: Open the Azure portal, navigate to All resources and select a Virtual Machine, and then scroll down to the Help section and select Serial console. A new pane with the serial console will open and start the connection.

For Virtual Machine Scale Sets, you'll need to navigate to the individual instance of a virtual machine scale set before seeing the Serial console button. Ensure boot diagnostics is enabled for the virtual machine scale set, and then upgrade all instances to the new model to access serial console.

You can also access the Serial Console via Azure CLI using the az serial-console command. If you don't have Azure CLI installed, install it and ensure the serial-console extension is installed and up-to-date.

Access to the serial console is limited to users with an access role of Virtual Machine Contributor or higher to the virtual machine. If your Microsoft Entra tenant requires multi-factor authentication (MFA), you'll also need MFA to access the serial console.
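A pre-flight check for the prerequisites and role requirement described above, followed by the az serial-console connection. This is an added example, not code from the original article; it assumes a signed-in Azure CLI, and the function names and the reading of "or higher" as the built-in Contributor and Owner roles are this example's own.

```sh
#!/bin/sh
# Added example: pre-flight check and access audit for Azure Serial Console.
# Usage: ./serial-console-preflight.sh <resource-group> <vm-name>
BD="diagnosticsProfile.bootDiagnostics"
# Assumption: "Virtual Machine Contributor or higher" is read as these
# built-in roles; custom roles are not evaluated.
ROLES="[?roleDefinitionName=='Virtual Machine Contributor' || roleDefinitionName=='Contributor' || roleDefinitionName=='Owner']"

# Prints a reason for each unmet prerequisite; succeeds only if none failed.
check_serial_console_prereqs() (
  rg=$1; vm=$2; failures=0
  enabled=$(az vm show -g "$rg" -n "$vm" --query "$BD.enabled" -o tsv)
  if [ "$enabled" != "true" ]; then
    echo "FAIL: boot diagnostics is not enabled on $vm"
    failures=$((failures + 1))
  fi
  # An empty storageUri means managed boot diagnostics (no custom account).
  uri=$(az vm show -g "$rg" -n "$vm" --query "$BD.storageUri" -o tsv)
  if [ -n "$uri" ] && [ "$uri" != "None" ]; then
    account=${uri#https://}
    account=${account%%.*}
    key=$(az storage account show -n "$account" \
      --query "allowSharedKeyAccess" -o tsv)
    if [ "$key" = "false" ]; then
      echo "FAIL: storage account $account has key access disabled"
      failures=$((failures + 1))
    fi
  fi
  [ "$failures" -eq 0 ]
)

# Lists principal and role for everyone whose assignment, direct or
# inherited, grants Serial Console access to the VM.
list_console_principals() (
  vm_id=$(az vm show -g "$1" -n "$2" --query id -o tsv)
  az role assignment list --scope "$vm_id" --include-inherited \
    --query "$ROLES.[principalName, roleDefinitionName]" -o tsv
)

if [ "$#" -eq 2 ]; then
  check_serial_console_prereqs "$1" "$2" || exit 1
  echo "Principals that can open the serial console on $2:"
  list_console_principals "$1" "$2"
  az extension add --name serial-console --upgrade
  az serial-console connect -g "$1" -n "$2"
fi
```

Reviewing the principal list before connecting shows how many identities can reach a console that bypasses the VM's network controls.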

Enable Windows Server Functionality

Enabling Windows Server Functionality is a crucial step in accessing the Serial Console on Azure.

To access the Special Administration Console (SAC), you must enable Emergency Management Services (EMS) on your Windows Server.

Newer Windows Server images on Azure have SAC enabled by default, but older images require manual enablement.

You can enable EMS automatically through the Azure portal's run command feature on older images.

In the Azure portal, select Run command and choose the EnableEMS command from the list.

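Alternatively, you can enable EMS from an elevated command prompt inside the VM with bcdedit. Running bcdedit /enum lists the boot entries, so you can confirm whether EMS is already on before changing anything.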

However, if you've already rebooted the VM in safe mode and haven't enabled EMS, you won't be able to do so online using the run commands.

In this case, you'll encounter an error and must repair the VM offline.

Here's a summary of the steps to enable EMS on older Windows Server images:

  1. Open the Azure portal.
  2. Select a VM and navigate to the Run command feature.
  3. Choose the EnableEMS command from the list.

Note that these steps only apply to older Windows Server images created before February 2018.
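The Run command steps above can also be driven from the Azure CLI. The following is an added example, not code from the original article: it checks the current boot entry first and only invokes EnableEMS when EMS is off. The function names and the PowerShell probe are this example's own; RunPowerShellScript and EnableEMS are Run Command IDs.

```sh
#!/bin/sh
# Added example: idempotent EMS enablement through Run Command.
# Usage: ./ensure-ems.sh <resource-group> <vm-name>

# Prints EMS_ON or EMS_OFF for the running boot entry. Fails with status 2
# when Run Command itself does not work (for example a VM in safe mode).
ems_state() (
  probe="if ((bcdedit /enum '{current}') -match '^ems\s+Yes') {'EMS_ON'} else {'EMS_OFF'}"
  out=$(az vm run-command invoke -g "$1" -n "$2" \
    --command-id RunPowerShellScript --scripts "$probe" \
    --query "value[0].message" -o tsv) || exit 2
  case "$out" in
    *EMS_ON*) echo EMS_ON ;;
    *EMS_OFF*) echo EMS_OFF ;;
    *) exit 2 ;;
  esac
)

# Enables EMS only when it is off, and reports what was done.
ensure_ems() (
  state=$(ems_state "$1" "$2") || {
    echo "Run Command failed; repair the VM offline"
    exit 2
  }
  if [ "$state" = "EMS_ON" ]; then
    echo "EMS already enabled"
  else
    az vm run-command invoke -g "$1" -n "$2" \
      --command-id EnableEMS >/dev/null || exit 2
    echo "EMS enabled; restart the VM to apply the boot setting"
  fi
)

if [ "$#" -eq 2 ]; then
  ensure_ems "$1" "$2"
fi
```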

Troubleshooting and Security

Troubleshooting the serial console can be a challenge, but it's often a matter of enabling boot diagnostics and Emergency Management Services (EMS) on your VM or virtual machine scale set.

If you're not seeing anything in the serial console, make sure boot diagnostics is enabled on your VM or virtual machine scale set. Newer Windows Server images on Azure have Special Administration Console (SAC) enabled by default, so that's one less thing to worry about.

Access to the serial console is limited to users with an access role of Virtual Machine Contributor or higher to the virtual machine. If your Microsoft Entra tenant requires multi-factor authentication (MFA), then access to the serial console will also need MFA.

Here are some common scenarios for accessing the Serial Console:

VM Scale Set Access

To access the serial console for a virtual machine scale set, you'll need to navigate to the individual instance of the scale set.

First, ensure boot diagnostics is enabled on your VM or virtual machine scale set. This is a crucial step, as the serial console relies on boot diagnostics to function.

Newer Windows Server images on Azure have the Special Administration Console (SAC) enabled by default, which allows access to the serial console.

To access the serial console via the Azure portal, follow these steps:

  1. Open the Azure portal.
  2. Navigate to All resources and select a Virtual Machine Scale Set.
  3. Navigate to Instances.
  4. Select a virtual machine scale set instance.
  5. From the Help section, select Serial console.

If your virtual machine scale set doesn't have boot diagnostics enabled, you'll need to update the virtual machine scale set model to enable boot diagnostics, and then upgrade all instances to the new model.

The serial console has screen reader support built in, making it accessible with a screen reader turned on.

Troubleshooting

Troubleshooting is a crucial part of maintaining the health and security of your virtual machine. Boot diagnostics must be enabled on your VM or virtual machine scale set to access the serial console.

To troubleshoot issues, you can use the serial console to access the Special Administration Console (SAC) on Windows. Newer Windows Server images on Azure have SAC enabled by default, making it easier to access the serial console.

In case you're not seeing anything in the serial console, check that Emergency Management Services (EMS) is enabled on Windows. This will allow you to access the SAC.

If you're dealing with a broken fstab file, incorrect firewall rules, filesystem corruption, or SSH configuration issues, the serial console can be a lifesaver.

The serial console is a powerful tool for troubleshooting and can be used to fix a range of issues, including those mentioned above.

Access Security

Access security is a top priority when it comes to troubleshooting and security in Azure. To access the serial console, you need an access role of Virtual Machine Contributor or higher to the virtual machine.

If your Microsoft Entra tenant requires multi-factor authentication (MFA), you'll also need MFA to access the serial console, as it's accessed through the Azure portal.

To ensure secure access, make sure the Azure account accessing the serial console has the Virtual Machine Contributor role for both the VM and the boot diagnostics storage account.

Here's a checklist to ensure you meet the prerequisites for accessing the Azure Serial Console:

  • Boot diagnostics must be enabled for the VM
  • A user account that uses password authentication must exist within the VM
  • The Azure account accessing Serial Console must have Virtual Machine Contributor role for both the VM and the boot diagnostics storage account
  • Classic deployments aren't supported; your VM or virtual machine scale set instance must use the Azure Resource Manager deployment model
  • Serial Console is not supported when the storage account has Allow storage account key access disabled

By following these security measures, you'll be able to access the serial console securely and troubleshoot any issues that may arise.

Data Storage and Encryption

Data Storage and Encryption is a key aspect of Azure Serial Console.

Azure Serial Console doesn't review, inspect, or store any data that's transmitted in and out of the virtual machine serial port.

This means there's no data to encrypt at rest.

To ensure that any in-memory data paged to disk by the virtual machines running Azure Serial Console is encrypted, use host-based encryption.

Host-based encryption is enabled by default for all Azure Serial Console connections.

Disable it

Disabling the serial console is a great way to add an extra layer of security to your Azure setup.

You can disable the serial console at either the subscription level or VM/virtual machine scale set level.

For detailed instructions, visit Enable and disable the Azure Serial Console.

Disable the serial console to prevent unauthorized access to your virtual machines.
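The two disable levels mentioned above, as an added example that is not part of the original article. It assumes a signed-in Azure CLI; the function names are this example's own, and the resource ID, API version and "disabled" property are assumptions about the Microsoft.SerialConsole provider as described in Microsoft's enable/disable guidance.

```sh
#!/bin/sh
# Added example: report and disable Serial Console access.
# Usage: ./disable-serial-console.sh <subscription-id>
#        ./disable-serial-console.sh <resource-group> <vm-name>
# Assumption: API version and property name of Microsoft.SerialConsole.
API_VERSION="2018-05-01"

console_resource_id() {
  echo "/subscriptions/$1/providers/Microsoft.SerialConsole/consoleServices/default"
}

# Succeeds when Serial Console is already disabled for the subscription.
subscription_console_disabled() (
  state=$(az resource show --ids "$(console_resource_id "$1")" \
    --api-version "$API_VERSION" --query "properties.disabled" -o tsv)
  [ "$state" = "true" ]
)

# Disables Serial Console for every VM in the subscription (idempotent).
disable_for_subscription() (
  if subscription_console_disabled "$1"; then
    echo "already disabled for subscription $1"
  else
    az resource invoke-action --action disableConsole \
      --ids "$(console_resource_id "$1")" \
      --api-version "$API_VERSION" >/dev/null || exit 1
    echo "disabled for subscription $1"
  fi
)

# Per-VM control: Serial Console depends on boot diagnostics, so turning
# boot diagnostics off removes console access for that VM only. This also
# stops boot log and screenshot collection for the VM.
disable_for_vm() {
  az vm boot-diagnostics disable -g "$1" -n "$2" >/dev/null &&
    echo "boot diagnostics (and Serial Console) disabled on $2"
}

case "$#" in
  1) disable_for_subscription "$1" ;;
  2) disable_for_vm "$1" "$2" ;;
esac
```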

Known Issues

As you're troubleshooting and securing your systems, you may encounter some known issues with the serial console and the VM's operating system. These issues are not uncommon, and I've outlined the most common ones below.

One of the issues is that pressing Enter after the connection banner does not cause a sign-in prompt to be displayed. This is often due to GRUB not being configured correctly.

To fix this, you can run the following commands: grub2-mkconfig -o /etc/grub2-efi.cfg and/or grub2-mkconfig -o /etc/grub2.cfg. This will ensure that GRUB is properly configured and you can access the sign-in prompt.

Another issue you may encounter is that serial console text only takes up a portion of the screen, often after using a text editor. This is because serial consoles don't support window size negotiation (RFC 1073).

To resolve this, you can install xterm or a similar utility to provide you with the resize command, and then run resize. This will allow you to adjust the screen size to your liking.

You may also experience issues with pasting long strings, which are limited to 2048 characters to prevent overloading the serial port bandwidth.

If you're using SLES BYOS images, you may encounter erratic keyboard input, where keyboard input is only sporadically recognized. This is due to an issue with the Plymouth package.

To fix this, you can remove Plymouth with sudo zypper remove plymouth and then reboot. Alternatively, you can modify the kernel line of your GRUB config by appending plymouth.enable=0 to the end of the line.

Frequently Asked Questions

What is serial console enabled?

When the serial console is enabled, it allows remote access to a computer or network device's console through a serial connection, for troubleshooting and management. A serial connection transfers data sequentially, one bit at a time, over a serial port or RS-232 connection.

How to exit serial console in Azure?

To exit the serial console in Azure, press Ctrl + ] and then type 'q' to confirm. This will disconnect you from the serial console session.

Thomas Goodwin

Lead Writer
