Serial Console Access for Azure Virtual Machines

This post will show you how to access an Azure Windows or Linux virtual machine console using serial access when you can no longer log in using RDP or SSH over the network.

Troubleshooting Network Connectivity

What do you do when you can no longer sign into an Azure virtual machine? Imagine that RDP (Windows) or SSH (Linux) has failed and the repair and redeploy actions from the Azure Portal don’t help. What if the issue is internal to the virtual machine’s guest OS? Or what if you made the rookie mistake of configuring a static IP address in the guest OS?
Before Microsoft added serial console access, the only way to sign into an Azure virtual machine was over the virtual network using SSH or RDP. There was no console access. A feature called Boot Diagnostics gave us a simple screenshot (a low-resolution BMP file in a storage account) of the machine to show us what the console looked like recently.
I’ve not had a situation where I’ve needed this console access. I have had some customers who needed access because of issues caused by misbehaving antivirus. And, according to Corey Sanders, Corporate Vice President of Azure:
“Ever since I started working on the Virtual Machine (VM) platform in Azure, there has been one feature request that I consistently hear customers asking for us to build.”

Serial Console Access (Preview)

Today, we cannot get access to the console of an Azure virtual machine like we can with vSphere or Hyper-V. However, Microsoft has just launched a preview of the next best thing. You might not have known this, but it is possible to connect to a Windows or Linux server via a serial cable. Microsoft is using that mechanism to make it possible to log into an Azure virtual machine even if that machine has no network connectivity. This feature, just launched in preview, is called Serial Console for Virtual Machines.
When you connect, you’ll get a text-based interface. In the case of Windows, you can launch a command line (CMD.EXE) “channel”, connect to that channel, and then run commands or even launch PowerShell.

Security

To access a virtual machine via Serial Console, a few things are required:

  1. The virtual machine must be configured for Boot Diagnostics; this will store a low-resolution BMP image of the virtual machine’s console in a storage account (blob storage).
  2. You must have contributor (or higher) access to the aforementioned diagnostics storage account.
  3. You must also have contributor (or higher) access to the virtual machine in Azure.

In the case of Windows, to get CMD access you will also need to be able to sign into the guest OS of the virtual machine (local login rights).
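
To review who currently meets both role requirements listed above, the following PowerShell is an added example (not from the original post) that compares role assignments on the virtual machine and on its Boot Diagnostics storage account. It assumes the Az modules, a signed-in session, placeholder resource names, and that only the built-in Owner and Contributor roles count as "contributor or higher".

```powershell
# Added example, not from the original post. Requires the Az.Compute,
# Az.Storage and Az.Resources modules and a session from Connect-AzAccount.
$ResourceGroup = 'rg-example'   # placeholder
$VmName        = 'vm-example'   # placeholder
# Assumption: only these built-in roles are treated as "contributor or higher".
$Roles = 'Owner', 'Contributor'

$vm   = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$diag = $vm.DiagnosticsProfile.BootDiagnostics
if (-not $diag -or -not $diag.Enabled -or -not $diag.StorageUri) {
    throw "Boot Diagnostics with a storage account is not configured on $VmName."
}

# The storage URI looks like https://<account>.blob.core.windows.net/
$accountName = ([uri]$diag.StorageUri).Host.Split('.')[0]
$storage = Get-AzStorageAccount | Where-Object StorageAccountName -eq $accountName
if (-not $storage) {
    throw "Storage account $accountName was not found in the current subscription."
}

function Get-PrivilegedAssignment {
    param([string]$Scope)
    # Lists the role assignments that are effective at the given scope.
    Get-AzRoleAssignment -Scope $Scope |
        Where-Object { $Roles -contains $_.RoleDefinitionName }
}

$onVm      = @(Get-PrivilegedAssignment -Scope $vm.Id)
$onStorage = @(Get-PrivilegedAssignment -Scope $storage.Id)

# Principals holding a qualifying role on both scopes. Group assignments are
# reported as the group itself; members are not expanded.
$onVm |
    Where-Object { $onStorage.ObjectId -contains $_.ObjectId } |
    Sort-Object ObjectId -Unique |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope
```

Anyone in the output can open the serial connection; on Windows they still need valid guest OS credentials to get a CMD channel.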

Pre-Requisites

The main requirement is that Boot Diagnostics is enabled on the virtual machine. Then you must ensure that the guest OS is configured to allow serial console access. The Linux images in Azure do support serial access. However, if you require single-user access, then some configuration will be required.
If you deploy a Windows Server image from the Marketplace today, it will be ready for serial console access. If you have an older deployment, you will probably need to configure it before you need serial console access. The steps are as follows:

  1. Log into the virtual machine using RDP.
  2. Open command prompt with administrative rights.
  3. Run bcdedit /ems {current} on
  4. Run bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200
  5. Reboot the virtual machine.

More options can be found here.
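
The same steps can be run from PowerShell instead of CMD.EXE; the following is an added example, not from the original post. It assumes an English-language Windows install (the check on the bcdedit output matches the text "Yes") and leaves the reboot to the operator.

```powershell
# Added example: steps 2-4 above from an elevated PowerShell session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

function Invoke-BcdEdit {
    param([string[]]$Arguments)
    # Run bcdedit and stop on a non-zero exit code instead of continuing.
    $output = & bcdedit.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit $($Arguments -join ' ') failed: $output"
    }
    $output
}

# {current} must be quoted: unquoted braces are parsed by PowerShell as a
# script block, and bcdedit then rejects the command.
Invoke-BcdEdit '/ems', '{current}', 'on' | Out-Null
Invoke-BcdEdit '/emssettings', 'EMSPORT:1', 'EMSBAUDRATE:115200' | Out-Null

# Confirm that the current boot entry now has EMS enabled.
# Assumption: English output, where the line reads "ems    Yes".
$entry = Invoke-BcdEdit '/enum', '{current}'
if ($entry -match '^ems\s+Yes') {
    Write-Output 'EMS is enabled for the current boot entry. Reboot to apply.'
} else {
    Write-Warning 'EMS does not show as enabled; review the output below.'
    $entry
}
```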

Accessing the Serial Console

Open the virtual machine in the Azure Portal, scroll down to Support + Troubleshooting, and click Serial Console. A serial connection will be attempted. It will connect quickly if the machine has already been configured (see above).

Connecting to the Azure Serial Access Console for Windows [Image Credit: Aidan Finn]
You can type ch -? to learn how to use this console. Type cmd to spawn a CMD.EXE channel; you will be told the name of the new channel, which was Cmd0001 in this example.
Start a New CMD.EXE Channel in the Azure Serial Access Console for Windows [Image Credit: Aidan Finn]
You can switch to the Cmd0001 channel by running ch -sn Cmd0001. Press <Enter>. The channel will connect and you will be asked to enter a username/domain/password combination that is valid for logging into the guest OS of the virtual machine. You can leave domain blank for local usernames/passwords. The command prompt will appear if you successfully log in.
A Command Prompt in an Azure Windows Virtual Machine Serial Access Console [Image Credit]
I can then run PowerShell and run PowerShell cmdlets in the virtual machine, without relying on the machine having network access.
Running PowerShell in an Azure Virtual Machine Via Serial Console Access [Image Credit: Aidan Finn]

Opinion

Serial Console access isn’t perfect. We would all love to have a real “KVM” experience via the Azure Portal, similar to how we can do it with Hyper-V Enhanced Session Mode, which routes via the host’s protected channels to the guest OS. But in the meantime, we do have a console connection, even if it is limited to command-line execution.