If you make a mistake when configuring operating system firewall rules that block you from accessing the VM, or a service is stopping an IaaS VM from booting, or some other configuration problem such as a newly installed application is stopping you from accessing a Windows Server IaaS VM using RDP or remote PowerShell, you always have the option of interacting with the Special Administration Console (SAC), also known as Emergency Management Services (EMS) if you set it up beforehand.
Enabling EMS can provide you with another “get out of jail” card if something goes wrong with one of your Windows Server IaaS VMs.
Note: Serial Console access is also available for Linux VMs, and you can find out more about it in the following Docs article:
There are several steps that you need to take to enable Serial Console access to Windows Server IaaS VMs. The first is to configure the Windows Server VM operating system to support EMS, something that it isn’t configured for by default. You can do this by opening up an administrative command prompt (not PowerShell) on the VM once it is deployed and running the command:
Bcdedit /ems {current} on
You’ll then need to restart the VM.
When configuring Serial Console for a VM, you also need to ensure that you have an account configured as a member of the local Administrators group on the VM that uses password authentication. This is the account you’ll use to interact with the VM through EMS once you have authenticated.
The next step requires that you configure the VM to support boot diagnostics. It’s important to note that you’ll need to use a custom boot diagnostics account and that you can’t use managed boot diagnostics storage accounts at the time of writing. You can do this from CloudShell by running the command (substituting in the appropriate values for VM name, resource group and storage account that will store boot diagnostics data):
az vm boot-diagnostics enable --name MyVirtualMachine --resource-group MyResourceGroup --storage https://mystor.blob.core.windows.net/
Or by enabling it through the VM’s properties in the Azure portal in the Boot Diagnostics area of the Support + Troubleshooting section.
Once you’ve enabled boot diagnostics, the final step is to enable Serial Console at the subscription level. You can do this in CloudShell by running the following commands:
subscriptionId=$(az account show --output=json | jq -r .id)
az resource invoke-action --action enableConsole --ids "/subscriptions/$subscriptionId/providers/Microsoft.SerialConsole/consoleServices/default" --api-version="2018-05-01"
Once you’ve taken these steps you can access the Serial Console for the VM from the Serial Console area of the Support + Troubleshooting section.
Once you’ve made the connection to SAC, enter the following to create a channel that has the CMD instance
Cmd
You’ll then need to type the following to switch to the cmd channel
Ch -si 1
Press Enter and you’ll be presented with an authentication prompt. Authenticate with the account that has local credentials. Generally you’ll just press Enter when prompted for Domain and if you have to delete characters when authenticating, press <CTRL><H>
To start a PowerShell session from the command prompt, type PowerShell.exe
You can use PowerShell within a Serial Console to perform the following tasks:
- Edit the registry
- Enable RDP
- Manage services
- Configure service logon accounts
- Configure service startup types
- Configure service dependencies
- Perform network diagnostics
- Manage Windows Firewall settings
- Manage users and groups
- Manage the Windows Event Log
- View or remove installed applications
- Add and remove Windows roles and features
- Restart windows
- Configure network interfaces including setting IP addresses (remember that an Azure IaaS VM should always be configured from within the VM to use DHCP and any adapter address configuration should be performed external to the VM against the network adapter within the Azure console)
For more information on what you can do using cmd.exe and PowerShell within a Serial Console session, consult the following article:
Although you’ll probably not need it, you should enable EMS on all of your Windows Server IaaS VMs as a way of giving yourself a method of troubleshooting a VM you can’t connect to using RDP or Azure PowerShell.