This chapter covers VM Boot Diagnostics and Serial Console, two critical troubleshooting tools for Azure virtual machines. These features allow you to diagnose boot failures and access a VM even when network connectivity or the operating system is unresponsive. On the AZ-104 exam, this topic appears in approximately 5-10% of questions, often as part of scenario-based troubleshooting or configuration tasks. You must understand when to use each tool, how to enable them, and their limitations.
Think of a VM as an airplane. The VM Boot Diagnostics is like the cockpit voice recorder and flight data recorder (the 'black box') that captures everything during startup — even if the plane crashes before the pilot can say anything. When you enable Boot Diagnostics, you are installing a dashcam that records the console output (the pilot's conversation with the tower) and a screenshot of the final state before a crash. The Azure Host (the control tower) stores this data in a managed storage account or one you provide. If the VM fails to boot, you can replay the console log to see the exact error — like hearing the pilot say 'engine failure' moments before impact. The Serial Console is like a direct radio link to the cockpit after the plane has landed but won't start. You can send commands (like 'try ignition again') even when the main radio (RDP/SSH) is down. This allows you to troubleshoot boot issues, GRUB problems, or firewall misconfigurations that lock you out. In the exam, you must know that Boot Diagnostics captures the VM's serial output and screenshot, while Serial Console gives you interactive, text-based access to the VM before the OS fully loads.
What Are VM Boot Diagnostics and Serial Console?
VM Boot Diagnostics and Serial Console are two complementary features in Azure that help administrators troubleshoot virtual machine startup issues. Boot Diagnostics captures console output logs and screenshots of a VM during boot, while Serial Console provides text-based, interactive access to the VM via the COM1 serial port, even when the OS is not fully loaded or network connectivity is broken.
Why They Exist
VMs can fail to boot for many reasons: corrupted OS files, misconfigured boot loaders, driver conflicts, or insufficient resources. Without these tools, diagnosing the root cause is nearly impossible because you cannot RDP or SSH into a VM that never reaches the login screen. Boot Diagnostics provides historical data (logs and screenshots) to analyze past boot failures. Serial Console gives real-time, out-of-band access to interact with the boot process, such as entering recovery mode or fixing GRUB configuration.
How Boot Diagnostics Works Internally
When Boot Diagnostics is enabled on a VM, the Azure Hypervisor captures two things during every boot:
- Serial Console Output Log: The text output sent to the VM's serial port (COM1) during boot. This includes BIOS/UEFI messages, boot loader prompts, kernel logs, and OS startup messages. The log is stored as a .log file.
- Screenshot: A screenshot of the VM's display at the moment the boot process stops or at a regular interval. This is stored as a .png file.
These files are written to a storage account. You can either use a managed storage account (Azure creates and manages it automatically) or specify your own custom storage account. If you use a managed storage account, it is created in the same region as the VM, with a name like bootdiagnostics-<vmname>-<randomstring>. The storage account uses locally redundant storage (LRS) by default. The data is retained for up to 30 days after the last boot event. After 30 days, the logs and screenshots are automatically deleted.
The screenshot is taken approximately every 5 seconds during boot. The console log is written continuously.
How Serial Console Works Internally
Serial Console provides a text-based console connection to the VM via the COM1 serial port. This port is part of the virtual hardware and is always present, but a Serial Console connection is only possible while the VM is running, not while it is stopped or deallocated. The connection is established through the Azure portal or Azure CLI and uses a WebSocket connection to the Azure host. The host then forwards keystrokes and screen output to/from the VM's serial port.
To use Serial Console, the VM must have boot diagnostics enabled (because the serial port output is also captured by boot diagnostics). Additionally, the VM must be running and have a guest OS that supports serial console. For Linux, the kernel must have the CONFIG_SERIAL_8250_CONSOLE option enabled, and the boot loader (GRUB) must be configured to output to the serial port. For Windows, the VM must have the Special Administration Console (SAC) feature available, which is included in Windows Server 2012 and later.
Key Components, Values, Defaults, and Timers
Boot Diagnostics Storage Account: Managed (default) or custom. Managed storage accounts are created automatically with LRS. Custom storage accounts can use any redundancy (LRS, GRS, RA-GRS) but must be in the same region as the VM.
Retention Period: 30 days from the last boot. Logs and screenshots older than 30 days are automatically purged.
Screenshot Interval: Approximately every 5 seconds during boot.
Serial Console Access: Only available when the VM is running (not stopped or deallocated). Requires Boot Diagnostics enabled.
Supported OS:
Linux: Most modern distributions (Ubuntu 18.04+, CentOS 7+, RHEL 7+, SUSE 12+) with GRUB configured for serial output.
Windows: Windows Server 2012 and later, Windows 10/11 (but not Windows 7 or 8).
Configuration and Verification Commands
Enabling Boot Diagnostics via Azure Portal:
Navigate to the VM -> Boot Diagnostics -> Enable with managed storage account (recommended) or custom.
Enabling via Azure CLI:
# Enable Boot Diagnostics with managed storage account
az vm boot-diagnostics enable --name MyVM --resource-group MyRG
# Enable with custom storage account
az vm boot-diagnostics enable --name MyVM --resource-group MyRG --storage https://mystorageaccount.blob.core.windows.net/
Viewing Boot Diagnostics Logs:
# Download the serial console log
az vm boot-diagnostics get-boot-log --name MyVM --resource-group MyRG
# Get the URIs of the screenshot and serial log blobs
az vm boot-diagnostics get-boot-log-uris --name MyVM --resource-group MyRG
Accessing Serial Console:
In Azure Portal: VM -> Serial Console (left pane). You must be a Contributor or Owner.
Using Azure CLI: Not directly available; must use portal or REST API.
Interaction with Related Technologies
Azure Bastion: Bastion provides secure RDP/SSH access via the portal. However, Bastion requires the VM to have a public IP or be reachable via the Bastion subnet. If the VM is unreachable due to a boot failure, Bastion cannot help. Serial Console works independently of network connectivity because it operates at the hypervisor level.
VM Extensions: Some VM extensions (e.g., Azure Monitor Agent) may output logs to the serial console. Serial Console can be used to debug extension failures.
Boot Diagnostics and Managed Disks: Boot Diagnostics does not depend on managed disks; it works with both managed and unmanaged disks.
Availability Sets and Scale Sets: Boot Diagnostics can be enabled per VM in an availability set or scale set. For scale sets, you can enable it at the scale set level, and it applies to all instances.
Common Exam Scenarios
Scenario 1: A Windows VM fails to boot after a driver update. You need to access the recovery console. Answer: Use Serial Console to access the Special Administration Console (SAC) and boot into safe mode.
Scenario 2: A Linux VM is unreachable via SSH after a kernel update. You suspect the GRUB configuration is broken. Answer: Use Serial Console to access the GRUB menu and boot into a previous kernel.
Scenario 3: You need to review the boot logs of a VM that failed to start last week. Answer: Use Boot Diagnostics to download the serial console log and screenshot from the storage account.
Important Limitations
Serial Console does not work if the VM is deallocated. The VM must be in the Running state.
Boot Diagnostics logs are only retained for 30 days. If you need longer retention, you must configure a custom storage account with a retention policy or export logs to a Log Analytics workspace.
Serial Console is text-only. It does not support mouse or GUI interaction. For Windows, you use the SAC prompt, which is a command-line interface.
Boot Diagnostics does not capture the entire boot process if the VM is using a custom image that does not output to serial port. Ensure your custom images have serial console output enabled.
Enable Boot Diagnostics on VM
First, you must enable Boot Diagnostics on the VM. This can be done during VM creation or after. In the Azure portal, navigate to the VM's 'Boot diagnostics' blade and select 'Enable with managed storage account' (recommended) or specify a custom storage account. The managed storage account is created automatically in the same region with LRS. This step is prerequisite for Serial Console.
VM Boots and Logs Are Captured
When the VM starts, the Azure Hypervisor begins capturing serial console output and taking screenshots every ~5 seconds. The serial console output includes all text sent to COM1, including BIOS messages, boot loader prompts, and OS kernel logs. These are written to the storage account as a .log file and .png screenshots. The capture continues until the VM reaches a stable state (e.g., login screen) or fails.
Access Boot Diagnostics Logs
If the VM fails to boot, you can access the logs via Azure portal or CLI. In the portal, under 'Boot diagnostics', you can view the screenshot and download the serial log. Using CLI: `az vm boot-diagnostics get-boot-log` retrieves the log. The log may show error messages like 'Kernel panic', 'Disk not found', or 'Boot device not found'. This helps pinpoint the failure.
Enable Serial Console (Prerequisite Already Met)
Serial Console requires Boot Diagnostics to be enabled. Once enabled, you can access Serial Console from the Azure portal by selecting the VM and clicking 'Serial console' in the left menu. You must be a Contributor or Owner. The connection is established via WebSocket to the Azure host, which then communicates with the VM's COM1 port.
Interact with VM via Serial Console
Once connected, you see a text-based console. For Linux, you may see a login prompt or GRUB menu if you interrupt the boot process. For Windows, you see the SAC prompt. You can send keystrokes to interact with the boot loader, enter recovery mode, or run commands. For example, on Linux, you can press Esc to enter GRUB and select a different kernel. On Windows, you can use SAC commands to enable RDP or check services.
Enterprise Scenario 1: Recovering a Linux VM After a Kernel Update Failure
A large e-commerce company runs its production web servers on Azure Linux VMs. After a routine kernel update, one of the VMs fails to boot and is unreachable via SSH. The operations team suspects a broken GRUB configuration. They use Serial Console to access the VM's boot process. By pressing the Esc key during boot, they interrupt the normal boot and enter the GRUB menu. They select the previous kernel version from the list, and the VM boots successfully. They then remove the faulty kernel package. Without Serial Console, they would have needed to redeploy the VM or use a recovery VM with the OS disk attached, causing significant downtime.
Enterprise Scenario 2: Troubleshooting a Windows VM Stuck at 'Getting Windows Ready'
A financial services firm has a Windows Server VM that gets stuck at the 'Getting Windows Ready' screen after a Windows Update. RDP is not available. The admin uses Serial Console to access the Special Administration Console (SAC). From the SAC prompt, they run cmd to open a command prompt, then use bcdedit to set the boot to safe mode. They restart the VM, which now boots into safe mode, allowing them to remove the problematic update. Boot Diagnostics screenshots from the failed boot helped confirm the stuck state.
Enterprise Scenario 3: Auditing Boot Failures Across a Scale Set
A SaaS provider runs hundreds of VM instances in a scale set. Occasionally, some instances fail to boot due to custom image issues. They enable Boot Diagnostics on the scale set with a custom storage account that has a longer retention policy (e.g., 90 days). They use Azure Monitor to collect boot diagnostic logs and set up alerts for 'Kernel panic' messages. This proactive monitoring allows them to detect and replace faulty instances before customers are affected. Performance consideration: Each boot generates ~100 KB of logs per instance, so storage costs are minimal. Misconfiguration: If the custom storage account is in a different region, boot diagnostics fails silently.
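The failure strings quoted under 'Access Boot Diagnostics Logs' and the 'Kernel panic' alerting in this scenario can be checked with a small triage script over saved serial logs. This is an added example, not part of the original chapter; the function names and sample logs are constructed, and an empty log is reported separately because it points at missing serial output rather than a healthy boot.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): triage saved boot diagnostics serial logs.
# Real input would come from:
#   az vm boot-diagnostics get-boot-log --name MyVM --resource-group MyRG > boot.log

# Failure strings named on this page; extend the list for your own images.
BOOT_FAILURE_PATTERNS='Kernel panic|Disk not found|Boot device not found'

# boot_log_verdict FILE
# Prints EMPTY (no serial output captured), FAILED (a signature matched) or CLEAN.
boot_log_verdict() {
    local file=$1
    if [ ! -s "$file" ]; then
        echo "EMPTY"
    elif grep -a -q -i -E "$BOOT_FAILURE_PATTERNS" "$file"; then
        echo "FAILED"
    else
        echo "CLEAN"
    fi
}

# boot_log_hits FILE
# Prints "line-number:text" for every matching line so an alert carries context.
# -a treats the log as text even if it contains terminal control bytes.
boot_log_hits() {
    grep -a -n -i -E "$BOOT_FAILURE_PATTERNS" "$1" || true
}

# Constructed sample logs (not captured from a real VM).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/vm-a.log" <<'EOF'
[    0.000000] Linux version 5.15.0 (constructed sample)
[    1.204512] sd 0:0:0:0: [sda] Attached SCSI disk
[    2.880113] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
EOF
cat > "$SAMPLE_DIR/vm-b.log" <<'EOF'
[    0.000000] Linux version 5.15.0 (constructed sample)
[    3.512004] systemd[1]: Reached target Multi-User System.
EOF
: > "$SAMPLE_DIR/vm-c.log"   # image that writes nothing to the serial port

for log in "$SAMPLE_DIR"/*.log; do
    printf '%s %s\n' "$(basename "$log")" "$(boot_log_verdict "$log")"
    boot_log_hits "$log"
done
```

An EMPTY verdict on a VM that has booted is worth its own alert: it means the image is not writing to the serial port, so a later boot failure would leave nothing to review.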
AZ-104 Exam Focus on VM Boot Diagnostics and Serial Console
Relevant Objective: Domain 3 (Compute), Objective 3.1: Configure virtual machines. Specifically, subtopics related to VM troubleshooting and monitoring.
Common Wrong Answers and Why Candidates Choose Them:
1. Wrong: 'Serial Console can be used to reset the VM password.' Why chosen: Candidates confuse Serial Console with the VM reset password feature. Serial Console does not have a built-in password reset; you can use it to access the OS and manually reset, but it's not a one-click feature.
2. Wrong: 'Boot Diagnostics requires a custom storage account.' Why chosen: Candidates think they must provide their own storage. Azure offers a managed storage account by default, which is simpler and recommended.
3. Wrong: 'Serial Console works when the VM is deallocated.' Why chosen: Candidates assume 'out-of-band' means always available. Serial Console requires the VM to be running.
4. Wrong: 'Boot Diagnostics captures all VM logs, including application logs.' Why chosen: Candidates overestimate the scope. Boot Diagnostics only captures serial port output and screenshots during boot, not application or OS logs after boot.
Specific Numbers and Terms That Appear on the Exam:
Retention period: 30 days.
Screenshot interval: every 5 seconds.
Managed storage account default redundancy: LRS.
Required role: Contributor or Owner to access Serial Console.
Windows SAC: Special Administration Console.
Edge Cases and Exceptions:
If the VM uses a custom Linux image that does not output to serial console, Boot Diagnostics will capture an empty log. The exam may test that you must configure GRUB to enable console output (console=ttyS0).
For Windows VMs, Serial Console requires the VM to have the SAC feature, which is available in Windows Server 2012 and later, but not in Windows 7/8 or Windows client SKUs (except Windows 10/11 Enterprise).
If Boot Diagnostics is enabled after the VM has already failed to boot, the logs for that failure are not captured — it only captures subsequent boots.
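The custom-image edge case above (and the matching item under Important Limitations) can be caught before an image is captured by checking its GRUB defaults file for console=ttyS0. This is an added example, not part of the original chapter; the function name and sample files are hypothetical, and /etc/default/grub is assumed as the usual location of the file on the image.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pre-capture check that an image
# sends kernel output to the serial port (COM1 / ttyS0).

# grub_serial_status FILE   (FILE is normally /etc/default/grub; an assumption)
# Prints OK when an active kernel command line carries console=ttyS0,
# MISSING when none does, NOFILE when the file cannot be read.
grub_serial_status() {
    local file=$1
    if [ ! -r "$file" ]; then
        echo "NOFILE"
        return 0
    fi
    # Only uncommented GRUB_CMDLINE_LINUX / GRUB_CMDLINE_LINUX_DEFAULT lines count,
    # and ttyS0 must be the whole device name (not ttyS01, for example).
    if grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$file" \
        | grep -q -E "console=ttyS0([,[:space:]\"']|\$)"; then
        echo "OK"
    else
        echo "MISSING"
    fi
}

# Constructed sample files (not taken from a real image).
GRUB_SAMPLES=$(mktemp -d)
cat > "$GRUB_SAMPLES/good" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="console=tty1 console=ttyS0,115200n8"
EOF
cat > "$GRUB_SAMPLES/commented" <<'EOF'
GRUB_TIMEOUT=5
#GRUB_CMDLINE_LINUX="console=ttyS0,115200n8"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
EOF

# "absent" is deliberately not created, to show the NOFILE case.
for f in good commented absent; do
    printf '%s: %s\n' "$f" "$(grub_serial_status "$GRUB_SAMPLES/$f")"
done
```

The commented sample shows the case a plain text search would miss: the setting is present in the file but inactive. After correcting the file, regenerate the GRUB configuration with the distribution's tool (update-grub or grub2-mkconfig) before capturing the image.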
How to Eliminate Wrong Answers:
If a question asks for a tool to 'interactively troubleshoot a boot failure', eliminate Boot Diagnostics because it is read-only (logs/screenshots). Choose Serial Console.
If a question asks for 'historical boot logs', eliminate Serial Console because it is real-time. Choose Boot Diagnostics.
If a question mentions 'no network connectivity', Serial Console is the answer because it works over the management plane, not the VM's network.
Boot Diagnostics captures serial console logs and screenshots every 5 seconds during VM boot, retained for 30 days.
Serial Console provides interactive text-based access to the VM via COM1, even without network connectivity.
Both features require Boot Diagnostics to be enabled; Serial Console additionally requires the VM to be running.
Managed storage account for Boot Diagnostics uses LRS by default; custom storage accounts allow different redundancy.
Windows VMs require the Special Administration Console (SAC) feature (Windows Server 2012+).
Linux VMs need GRUB configured to output to serial port (console=ttyS0) for full functionality.
Azure role 'Contributor' or 'Owner' is required to access Serial Console.
Boot Diagnostics does not capture OS-level logs after boot; only boot-time serial output.
Serial Console cannot be used to reset the VM password; it provides OS-level access for manual intervention.
Exam question trap: if the VM is deallocated, Serial Console is not available; use Boot Diagnostics logs instead.
These come up on the exam all the time. Here's how to tell them apart.
Boot Diagnostics
Captures serial console output and screenshots during boot.
Provides historical data for past boot failures (retained for 30 days).
Read-only: you can view logs but not interact with the VM.
Works regardless of VM state (running, stopped, or failed) as long as logs exist.
Enabled via Azure portal or CLI; requires a storage account (managed or custom).
Serial Console
Provides live, interactive text-based access to the VM's serial port.
Used for real-time troubleshooting of boot issues.
Allows sending keystrokes to the VM (e.g., to enter GRUB or SAC).
Requires the VM to be in the 'Running' state.
Requires Boot Diagnostics to be enabled; accessed via Azure portal.
Mistake
Boot Diagnostics and Serial Console are the same thing.
Correct
Boot Diagnostics captures boot logs and screenshots for later review. Serial Console provides live, interactive access to the VM's serial port. They are complementary but distinct.
Mistake
Serial Console can be used to reset the VM password.
Correct
Serial Console does not have a built-in password reset feature. You can use it to access the OS and manually change the password, but it is not a one-click operation like the 'Reset password' blade.
Mistake
Boot Diagnostics requires a custom storage account.
Correct
Azure provides a managed storage account by default. You only need a custom storage account if you want to control redundancy, retention, or location.
Mistake
Serial Console works even when the VM is deallocated.
Correct
Serial Console requires the VM to be in the 'Running' state. If the VM is stopped or deallocated, Serial Console is unavailable.
Mistake
Boot Diagnostics captures all VM logs, including application and system logs.
Correct
Boot Diagnostics only captures the serial console output (text sent to COM1) and screenshots during boot. It does not capture OS-level logs like Event Viewer or syslog after the OS is running.
In the Azure portal, navigate to the VM, select 'Boot diagnostics' under 'Help', then click 'Enable' and choose either managed storage account (recommended) or custom. You can also use Azure CLI: `az vm boot-diagnostics enable --name MyVM --resource-group MyRG`. The VM does not need to be restarted for the change to take effect; it applies to the next boot.
Yes, Serial Console is ideal for this. Connect to the VM via Serial Console, interrupt the boot process (e.g., press Esc for Linux GRUB, or use SAC for Windows), and boot into safe mode or recovery mode. From there, you can disable problematic services, remove updates, or repair the boot configuration.
Boot Diagnostics captures boot-time serial output and screenshots, stored in a storage account. Azure Monitor collects metrics and logs from the VM after the OS is running, including performance data and application logs. They serve different purposes: Boot Diagnostics for boot failures, Azure Monitor for ongoing monitoring.
By default, Boot Diagnostics logs and screenshots are retained for 30 days from the last boot event. After 30 days, they are automatically deleted. To extend retention, you must use a custom storage account with a lifecycle management policy or export logs to a Log Analytics workspace.
No, Serial Console does not require the VM to have a public IP address. It works through the Azure management plane via the hypervisor. This is why it is useful for troubleshooting VMs that are unreachable due to network misconfiguration.
Yes, but the custom image must have serial console output enabled. Specifically, the kernel must have the `CONFIG_SERIAL_8250_CONSOLE` option, and the boot loader (GRUB) must be configured to output to the serial port (e.g., add `console=ttyS0` to kernel command line). If not, the Serial Console will show a blank screen.
You need at least the 'Contributor' role on the VM or the resource group. The 'Reader' role is not sufficient. Additionally, the VM must be in the 'Running' state.