Merge pull request #8814 from MicrosoftDocs/genlin-patch-19

AB#5547 Update Prerequisites  for serial-console

Author: genlin

support/azure/virtual-machines/linux/serial-console-linux.md

@@ -33,25 +33,18 @@ For Serial Console documentation for Windows, see [Serial Console for Windows](.
 > [!NOTE]
 > Serial Console is compatible with a managed boot diagnostics storage account.
 
-## Prerequisites
+## Prerequisites to access the Azure Serial Console
 
-- Your VM or virtual machine scale set instance must use the resource management deployment model. Classic deployments aren't supported.
+To access the Serial Console on your VM or virtual machine scale set instance, you will need the following:
 
-- Your account that uses serial console must have the [Virtual Machine Contributor role](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) for the VM and the [boot diagnostics](../windows/boot-diagnostics.md) storage account
+- Boot diagnostics must be enabled for the VM.
+- A user account that uses password authentication must exist within the VM. You can create a password-based user with the [reset password](/azure/virtual-machines/extensions/vmaccess#reset-password) function of the VM access extension. Select **Reset password** from the **Help** section.
+- The Azure account accessing Serial Console must have [Virtual Machine Contributor role](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) for both the VM and the [boot diagnostics](../windows/boot-diagnostics.md) storage account.
+- Classic deployments aren't supported. Your VM or virtual machine scale set instance must use the Azure Resource Manager deployment model.
+- Serial Console is not supported when the storage account has **Allow storage account key access** disabled.
 
-- Your VM or virtual machine scale set instance must have a password-based user. You can create one with the [reset password](/azure/virtual-machines/extensions/vmaccess#reset-password) function of the VM access extension. Select **Reset password** from the **Help** section.
-
-- Your VM or virtual machine scale set instance must have [boot diagnostics](../windows/boot-diagnostics.md) enabled.
-
-    :::image type="content" source="media/serial-console-linux/diagnostics-settings.png" alt-text="Screenshot of the Diagnostics settings page in Azure portal. The Boot diagnostics option is enabled.":::
-
-- For settings specific to Linux distributions, see [Serial console Linux distribution availability](#serial-console-linux-distribution-availability).
-
-- Your VM or virtual machine scale set instance must be configured for serial output on `ttys0`. This is the default for Azure images, but you will want to double check this on custom images. Details [below](#custom-linux-images).
-
-> [!NOTE]
-> The serial console requires a local user with a configured password. VMs or virtual machine scale sets configured only with an SSH public key won't be able to sign in to the serial console. To create a local user with a password, use the [VMAccess Extension](/azure/virtual-machines/extensions/vmaccess), which is available in the portal by selecting **Reset password** in the Azure portal, and create a local user with a password.
-> You can also reset the administrator password in your account by [using GRUB to boot into single user mode](./serial-console-grub-single-user-mode.md).
+> [!IMPORTANT]
+> Serial Console is now compatible with [managed boot diagnostics storage accounts](../windows/boot-diagnostics.md) and custom storage account firewalls.
 
 ## Serial Console Linux distribution availability
 
@@ -143,7 +136,7 @@ After the IP addresses are successfully added to the storage account firewall, r
 
 ### Access security
 
-Access to the serial console is limited to users who have an access role of [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) or higher to the virtual machine. If your Microsoft Entra tenant requires multi-factor authentication (MFA), then access to the serial console will also need MFA because the serial console's access is through the [Azure portal](https://portal.azure.com).
+Access to the serial console is limited to users who have an access role of [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) or higher to the virtual machine. If your Microsoft Entra tenant requires multifactor authentication (MFA), then access to the serial console will also need MFA because the serial console's access is through the [Azure portal](https://portal.azure.com).
 
 ### Channel security
 

support/azure/virtual-machines/linux/troubleshoot-ssh-connection.md

@@ -81,7 +81,7 @@ Use Network Watcher's [Next hop](/azure/network-watcher/diagnose-vm-network-rout
 
 ## Use the Azure VM Serial Console
 
-The [Azure VM Serial Console](./serial-console-linux.md) provides access to a text-based console for Linux virtual machines. You can use the console to troubleshoot your SSH connection in an interactive shell. Ensure you have met the [prerequisites](./serial-console-linux.md#prerequisites) for using Serial Console and try the commands below to further troubleshoot your SSH connectivity.
+The [Azure VM Serial Console](./serial-console-linux.md) provides access to a text-based console for Linux virtual machines. You can use the console to troubleshoot your SSH connection in an interactive shell. Ensure you have met the [prerequisites](./serial-console-linux.md#prerequisites-to-access-the-azure-serial-console) for using Serial Console and try the commands below to further troubleshoot your SSH connectivity.
 
 ### Check that SSH service is running
 

support/azure/virtual-machines/windows/serial-console-windows.md

@@ -33,17 +33,18 @@ For serial console documentation for Linux, see [Azure Serial Console for Linux]
 > [!NOTE]
 > Serial Console is compatible with a managed boot diagnostics storage account.
 
-## Prerequisites
+## Prerequisites to access the Azure Serial Console
 
-* Your VM or virtual machine scale set instance must use the resource management deployment model. Classic deployments aren't supported.
+To access the Serial Console on your VM or virtual machine scale set instance, you will need the following:
 
-* Your account that uses serial console must have the [Virtual Machine Contributor role](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) for the VM and the [boot diagnostics](boot-diagnostics.md) storage account
+- Boot diagnostics must be enabled for the VM.
+- A user account that uses password authentication must exist within the VM. You can create a password-based user with the [reset password](/azure/virtual-machines/extensions/vmaccess#reset-password) function of the VM access extension. Select **Reset password** from the **Help** section.
+- The Azure account accessing Serial Console must have [Virtual Machine Contributor role](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) for both the VM and the [boot diagnostics](boot-diagnostics.md) storage account.
+- Classic deployments aren't supported. Your VM or virtual machine scale set instance must use the Azure Resource Manager deployment model.
+- Serial Console is not supported when the storage account has **Allow storage account key access** disabled.
 
-* Your VM or virtual machine scale set instance must have a password-based user. You can create one with the [reset password](/azure/virtual-machines/extensions/vmaccess#reset-password) function of the VM access extension. Select **Reset password** from the **Help** section.
-
-* The VM for virtual machine scale set instance must have [boot diagnostics](boot-diagnostics.md) enabled.
-
-    :::image type="content" source="media/serial-console-windows/diagnostics-settings.png" alt-text="Screenshot of the Boot diagnostics option under the Diagnostics settings.":::
+> [!IMPORTANT]
+> Serial Console is now compatible with [managed boot diagnostics storage accounts](boot-diagnostics.md) and custom storage account firewalls.
 
 ## Enable Serial Console functionality for Windows Server
 
@@ -197,7 +198,7 @@ After the IP addresses are successfully added to the storage account firewall, r
 
 ### Access security
 
-Access to the serial console is limited to users who have an access role of [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) or higher to the virtual machine. If your Microsoft Entra tenant requires multi-factor authentication (MFA), then access to the serial console will also need MFA because the serial console's access is through the [Azure portal](https://portal.azure.com).
+Access to the serial console is limited to users who have an access role of [Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) or higher to the virtual machine. If your Microsoft Entra tenant requires multifactor authentication (MFA), then access to the serial console will also need MFA because the serial console's access is through the [Azure portal](https://portal.azure.com).
 
 ### Channel security
 
@@ -215,7 +216,7 @@ The Azure portal or [Azure CLI](/cli/azure/serial-console) act as remote termina
 
 ### Audit logs
 
-All access to the serial console is currently logged in the [boot diagnostics](./boot-diagnostics.md) logs of the virtual machine. Access to these logs are owned and controlled by the Azure virtual machine administrator.
+All access to the serial console is currently logged in the [boot diagnostics](./boot-diagnostics.md) logs of the virtual machine. Access to these logs is owned and controlled by the Azure virtual machine administrator.
 
 > [!CAUTION]
 > No access passwords for the console are logged. However, if commands run within the console contain or output passwords, secrets, user names, or any other form of personally identifiable information (PII), those will be written to the VM boot diagnostics logs. They will be written along with all other visible text, as part of the implementation of the serial console's scroll back function. These logs are circular and only individuals with read permissions to the diagnostics storage account have access to them. However, we recommend following the best practice of using the Remote Desktop for anything that may involve secrets and/or PII.
@@ -243,7 +244,7 @@ The serial console has screen reader support built in. Navigating around with a
 
 Scenario          | Actions in the serial console
 :------------------|:-----------------------------------------
-Incorrect firewall rules | Access serial console and fix Windows firewall rules.
+Incorrect firewall rules | Access Serial Console and fix Windows Firewall rules.
 Filesystem corruption/check | Access the serial console and recover the filesystem.
 RDP configuration issues | Access the serial console and change the settings. For more information, see the [RDP documentation](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access).
 Network lock down system | Access the serial console from the Azure portal to manage the system. Some network commands are listed in [Windows commands: CMD and PowerShell](serial-console-cmd-ps-commands.md).
@@ -261,7 +262,7 @@ SAC does not take up the entire Serial Console area in the browser | This is a k
 Unable to type at SAC prompt if kernel debugging is enabled. | RDP to VM and run `bcdedit /debug {current} off` from an elevated command prompt. If you can't RDP, you can instead attach the OS disk to another Azure VM and modify it while attached as a data disk by running `bcdedit /store <drive letter of data disk>:\boot\bcd /debug <identifier> off`, then swapping the disk back.
 Pasting into PowerShell in SAC results in a third character if the original content had a repeating character. | For a workaround, run `Remove-Module PSReadLine` to unload the PSReadLine module from the current session. This action will not delete or uninstall the module.
 Some keyboard inputs produce strange SAC output (for example, **[A**, **[3~**). | [VT100](/windows/console/console-virtual-terminal-sequences) escape sequences aren't supported by the SAC prompt.
-Pasting long strings doesn't work. | The serial console limits the length of strings pasted into the terminal to 2048 characters to prevent overloading the serial port bandwidth.
+Pasting long strings doesn't work. | The serial console limits the length of strings pasted into the terminal to 2,048 characters to prevent overloading the serial port bandwidth.
 
 ## Frequently asked questions