Added known issue about custom boot diagnostics and notice about moving off of boot diagnostics

Mitchell Bifeld · Mitchell Bifeld · commit d5f5c599f543 · 2025-07-29T10:39:13.000-05:00
diff --git a/support/azure/virtual-machines/linux/serial-console-linux.md b/support/azure/virtual-machines/linux/serial-console-linux.md
@@ -89,6 +89,13 @@ By default, all subscriptions have serial console access enabled. You can disabl
 
 ### Use Serial Console with custom boot diagnostics storage account firewall enabled
 
+> [!CAUTION]
+> There is a known issue where Azure Serial Console may fail to connect when a custom boot diagnostics storage account has firewall restrictions. This occurs because Azure Serial Console runs in Microsoft’s internal tenant, and firewall rules on the customer-managed storage account may block its access, even with correct permissions.
+> To avoid connectivity issues, either [switch to managed boot diagnostics](boot-diagnostics.md#enable-boot-diagnostics-on-existing-virtual-machine) (recommended) or remove the firewall on the custom boot diagnostics storage account.
+
+> [!IMPORTANT]
+> By the end of 2025, Azure Serial Console will no longer utilize boot diagnostics storage accounts for establishing a connection. No customer action is required for this change. This change does not affect serial logs or screenshots.
+
 Serial Console uses the storage account configured for boot diagnostics in its connection workflow. When a firewall is enabled on this storage account, the Serial Console service IPs must be added as exclusions. To do this, follow these steps:
 
 1. Navigate to the settings of the custom boot diagnostics storage account firewall you have enabled.
diff --git a/support/azure/virtual-machines/windows/serial-console-errors.md b/support/azure/virtual-machines/windows/serial-console-errors.md
@@ -33,7 +33,7 @@ Error                             |   Mitigation
 "Azure Serial Console requires boot diagnostics to be enabled. Click here to configure boot diagnostics for your virtual machine." | Ensure that the virtual machine (VM) or virtual machine scale set has [boot diagnostics](boot-diagnostics.md) enabled. When using serial console on a virtual machine scale set instance, ensure that your instance has the latest model.
 "Azure Serial Console requires a virtual machine to be running. Use the Start button to start your virtual machine."  | The VM or virtual machine scale set instance must be in a started state to access the serial console (your VM must not be stopped or deallocated). Ensure your VM or virtual machine scale set instance is running and try again.
 "Azure Serial Console is not enabled for this subscription, contact your subscription administrator to enable." | The Azure Serial Console can be disabled at a subscription level. If you're a subscription administrator, you may [enable and disable the Azure Serial Console](./serial-console-enable-disable.md). If you aren't a subscription administrator, you should reach out to your subscription administrator for next steps.
-A "Forbidden" response was encountered when accessing this VM's boot diagnostic storage account. | This error is often caused by enabling a storage account firewall on the custom boot diagnostics account. If you're using a storage account firewall on this account, follow [Storage Account firewall configuration instructions](../linux/serial-console-linux.md#serial-console-security).
+A "Forbidden" response was encountered when accessing this VM's boot diagnostic storage account. | There is a known issue where Azure Serial Console may fail to connect when a custom boot diagnostics storage account has firewall restrictions. This occurs because Azure Serial Console runs in Microsoft’s internal tenant, and firewall rules on the customer-managed storage account may block its access, even with correct permissions. To avoid connectivity issues, either [switch to managed boot diagnostics](boot-diagnostics.md#enable-boot-diagnostics-on-existing-virtual-machine) (recommended) or remove the firewall on the custom boot diagnostics storage account.
 You don't have the required permissions to use this VM with the serial console. Ensure you have at least Virtual Machine Contributor role permissions.| The serial console access requires you to have contributor level access on your VM or virtual machine scale set. For more information, see the [overview page](serial-console-overview.md).
 The storage account '' used for boot diagnostics on this VM couldn't be found. Verify that boot diagnostics is enabled for this VM, this storage account has not been deleted, and you have access to this storage account. | Double check that you have not deleted the boot diagnostics storage account for your VM or virtual machine scale set
 The serial console connection to the VM encountered an error: 'Bad Request' (400) | This can happen if your boot diagnostics URI is incorrect. For example, "http://" was used instead of "https://". The boot diagnostics URI can be fixed with this command: `az vm boot-diagnostics enable --name vmName --resource-group rgName --storage https://<storageAccountUri>.blob.core.windows.net/`
diff --git a/support/azure/virtual-machines/windows/serial-console-overview.md b/support/azure/virtual-machines/windows/serial-console-overview.md
@@ -99,7 +99,7 @@ To access the Serial Console on your VM or virtual machine scale set instance, y
 - Serial Console is not supported when the storage account has **Allow storage account key access** disabled.
 
 > [!IMPORTANT]
-> Serial Console is now compatible with [managed boot diagnostics storage accounts](boot-diagnostics.md) and custom storage account firewalls.
+> By the end of 2025, Azure Serial Console will no longer utilize boot diagnostics storage accounts for establishing a connection. This change does not affect serial logs or screenshots.
 
 ## Get started with Serial Console
 
diff --git a/support/azure/virtual-machines/windows/serial-console-windows.md b/support/azure/virtual-machines/windows/serial-console-windows.md
@@ -142,6 +142,13 @@ By default, all subscriptions have serial console access enabled. You can disabl
 
 ### Use Serial Console with custom boot diagnostics storage account firewall enabled
 
+> [!CAUTION]
+> There is a known issue where Azure Serial Console may fail to connect when a custom boot diagnostics storage account has firewall restrictions. This occurs because Azure Serial Console runs in Microsoft’s internal tenant, and firewall rules on the customer-managed storage account may block its access, even with correct permissions.
+> To avoid connectivity issues, either [switch to managed boot diagnostics](boot-diagnostics.md#enable-boot-diagnostics-on-existing-virtual-machine) (recommended) or remove the firewall on the custom boot diagnostics storage account.
+
+> [!IMPORTANT]
+> By the end of 2025, Azure Serial Console will no longer utilize boot diagnostics storage accounts for establishing a connection. No customer action is required for this change. This change does not affect serial logs or screenshots.
+
 Serial Console uses the storage account configured for boot diagnostics in its connection workflow. When a firewall is enabled on this storage account, the Serial Console service IPs must be added as exclusions. To do this, follow these steps:
 
 1. Navigate to the settings of the custom boot diagnostics storage account firewall you have enabled.
