
Enable Virtual Machine Boot Diagnostics

Last updated: 04 August 2020
Risk level: Medium (should be achieved)
Rule ID: VirtualMachines-014

Ensure that the Boot Diagnostics feature is enabled for your Azure virtual machines (VMs) in order to capture serial console output and operating system screenshots, which are required for diagnosing and troubleshooting VM startup issues.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Boot Diagnostics lets you see the state of an Azure virtual machine as it boots: the platform captures the VM's serial console output and a screenshot of the operating system (OS) into a storage account, so you can inspect provisioning and startup failures whose root cause would otherwise be invisible from outside the VM. Because the serial log contains whatever the OS writes to its console, treat the diagnostics storage account as sensitive data and restrict who can read it.

Audit

To determine if your Azure virtual machines (VMs) are configured to use Boot Diagnostics, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to show only the virtual machines available in the selected subscription.

05 Click on the name of the virtual machine that you want to examine.

06 In the navigation panel, under Support + troubleshooting, select Boot diagnostics to view the Boot Diagnostics data (serial log and screenshots) generated for the selected Azure VM. If, instead of the log data, the informational message "Boot diagnostics isn't configured for this virtual machine. Click here to enable it." is displayed, the Boot Diagnostics feature is not enabled for the selected Microsoft Azure virtual machine.

07 Repeat steps no. 5 and 6 for each Azure virtual machine available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the ID of each virtual machine (VM) provisioned in the current Azure subscription:

az vm list \
    --query '[*].id'

02 The command output should return the requested virtual machine identifiers (IDs):

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-warehouse-app-server",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server"
]

03 Run vm show command (Windows/macOS/Linux) using the ID of the Azure virtual machine that you want to examine as identifier parameter, to get the Boot Diagnostics feature configuration status for the selected VM:

az vm show \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-warehouse-app-server" \
    --query '{"BootDiagnosticsStatus": diagnosticsProfile.bootDiagnostics.enabled}'

04 The command output should return the requested configuration status (true for enabled, null/false for disabled):

{
  "BootDiagnosticsStatus": false
}

If the vm show command output returns null or false as the value for the "BootDiagnosticsStatus" attribute, the Boot Diagnostics feature is not enabled for the selected Microsoft Azure virtual machine.

05 Repeat steps no. 3 and 4 for every Azure virtual machine deployed in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

Boot Diagnostics collects serial log information and screenshots from virtual machines to help you to diagnose startup issues. To enable this feature for your Microsoft Azure virtual machines, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list the virtual machines (VMs) available in the selected subscription.

05 Click on the name of the virtual machine that you want to reconfigure (see Audit section part I to identify the right resource).

06 In the navigation panel, under Support + troubleshooting, select Boot diagnostics to access the Boot Diagnostics feature page, then click on the Settings button to open its configuration panel.

07 On the Boot diagnostics panel, perform the following actions:

  1. Under Status, select On to initiate the setup process.
  2. Choose an existing Azure Storage account from the Storage account dropdown list or click Create new to deploy a new storage account using the Azure Portal setup wizard. The account must be a standard (not premium) storage account in the same region as the VM, and anyone who can read it can read the captured serial console output, so keep its access restricted.
  3. Click Save to apply the configuration changes and enable the Boot Diagnostics feature for the selected virtual machine (VM). The change takes effect after the VM is restarted.

08 In the navigation panel, select Overview, then click the Restart button from the panel top menu to restart the selected virtual machine. Click Yes to confirm the action.

09 Repeat steps no. 5 – 8 to enable Boot Diagnostics for other Azure virtual machines deployed in the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account list command (Windows/macOS/Linux) using custom query filters to list the name of each storage account available in the current Azure subscription:

az storage account list \
    --query '[*].name'

02 The command output should return the requested identifiers (i.e. storage account names). These resource identifiers can be used later to enable Boot Diagnostics for your virtual machines:

[
  "abcdabcdabcd123412341234",
  "abcd1234abcd1234abcd1234",
  "123412341234abcdabcdabcd"
]

03 Run vm boot-diagnostics enable command (Windows/macOS/Linux) using the ID of the virtual machine that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right VM resource) and the name of the storage account that will hold the log data (a standard storage account in the same region as the VM), to enable the Boot Diagnostics feature for the selected Azure virtual machine (the command does not produce an output):

az vm boot-diagnostics enable \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-warehouse-app-server" \
    --storage abcdabcdabcd123412341234

04 In order to take effect, the selected virtual machine must be restarted. Run vm restart command (Windows/macOS/Linux) to restart the specified Microsoft Azure VM (the command does not return an output):

az vm restart \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-warehouse-app-server"

05 Repeat steps no. 3 and 4 to enable Boot Diagnostics for other Azure virtual machines available in the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created within your Microsoft Azure cloud account.
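The Audit (part II) and Remediation (part II) procedures above are both "run this az command, then repeat it for every VM in every subscription". The following script automates that loop. It is an added example, not Cloud Conformity's or Microsoft's code: it wraps the same Azure CLI commands the page runs by hand (az account list, az vm list, az vm boot-diagnostics enable, az vm restart), reads the diagnosticsProfile.bootDiagnostics.enabled flag straight from the `az vm list` output (so no per-VM `az vm show` is needed), and treats null and false alike, as the audit rule does. Running it for real assumes an installed and logged-in az CLI and a storage account name you pass with `--storage` that exists in the VM's subscription and region; the sample VM records embedded in the script are constructed, reusing the page's placeholder subscription and resource group.

```python
"""Audit (and optionally remediate) Azure VM Boot Diagnostics across all subscriptions.

Added example, not Cloud Conformity's or Microsoft's code. Wraps the az CLI commands
from the page and parses their JSON output. The classification and command-building
functions are pure, so they can be exercised offline on the constructed sample below.
"""
import json
import subprocess
import sys

# Constructed sample of `az vm list -o json` output, trimmed to the fields used here.
_RG = ("/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd"
       "/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE")
SAMPLE_VMS = [
    {"id": _RG + "/providers/Microsoft.Compute/virtualMachines/cc-warehouse-app-server",
     "diagnosticsProfile": {"bootDiagnostics": {"enabled": False, "storageUri": None}}},
    {"id": _RG + "/providers/Microsoft.Compute/virtualMachines/cc-internal-app-server",
     "diagnosticsProfile": {"bootDiagnostics": {
         "enabled": True,
         "storageUri": "https://abcdabcdabcd123412341234.blob.core.windows.net/"}}},
    # A VM that was never configured: the whole profile is null rather than false.
    {"id": _RG + "/providers/Microsoft.Compute/virtualMachines/cc-batch-worker",
     "diagnosticsProfile": None},
]


def az(*args):
    """Run one az CLI command with JSON output and return the parsed result (None if empty)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def boot_diagnostics_enabled(vm):
    """True only when diagnosticsProfile.bootDiagnostics.enabled is literally true.

    A missing or null profile (VM never configured) counts as disabled, the same as
    an explicit false, matching step 04 of the CLI audit.
    """
    profile = vm.get("diagnosticsProfile") or {}
    boot = profile.get("bootDiagnostics") or {}
    return boot.get("enabled") is True


def find_noncompliant(vms):
    """Return the resource IDs of VMs that do not have Boot Diagnostics enabled."""
    return [vm["id"] for vm in vms if not boot_diagnostics_enabled(vm)]


def remediation_commands(vm_id, storage_account):
    """The two az invocations from remediation steps 03 and 04, as argv lists.

    storage_account is assumed to be a standard (non-premium) storage account in the
    VM's subscription and region; az resolves the name to its blob endpoint.
    """
    return [
        ["vm", "boot-diagnostics", "enable", "--ids", vm_id, "--storage", storage_account],
        ["vm", "restart", "--ids", vm_id],
    ]


def audit_all_subscriptions():
    """Map each subscription id to the list of its non-compliant VM ids."""
    report = {}
    for sub in az("account", "list"):
        vms = az("vm", "list", "--subscription", sub["id"]) or []
        report[sub["id"]] = find_noncompliant(vms)
    return report


def main(argv):
    # Usage: python boot_diag_audit.py [--storage <account-name>] [--apply]
    # Without --apply the script only reports and prints the commands it would run.
    storage = argv[argv.index("--storage") + 1] if "--storage" in argv else None
    apply_changes = "--apply" in argv
    for sub_id, vm_ids in audit_all_subscriptions().items():
        for vm_id in vm_ids:
            print(f"NON-COMPLIANT {sub_id}: {vm_id}")
            if storage:
                for cmd in remediation_commands(vm_id, storage):
                    print("    az " + " ".join(cmd))
                    if apply_changes:
                        az(*cmd)  # enable, then restart so capture begins
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once without `--apply` to get the list of non-compliant VMs and the exact commands that would be executed, review that the chosen storage account is acceptable for each VM's region, then re-run with `--apply`. Restarting VMs is disruptive, so the script never restarts anything unless `--apply` is given explicitly.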

Publication date Nov 28, 2019
