Recovering an Azure Windows VM when it won't boot
Your PC/Device needs to be repaired.
The Boot Configuration Data for your PC is missing or contains errors.
File: \Boot\BCD
Error code: 0xc0000034
Ah yes, the venerable boot config error. Easy to fix normally, a pain to fix with Azure...
As good as Azure (or most cloud platforms) are at times, one thing they generally lack is an easy way to access the pre-OS, or safe mode, state that an operating system can operate in either during installation, or when it fails to boot. Such as safe mode for Windows, GRUB bootloader for Linux or otherwise.
Luckily, Microsoft have thought of a way around this, that whilst not ideal, and is certainly clunky, does indeed work.
They call it 'Special Administration Console', SAC for short.
It's basically a web console that reads the serial output of a VM, which allows you to work on a VM without network access, and pre-OS boot if needed.
This mini-guide will go over the steps to access SAC with a windows host that needs to be rebooted to safe mode for one reason or another.
Enabling Serial Console in Azure/Windows VM
Dependent on the age of the windows image used to create your VM (pre-2018), you may not have the serial console output enabled.
Luckily, this is easy to enable in the settings for your VM:
Accessing safe mode from Azure
The steps below duplicate the steps you'd need to take to do safe mode operations on a windows VM, such as if you have to run a troubleshooting tool that only runs from safe mode.
If you aren't interested in these parts, you can skip down a few sections.
Rebooting a working Windows VM to safe mode
Its very easy to completely brick your VM if you do the wrong thing here, you've been warned!
Open the start menu on your VM, and type 'cmd', select the top option.
Type 'msconfig' and press enter.
Change to the 'boot' tab, tick 'safe boot' and click 'Apply'.
Click 'Restart' in the window that pop's up.
Accessing SAC/Safe mode CLI from Azure
At this point, go to your Azure subscription, find the VM you need serial access to and select it.
On the list of functions on the left, scroll down, and select 'Serial console'.
Once SAC has loaded, type in 'cmd' and press enter.
Type in -
ch -si 1
To change to the cmd channel you just created.
Press any key (space bar...)
Login with a local or domain account (it will ask username, then domain, then password).
You'll now be dropped into a standard command prompt, in safe mode.
From here, you can run whatever commands you need to get your system up and running again, or whatever troubleshooting you need.
You can also enter PowerShell to change over to PowerShell too.
Rebooting to 'normal' Windows
Enter the following commands -
bcdedit /deletevalue {default} safeboot
shutdown -r -t 0
Troubleshooting
'Access Forbidden...' errors when loading SAC.
This is caused by having a firewall active on the storage account associated with the VM's boot diagnostics. In order to access SAC, you will need to either -
A) Temporarily turn that firewall off.
You can do this by browsing to your Azure Storage Account -> Settings, then ensuring that the radio button for "Allow access from" (at the top) is set to "All Networks".
or
B) Add your existing location to its list of acceptable IPs.
...Yes, this is a dumb design from MS, with associated security implications.