From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH docs 2/2] qm: bios/uefi: certificate expiration: mention steps for BitLocker earlier
Date: Wed, 18 Mar 2026 10:32:59 +0100
Message-ID: <20260318093307.31645-3-f.ebner@proxmox.com>
In-Reply-To: <20260318093307.31645-1-f.ebner@proxmox.com>

Mention the steps required when using BitLocker earlier to avoid users
running the command first and only later reading on.

Suggested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
qm.adoc | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/qm.adoc b/qm.adoc
index 27dec2c..e6b7918 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -1156,17 +1156,8 @@ enrolled.
If the `pve-edk2-firmware` package version is at least `4.2025.05-1`, newly
created EFI disks contain both the 2011 and 2023 certificates and will have the
-`ms-cert=2023k` marker. For EFI disks created before that, select the EFI disk
-in the 'Hardware' view in the UI and use 'Disk Action > Enroll Updated
-Certificates'. Alternatively, enroll the certificates via the
-`/nodes/{node}/qemu/{vmid}/config` API endpoint. The enrollment takes effect
-when the VM is next started. The
-
-----
-qm enroll-efi-keys <vmid>
-----
-
-CLI command achieves the same, but requires the VM to be shut down.
+`ms-cert=2023k` marker. For EFI disks created before that, you need to enroll
+the certificates:
For Windows with BitLocker, run the following command inside PowerShell:
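Review bot: The new sentence "you need to enroll the certificates:" ends in a colon, but the next paragraph is the BitLocker precondition rather than the enrollment steps, so the PowerShell command can be read as the enrollment itself. Consider ending the sentence with a period and saying explicitly that the BitLocker step is a prerequisite that applies only to Windows guests with BitLocker, for example "you need to enroll the certificates as described below. If the guest is Windows with BitLocker, first run the following command inside PowerShell:". That also tells users of other guests that they can skip straight to the enrollment paragraph.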
@@ -1178,6 +1169,17 @@ For example, `<drive>` could be `C:`. This is required for each drive with
BitLocker before proceeding. Otherwise, you will be prompted for the BitLocker
recovery key on the next boot!
+Select the EFI disk in the 'Hardware' view in the UI and use
+'Disk Action > Enroll Updated Certificates'. Alternatively, enroll the
+certificates via the `/nodes/{node}/qemu/{vmid}/config` API endpoint. The
+enrollment takes effect when the VM is next started. The
+
+----
+qm enroll-efi-keys <vmid>
+----
+
+CLI command achieves the same, but requires the VM to be shut down.
+
For further steps on updating secure boot within Windows and signing the
bootloader with the new 2023 certificates, refer to the Microsoft support
articles about
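Review bot: The moved paragraph starts at "Select the EFI disk ..." with nothing tying it to the preceding "before proceeding" warning, so the ordering this patch wants to enforce is only implied by position. Opening it with something like "Afterwards, select the EFI disk ..." would make the sequence explicit. Since the text says `qm enroll-efi-keys <vmid>` requires the VM to be shut down while the BitLocker command runs inside the guest, it is also worth stating that the PowerShell step has to be completed before shutting the VM down for the CLI variant. Separately, the sentence is still split around the listing block ("The" ... "CLI command achieves the same"), which leaves a dangling article at the end of the paragraph; as the text is being moved anyway, a lead-in such as "Alternatively, with the VM shut down, run:" before the block would read more cleanly.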
--
2.47.3