From: Fiona Ebner
To: pve-devel@lists.proxmox.com
Subject: [PATCH docs 2/2] qm: bios/uefi: certificate expiration: mention steps for BitLocker earlier
Date: Wed, 18 Mar 2026 10:32:59 +0100
Message-ID: <20260318093307.31645-3-f.ebner@proxmox.com>
In-Reply-To: <20260318093307.31645-1-f.ebner@proxmox.com>
References: <20260318093307.31645-1-f.ebner@proxmox.com>
X-SPAM-LEVEL: Spam detection results: 0 AWL 0.004 Adjusted score from AWL reputation of
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: 3ZFPDPQCFOYAGZTN424H6UPREEEIJCQM X-Message-ID-Hash: 3ZFPDPQCFOYAGZTN424H6UPREEEIJCQM X-MailFrom: f.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Mention the steps required when using BitLocker earlier to avoid users running the command first and only later reading on. Suggested-by: Maximiliano Sandoval Signed-off-by: Fiona Ebner --- qm.adoc | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/qm.adoc b/qm.adoc index 27dec2c..e6b7918 100644 --- a/qm.adoc +++ b/qm.adoc @@ -1156,17 +1156,8 @@ enrolled. If the `pve-edk2-firmware` package version is at least `4.2025.05-1`, newly created EFI disks contain both the 2011 and 2023 certificates and will have the -`ms-cert=2023k` marker. For EFI disks created before that, select the EFI disk -in the 'Hardware' view in the UI and use 'Disk Action > Enroll Updated -Certificates'. Alternatively, enroll the certificates via the -`/nodes/{node}/qemu/{vmid}/config` API endpoint. The enrollment takes effect -when the VM is next started. The - ----- -qm enroll-efi-keys ----- - -CLI command achieves the same, but requires the VM to be shut down. +`ms-cert=2023k` marker. For EFI disks created before that, you need to enroll +the certificates: For Windows with BitLocker, run the following command inside PowerShell: 
@@ -1178,6 +1169,17 @@ For example, `` could be `C:`. This is required for each drive with BitLocker before proceeding. Otherwise, you will be prompted for the BitLocker recovery key on the next boot! +Select the EFI disk in the 'Hardware' view in the UI and use +'Disk Action > Enroll Updated Certificates'. Alternatively, enroll the +certificates via the `/nodes/{node}/qemu/{vmid}/config` API endpoint. The +enrollment takes effect when the VM is next started. The + +---- +qm enroll-efi-keys +---- + +CLI command achieves the same, but requires the VM to be shut down. + For further steps on updating secure boot within Windows and signing the bootloader with the new 2023 certificates, refer to the Microsoft support articles about -- 2.47.3
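Review bot: In the first hunk (@@ -1156,17 +1156,8 @@), the new sentence "For EFI disks created before that, you need to enroll the certificates: For Windows with BitLocker, run the following command inside PowerShell:" runs two separate instructions into one colon-terminated sentence, so a reader can take the PowerShell command to be the enrollment itself, and a reader whose guest has no BitLocker gets no hint that the PowerShell step does not apply to them. Suggest closing the first sentence and scoping the second, e.g. "For EFI disks created before that, you need to enroll the certificates as described below. If the Windows guest uses BitLocker, first run the following command in PowerShell:".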
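Review bot: In the second hunk (@@ -1178,6 +1169,17 @@), the moved paragraph that follows "Otherwise, you will be prompted for the BitLocker recovery key on the next boot!" starts with "Select the EFI disk in the 'Hardware' view in the UI" without any transition, so it is not clear that this is the actual enrollment step for every EFI disk created before the firmware package update, BitLocker or not, and that it must come after the BitLocker command. Suggest opening it with "Then, to enroll the certificates, select the EFI disk in the 'Hardware' view in the UI and use 'Disk Action > Enroll Updated Certificates'." Since the text is being moved anyway, the sentence split around the listing block ("The ---- qm enroll-efi-keys ---- CLI command achieves the same") could also become a plain sentence, e.g. "The `qm enroll-efi-keys` CLI command achieves the same, but requires the VM to be shut down."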