From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH docs 2/2] qm: bios/uefi: certificate expiration: mention steps for BitLocker earlier
Date: Wed, 18 Mar 2026 10:32:59 +0100
Message-ID: <20260318093307.31645-3-f.ebner@proxmox.com>
In-Reply-To: <20260318093307.31645-1-f.ebner@proxmox.com>
Mention the steps required when using BitLocker earlier to avoid users
running the command first and only later reading on.
Suggested-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
qm.adoc | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/qm.adoc b/qm.adoc
index 27dec2c..e6b7918 100644
--- a/qm.adoc
+++ b/qm.adoc
@@ -1156,17 +1156,8 @@ enrolled.
If the `pve-edk2-firmware` package version is at least `4.2025.05-1`, newly
created EFI disks contain both the 2011 and 2023 certificates and will have the
-`ms-cert=2023k` marker. For EFI disks created before that, select the EFI disk
-in the 'Hardware' view in the UI and use 'Disk Action > Enroll Updated
-Certificates'. Alternatively, enroll the certificates via the
-`/nodes/{node}/qemu/{vmid}/config` API endpoint. The enrollment takes effect
-when the VM is next started. The
-
-----
-qm enroll-efi-keys <vmid>
-----
-
-CLI command achieves the same, but requires the VM to be shut down.
+`ms-cert=2023k` marker. For EFI disks created before that, you need to enroll
+the certificates:
For Windows with BitLocker, run the following command inside PowerShell:
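Review bot: The added sentence ends in a colon ("you need to enroll the certificates:") and is followed directly by "For Windows with BitLocker, run the following command inside PowerShell:", so a reader can take the PowerShell command to be the enrollment itself rather than a prerequisite for it. Consider ending the sentence with a period and stating the order explicitly, for example "you need to enroll the certificates as described below. If the guest is Windows with BitLocker, first run the following command inside PowerShell:". That also makes it clear that guests without BitLocker can skip straight to the enrollment paragraph.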
@@ -1178,6 +1169,17 @@ For example, `<drive>` could be `C:`. This is required for each drive with
BitLocker before proceeding. Otherwise, you will be prompted for the BitLocker
recovery key on the next boot!
+Select the EFI disk in the 'Hardware' view in the UI and use
+'Disk Action > Enroll Updated Certificates'. Alternatively, enroll the
+certificates via the `/nodes/{node}/qemu/{vmid}/config` API endpoint. The
+enrollment takes effect when the VM is next started. The
+
+----
+qm enroll-efi-keys <vmid>
+----
+
+CLI command achieves the same, but requires the VM to be shut down.
+
For further steps on updating secure boot within Windows and signing the
bootloader with the new 2023 certificates, refer to the Microsoft support
articles about
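Review bot: The moved paragraph keeps the sentence that starts with "The" at the end of one line, is interrupted by the listing block, and resumes with "CLI command achieves the same, but requires the VM to be shut down", which is hard to follow now that it sits right after the BitLocker warning. Consider rewording it so the sentence is complete before the listing, for example "Alternatively, with the VM shut down, run the following CLI command:". Since the preceding context says the BitLocker step is required "before proceeding" and the enrollment "takes effect when the VM is next started", it would also help to open this paragraph with a short connective such as "Afterwards, select the EFI disk ..." so the ordering is explicit for all three enrollment paths (UI, API, CLI).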
--
2.47.3
Thread overview:
2026-03-18 9:32 [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation Fiona Ebner
2026-03-18 9:32 ` [PATCH qemu-server 1/2] start vm: check efi vars: clarify when to run the commands for BitLocker Fiona Ebner
2026-03-18 9:32 ` Fiona Ebner [this message]
2026-03-18 10:25 ` [PATCH-SERIES qemu-server/docs 0/2] efi enroll: small improvements to documentation Maximiliano Sandoval