<b>Attention : </b> For those using Debian and Whonix templates, a vulnerability affects the latest stable Qubes OS release. Follow the instructions below to fix it.
<p>Immediately after installing Qubes 4.0.1, upgrade all of your Debian and Whonix TemplateVMs by executing the following commands in a dom0 terminal:</p>
and patched in [QSB #46], which followed the release of Qubes 4.0.1.
This method is simpler than the method recommended in [QSB #46], and it is just as safe/effective as long as it is performed immediately after installing Qubes OS.
Even on supported hardware, you must ensure that [IOMMU-based virtualization](https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit#Virtualization) is activated in the BIOS.
Without it, Qubes OS won't be able to enforce isolation.
For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (**Intel VT-d**) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply **AMD-Vi**).
This parameter should be activated in your computer's BIOS, alongside the standard Virtualization (**Intel VT-x**) and AMD Virtualization (**AMD-V**) extensions.
This [external guide](https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html) made for Intel-based boards can help you figure out how to enter your BIOS to locate and activate those settings.
If those settings are not nested under the Advanced tab, you might find them under the Security tab.
<b>Note : </b> As Qubes OS has no control over what is happening before it takes control over the hardware, the motherboard firmware, which is responsible for bootstrapping the hardware and checking it, must be trusted, alongside the hardware itself.
One can think of <ahref="https://www.coreboot.org/">Coreboot</a> and its security-oriented implementation <ahref="http://osresearch.net/">Heads</a>, or <ahref="https://github.com/merge/skulls">Skulls</a>, which strives to be easy to use.
See the [downloads] page for ISO downloads. Remember, Qubes OS' team have absolutely no control over those servers, so you should consider that they might be compromised, or just be serving compromised ISOs because their operators decided so, for whatever reason.
Always verify the digital signature on the downloaded ISO. Read our guide on [verifying signatures] for more information about how to download and verify our PGP keys and verify the downloaded ISO.
Once the ISO has been verified as authentic, you should copy it onto the installation medium of your choice, such as a dual-layer DVD, a Blu-ray disc, or a USB key.
(The size of each Qubes ISO is listed on the [downloads] page.)
(Note that there are important [security considerations] to keep in mind when choosing an installation medium.)
If you are an advanced user and you would like to customize your installation, please see [Custom Installation]. Otherwise, follow the instructions below.
Just after you power on your machine, make the Qubes OS medium available to the computer by inserting the DVD or USB key you have previously copied the Qubes OS image to.
Shortly after the Power-on self-test (POST) is completed, you should be greeted with the Qubes OS boot screen.
From there, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the "Tab" key will reveal options.
You can choose one of three options : install Qubes OS ; test this media and install Qubes OS ; troubleshooting. Select the option to test this media and install Qubes OS.
If the boot screen does not appear, there are several options to troubleshoot.
First, try rebooting your computer.
If it still loads your currently installed operating system or does not pick up your installation medium, make sure the boot order is set up appropriately.
The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer.
If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an [advanced reboot](https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings).
Ideally, you would temporarily select the USB device or DVD drive as a boot up option, so that the next time you boot, your internal storage device will be selected first.
Do not panic : it may simply indicate that IOMMU-virtualization hasn't been activated in the BIOS.
Return to the [Hardware Requirements](/doc/installation-guide/#hardware-requirements) section to learn how to activate it.
If the setting is not configured correctly, it means that your hardware won't be able to leverage some of Qubes OS security features such as a strict isolation of the network and USB adapter.
If the test passes, you will reach the Installation summary screen.
<divclass="alert alert-info"role="alert">
<iclass="fa fa-info-circle"></i>
<b>Note : </b> The installer loads Xen right at the beginning, so if you can see the installer's graphical screen and you pass the compatibility check that runs immediately after that, Qubes OS is likely to work on your system !
Under the Software section, you can change the installation source.
As we are demonstrating a simple installation, it is assumed that you are installing Qubes OS using a local medium such as a DVD, so this option won't be illustrated.
Under the System section, you need to pick the installation destination.
For this step to be completed, you need to select which storage device you would like your system to be installed on. Under the Device Selection section, make sure that you select the correct installation destination.
Ensure that your your target destination has a least 32 GiB of free space available.
<b>Attention : </b> Any data on the target storage device will eventually be deleted during the installation process, so make your selection carefully (a separate confirmation dialog will appear if there are available partitions on the disk).
While the installation is ongoing, a new user needs to be created. Click on "User Creation" to define a new user with administrator privileges and a password.
Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
You're almost done. Before you can start using Qubes OS, some configuration is needed.
By default, Qubes OS will create a number of qubes, based on Fedora templates or Whonix templates, so that you can have a more ready-to-use environnement from the get-go.
* **Create default system qubes** : it is recommended to use system qubes as they offer some of the core functionalities brought by Qubes OS, including network isolation and disposable qubes
* **Create default application qubes** : application qubes are pre-configured qubes meant to be used for specific purposes, such as work or personal.
* **Create Whonix Gateway and Workstation qubes** : in order to be able to use Tor for dedicated qubes, you need this option to be activated.
* **Enabling system and template updates over the Tor anonymity network using Whonix** : this option allows the use of Tor system-wide rather than only for specific qubes.
* **Create USB qube holding all USB controllers** : just like the network qube for the network stack, the USB qube allows to capture the USB controller and to manage USB devices through it.
* **Use sys-net qube for both networking and USB devices** : it saves some memory as only sys-net will be running, instead of sys-net and sys-usb, but also allows easy use of USB networking devices (like 3G/LTE modems) directly in sys-net.
* **Do not configure anything** : This is only for advanced users, as you won't have network access out of the box.
* If you don't find your answer in the documentation, it may be time to consult the [mailing lists], as well as the many other available sources of [help].