How-to Convert Windows 10/2016+ Build 1703 or later VSS VM from BIOS to UEFI

Information Security recommends having your Windows VMs with Virtualization Based Security (VBS) and Virtual Trusted Platform Module (vTPM) enabled.

This how-to was contributed by Joe B. from the Architecture team at Information Security, ITS and edited and adapted by the ITS Private Cloud Team.

Prerequisites

This process is not supported for versions prior to Windows 10/2016 (and some early Windows 10 builds): they are End-Of-Life (EOL) and, without valid Extended Security Updates (ESU), are no longer licensed or viable for use in the environment.

Windows 10/2016+ Operating System.
Ensure the C: drive has at least 5GB of free space.
Server administrator rights.
ITS Private Cloud Command-Line Interface access.
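The prerequisites above can be checked from inside the VM before the snapshot is taken. The following pre-flight script is an added example and not part of the original how-to; it assumes build 15063 as the cut-off for "Build 1703", the 5GB free-space figure from the page, and C: as the system drive, and it is run from a privileged PowerShell session.

```powershell
# Added example, not part of the original how-to: a pre-flight check for the
# prerequisites listed above, run from a privileged PowerShell session inside the VM
# before taking the snapshot. Assumptions: build 15063 stands in for "Build 1703",
# 5 GB is the free-space threshold from the page, and C: is the system drive.
function Test-Mbr2GptPrerequisites {
    [CmdletBinding()]
    param(
        [string]$SystemDrive = 'C',
        [int64]$MinFreeBytes = 5GB,
        [int]$MinBuild = 15063
    )

    $r = [ordered]@{}

    # Administrator rights: mbr2gpt and the Storage cmdlets used later need elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $r.IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # OS build number (Windows 10 1703 is build 15063).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r.Caption = $os.Caption
    $r.Build   = [int]$os.BuildNumber
    $r.BuildOk = ($r.Build -ge $MinBuild)

    # Free space on the system volume.
    $vol = Get-Volume -DriveLetter $SystemDrive
    $r.FreeGB      = [math]::Round($vol.SizeRemaining / 1GB, 2)
    $r.FreeSpaceOk = ($vol.SizeRemaining -ge $MinFreeBytes)

    # Firmware the OS booted under; only a Legacy (BIOS) VM needs converting.
    # Windows populates $env:firmware_type as 'Legacy' or 'UEFI'.
    $r.FirmwareType = $env:firmware_type
    $r.IsLegacyBoot = ($env:firmware_type -eq 'Legacy')

    # Partition style of the disk holding the system volume; mbr2gpt expects MBR.
    $disk = Get-Partition -DriveLetter $SystemDrive | Get-Disk
    $r.DiskNumber     = $disk.Number
    $r.PartitionStyle = $disk.PartitionStyle
    $r.IsMbr          = ($disk.PartitionStyle -eq 'MBR')

    $r.ReadyToConvert = ($r.IsAdmin -and $r.BuildOk -and $r.FreeSpaceOk -and $r.IsLegacyBoot -and $r.IsMbr)
    [pscustomobject]$r
}

Test-Mbr2GptPrerequisites | Format-List
```

A VM that already reports UEFI firmware or a GPT system disk does not need the mbr2gpt steps; ReadyToConvert is only true for an MBR disk on a Legacy-boot OS that meets the build and free-space requirements.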

Instructions

Preparing the VM

  1. Verify whether the virtual machine in question already has any of the required security features:

    vss-cli --columns name,uuid,domain.name,version,vbs_enabled,firmware,tpm compute vm ls -f name=UTSGDEV-TEST
    name                  uuid                                  domain.name    version    vbs_enabled    firmware    tpm
    --------------------  ------------------------------------  -------------  ---------  -------------  ----------  -----
    1812D-UTSGDEV-TEST    {{uuid}}                              FD1            vmx-19     False          bios        []
  2. Take a virtual machine snapshot (see Manage virtual machine snapshots for details):

    vss-cli compute vm set {vm-id} snapshot mk --description 'Before hardening OS' --lifetime 4

Note that Operating System changes cannot be undone. Reverting to the previous snapshot is the ONLY way to recover should something go wrong. There is also no need to keep the snapshot for an extended period, hence the short --lifetime 4.

Converting the OS from BIOS to EFI

  1. Open a VSS Console (or RDP) session to the VM and open a privileged Command Prompt (NOT PowerShell).

  2. Validate before converting:

    mbr2gpt /validate /allowFullOS

  3. Convert, assuming you are converting the system disk:

    mbr2gpt /convert /allowFullOS

    1. Successful migration (screenshot of the successful mbr2gpt output not reproduced here).

    2. If you have a non-standard install, you may specify the number of the disk that holds the system and boot partitions:

      mbr2gpt /convert /disk:0 /allowFullOS

If you get an ERROR, revert to the previous snapshot.

Converting the VM from BIOS to EFI

  1. Shut down the Virtual Machine

    vss-cli --wait compute vm set {{uuid}} state -c shutdown
  2. Enable VBS on the Virtual Machine

    vss-cli --wait compute vm set {{uuid}} vbs on
  3. Validate the VBS Change

    vss-cli --columns name,uuid,domain.name,version,vbs_enabled,firmware,'tpm[*].label' compute vm ls -f name=UTSGDEV-RD
    name                  uuid                                  domain.name    version    vbs_enabled    firmware    tpm[*].label
    --------------------  ------------------------------------  -------------  ---------  -------------  ----------  --------------
    1812D-UTSGDEV-RD-GW1  {{uuid}}                              FD1            vmx-15     True           efi         Virtual TPM

Note that you should see vbs_enabled set to True, firmware set to efi and a Virtual TPM in the tpm column.

  4. Start up the Virtual Machine

    vss-cli --wait compute vm set {{uuid}} state on

Validate Operating System and Server Operation

Validate VBS and TPM

  1. From a privileged PowerShell session run the following command to verify the UEFI partition information.

    Get-WmiObject -query 'Select Type from Win32_DiskPartition Where Type = "GPT: System"'
  2. From a privileged PowerShell session run the following command to verify the TPM information:

    Get-WmiObject -Namespace "Root\CIMV2\Security\MicrosoftTpm" -query "Select * from Win32_Tpm"
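The two queries above can be combined into one report that also reads the guest-side VBS and Credential Guard state from the Win32_DeviceGuard class. This script is an added example and not part of the original how-to; the WMI/CIM class and property names are documented Windows ones, while the pass/fail thresholds are this example's assumptions. Run it from a privileged PowerShell session.

```powershell
# Added example, not part of the original how-to: combines the UEFI and TPM checks above
# with VBS / Credential Guard state from Win32_DeviceGuard, so one run shows whether the
# conversion and the vss-cli 'vbs on' change are visible inside the OS.
# Class and property names are documented Windows WMI/CIM names; thresholds are assumptions.
function Get-VmHardeningState {
    $r = [ordered]@{}

    # UEFI/GPT: the page's Win32_DiskPartition query, plus the firmware type the OS reports.
    $gpt = Get-CimInstance -Query 'Select Type from Win32_DiskPartition Where Type = "GPT: System"'
    $r.GptSystemPartition = [bool]$gpt
    $r.FirmwareType       = $env:firmware_type   # expect 'UEFI' after conversion

    # TPM: the page's Win32_Tpm query; the instance is absent when no (v)TPM is presented.
    $tpm = Get-CimInstance -Namespace 'Root\CIMV2\Security\MicrosoftTpm' -Query 'Select * from Win32_Tpm' -ErrorAction SilentlyContinue
    $r.TpmPresent = [bool]$tpm
    $r.TpmEnabled = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue } else { $false }
    $r.TpmSpec    = if ($tpm) { $tpm.SpecVersion } else { $null }   # a vTPM reports 2.0

    # VBS / Credential Guard from Win32_DeviceGuard:
    #   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r.VbsStatus              = $dg.VirtualizationBasedSecurityStatus
    $r.VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r.CredentialGuardRunning = (@($dg.SecurityServicesRunning) -contains 1)
    $r.HvciRunning            = (@($dg.SecurityServicesRunning) -contains 2)

    $r.Hardened = ($r.GptSystemPartition -and ($r.FirmwareType -eq 'UEFI') -and $r.TpmPresent -and $r.VbsRunning)
    [pscustomobject]$r
}

Get-VmHardeningState | Format-List
```

The vss-cli 'vbs on' step exposes the platform features (EFI firmware, vTPM and the virtualization extensions) to the VM; whether Windows actually runs VBS and Credential Guard is decided by the guest configuration, so VbsStatus may still read 0 here until the Credential Guard GPO or local security settings later in this how-to have been applied and the VM rebooted.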

Hide System Reserved Partition

As part of the MBR2GPT conversion the “System Reserved” partition is temporarily assigned “E:”, but is not automatically rehidden after completion.

  1. Press Win+R to bring up the Run window.

  2. Type diskmgmt.msc and press Enter, which will open Disk Management.

  3. Right-click on the target System Reserved partition and choose the "Change drive letter and paths" button.

  4. Click Remove to remove the assigned drive letter, and then click Yes when the warning window appears. The picture below uses drive E: as an example:

    (Screenshot: hide a partition via Disk Management)
  5. Now open File Explorer and check that the System Reserved partition has been hidden.
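The same result can be achieved without the GUI. The following script is an added example and not part of the original how-to: it assumes the left-over letter is E: as on the page, treats any partition over 1GB or with a label other than "System Reserved" as the wrong target and refuses to touch it, and prompts before removing the letter. Run it from a privileged PowerShell session.

```powershell
# Added example, not part of the original how-to: scripted equivalent of the Disk
# Management steps above. Assumptions: the left-over letter is E: (as on the page), a
# System Reserved partition is at most 1 GB, and anything that does not match is refused.
function Hide-SystemReservedPartition {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$DriveLetter = 'E',
        [int64]$MaxSizeBytes = 1GB
    )

    $part = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop

    # Guard against stripping the letter from a data volume that happens to use E:.
    if ($part.Size -gt $MaxSizeBytes) {
        throw "Partition $($part.PartitionNumber) on disk $($part.DiskNumber) is $([math]::Round($part.Size / 1MB)) MB, larger than a System Reserved partition; refusing."
    }
    $vol = $part | Get-Volume -ErrorAction SilentlyContinue
    if ($vol -and $vol.FileSystemLabel -and $vol.FileSystemLabel -ne 'System Reserved') {
        throw "Volume label is '$($vol.FileSystemLabel)', not 'System Reserved'; refusing."
    }

    $target = "Disk $($part.DiskNumber) partition $($part.PartitionNumber) (${DriveLetter}:)"
    if ($PSCmdlet.ShouldProcess($target, 'Remove drive letter')) {
        # Removing the access path is what "Change drive letter and paths" > Remove does.
        $part | Remove-PartitionAccessPath -AccessPath "${DriveLetter}:\"
    }

    # Re-read the partition and report; DriveLetter is the NUL char once unassigned.
    $after = Get-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber
    [pscustomobject]@{
        DiskNumber      = $after.DiskNumber
        PartitionNumber = $after.PartitionNumber
        SizeMB          = [math]::Round($after.Size / 1MB)
        DriveLetter     = $after.DriveLetter
        Hidden          = ([int]$after.DriveLetter -eq 0)
    }
}

Hide-SystemReservedPartition -DriveLetter 'E' -Confirm
```

Because the function supports ShouldProcess, -WhatIf shows which partition would lose its letter without changing anything, which is the check to run first on a VM whose drive letters are not known in advance.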

Apply Credential Guard GPO or Local Security Settings

Virtual Machine Snapshot Cleanup

After you have verified that your Operating System functions as expected, the snapshot should be deleted. There are two options:

  1. Remove the snapshot manually:

    vss-cli compute vm set {vm-id} snapshot rm {snapshot-id}
  2. Wait until it expires.

If you set the snapshot to manual disk consolidation, follow Manage virtual machine snapshots to run disk consolidation.

 


University of Toronto - Since 1827