How-to Convert Windows 10/2016+ VSS VM from BIOS to UEFI
Information Security recommends having your Windows VMs with Virtualization Based Security (VBS) and Virtual Trusted Platform Module (vTPM) enabled.
VBS is required for Windows Credential Guard.
A vTPM is required for BitLocker drive encryption in its default configuration and is strongly recommended for Credential Guard, which uses the TPM to bind its keys to the platform.
This how-to was contributed by Joe B. from the Architecture team at Information Security, ITS and edited and adapted by the ITS Private Cloud Team.
Prerequisites
The process cannot be performed on versions prior to Windows 10 / Windows Server 2016 (or on some early Windows 10 builds). Those versions are End-Of-Life (EOL) and are neither licensed nor viable for use in the environment without valid Extended Security Updates (ESU).
The C: drive has at least 5 GB of free space.
Instructions
Preparing the VM
Verify whether the virtual machine in question already has any of the required security features:
vss-cli --columns name,uuid,domain.name,version,vbs_enabled,firmware,tpm compute vm ls -f name=UTSGDEV-TEST

name                uuid      domain.name  version  vbs_enabled  firmware  tpm
------------------  --------  -----------  -------  -----------  --------  ---
1812D-UTSGDEV-TEST  {{uuid}}  FD1          vmx-19   False        bios      []

A VM that still needs converting shows firmware bios, vbs_enabled False and an empty tpm list, as above.
Take a virtual machine snapshot (more details: Manage virtual machine snapshots):
vss-cli compute vm set {vm-id} snapshot mk --description 'Before hardening OS' --lifetime 4
Note that the operating system changes cannot be undone; reverting to the snapshot is the ONLY way to recover should something go wrong. There is also no need to keep the snapshot for an extended period, hence --lifetime 4.
Converting the OS from BIOS to EFI
Connect to the VM through the VSS Console (or RDP) and open an elevated Command Prompt (NOT PowerShell).
Validating before Converting
mbr2gpt /validate /allowFullOS
This assumes you are converting the system disk (disk 0). A successful run ends with "MBR2GPT: Validation completed successfully".
If you have a non-standard install, add the /disk:<n> switch, where <n> is the number of the disk that holds the system and boot partitions.
Converting the VM from BIOS to EFI
Run the conversion with mbr2gpt /convert /allowFullOS (adding the same /disk:<n> switch you used for validation, if any). Do not reboot afterwards; the disk is now GPT and the VM will only boot once its firmware is EFI. Then:
Shut down the virtual machine.
Enable VBS on the virtual machine. VBS requires EFI firmware with Secure Boot, which is switched on together with it.
Validate the VBS change with the vss-cli compute vm ls command from "Preparing the VM": firmware should now read efi and vbs_enabled True.
Start up the virtual machine.
Validate operating system and server operation.
Validate VBS and TPM (next section).
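The in-guest part of the procedure above (prerequisite checks, validation, conversion and the exit-code handling a practitioner wants before rebooting) as an added example script. It is not part of the original how-to and not Microsoft or VSS tooling; the exit-code meanings are from Microsoft's MBR2GPT documentation. It assumes the OS volume is C: and that disk 0 holds the system and boot partitions (override with -DiskNumber). MBR2GPT is launched through cmd.exe, as the how-to instructs, even though the driver script is PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original how-to): pre-flight checks, MBR2GPT validate,
# and MBR2GPT convert with exit-code handling. Assumptions: C: is the OS volume and
# disk 0 is the system/boot disk unless -DiskNumber says otherwise.
param(
    [int]$DiskNumber = 0,
    [switch]$Convert   # without this switch the script only validates
)

function Invoke-Mbr2Gpt {
    param([string[]]$ToolArguments)
    # Run the tool via cmd.exe (the how-to says Command Prompt, not PowerShell) and return its exit code.
    $cmdLine = '/c mbr2gpt.exe ' + ($ToolArguments -join ' ')
    $p = Start-Process -FilePath 'cmd.exe' -ArgumentList $cmdLine -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

# 1. Pre-flight checks: the how-to's prerequisites plus MBR2GPT's own layout rules
$disk = Get-Disk -Number $DiskNumber
if ($disk.PartitionStyle -ne 'MBR') { throw "Disk $DiskNumber is already $($disk.PartitionStyle); nothing to convert." }
if ($env:firmware_type -ne 'Legacy') { Write-Warning "Windows reports firmware type '$env:firmware_type'; this VM may already boot UEFI." }

$free = (Get-PSDrive -Name C).Free
if ($free -lt 5GB) { throw ("C: has only {0:N1} GB free; the how-to requires at least 5 GB." -f ($free / 1GB)) }

# MBR2GPT supports at most three primary partitions and no extended/logical partitions on the disk.
$parts = @(Get-Partition -DiskNumber $DiskNumber)
if ($parts.Count -gt 3 -or ($parts | Where-Object { $_.Type -in 'Extended', 'Logical' })) {
    throw "Disk $DiskNumber layout is not supported by MBR2GPT (max 3 primary partitions, no extended/logical)."
}

# MBR2GPT refuses volumes with active BitLocker protection; catch that before wasting a reboot.
if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    $bde = (& manage-bde.exe -status C:) 2>$null | Out-String
    if ($bde -match 'Protection Status:\s+Protection On') { throw 'BitLocker protection is on for C:; suspend or decrypt it before converting.' }
}

# 2. Validate (read-only; safe to repeat)
$validateArgs = @('/validate', '/allowFullOS', "/disk:$DiskNumber")
$rc = Invoke-Mbr2Gpt -ToolArguments $validateArgs
if ($rc -ne 0) { throw "MBR2GPT validation failed with exit code $rc; see $env:windir\setupact.log." }
Write-Host "Validation succeeded on disk $DiskNumber."

# 3. Convert only when explicitly asked, i.e. after the VM snapshot exists
if (-not $Convert) { Write-Host 'Re-run with -Convert once the VM snapshot has been taken.'; return }
$rc = Invoke-Mbr2Gpt -ToolArguments @('/convert', '/allowFullOS', "/disk:$DiskNumber")
switch ($rc) {
    0   { Write-Host 'Conversion completed. Shut the VM down and switch it to EFI/VBS before booting again.' }
    100 { Write-Warning 'Disk converted, but some BCD entries could not be restored; review bcdedit /enum before rebooting.' }
    6   { throw 'MBR2GPT exit code 6: a volume on the disk is encrypted. Revert to the snapshot if the layout was touched.' }
    7   { throw 'MBR2GPT exit code 7: disk geometry/layout does not meet requirements. Revert to the snapshot if the layout was touched.' }
    default { throw "MBR2GPT conversion failed with exit code $rc (see $env:windir\setupact.log); revert to the snapshot if the disk was left inconsistent." }
}
```

Run it once without -Convert from the elevated session to confirm the VM passes every check, take the snapshot, then run it again with -Convert. The split exists because validation is harmless to repeat while conversion is the one step only the snapshot can undo.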
From an elevated PowerShell session, run the following command to verify the UEFI partition information.
From an elevated PowerShell session, run the following command to verify the TPM information:
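A single post-conversion check covering both verifications above (firmware type, Secure Boot, GPT layout with an EFI System Partition, TPM state) plus the VBS and Credential Guard status that the section title asks for. This is an added example, not a command from the original how-to; it assumes the OS disk is disk 0 and uses only built-in cmdlets and the Win32_DeviceGuard WMI class.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original how-to): verify UEFI/GPT, TPM and VBS state after conversion.
# Assumption: the OS disk is disk 0.
$EfiSystemPartitionGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # standard GPT type GUID of the EFI System Partition

$results = [ordered]@{}

# Firmware and boot mode as Windows itself sees them
$results['FirmwareType'] = $env:firmware_type                          # expect 'UEFI' ('Legacy' before conversion)
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }   # cmdlet throws on BIOS-booted systems
$results['SecureBoot'] = $secureBoot

# Disk layout: GPT with an EFI System Partition created by MBR2GPT
$results['PartitionStyle'] = (Get-Disk -Number 0).PartitionStyle        # expect 'GPT'
$esp = Get-Partition -DiskNumber 0 | Where-Object { $_.GptType -eq $EfiSystemPartitionGuid }
$results['EfiPartitionMB'] = if ($esp) { [math]::Round($esp.Size / 1MB) } else { 0 }

# TPM: both flags must be True before relying on the vTPM for BitLocker or Credential Guard key binding
$tpm = Get-Tpm
$results['TpmPresent'] = $tpm.TpmPresent
$results['TpmReady']   = $tpm.TpmReady

# VBS and the services running on top of it, from the Device Guard WMI class
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$results['VbsStatus'] = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'Not enabled' }
    1 { 'Enabled, not running' }
    2 { 'Running' }
    default { "Unknown ($_)" }
}
$results['CredentialGuardRunning'] = $dg.SecurityServicesRunning -contains 1   # 1 = Credential Guard
$results['HvciRunning']            = $dg.SecurityServicesRunning -contains 2   # 2 = HVCI (memory integrity)

[pscustomobject]$results | Format-List

# Fail loudly if the hardening target has not been reached; the snapshot should stay until it has
$ok = $results.FirmwareType -eq 'UEFI' -and $secureBoot -and $results.PartitionStyle -eq 'GPT' -and
      $esp -and $tpm.TpmReady -and $dg.VirtualizationBasedSecurityStatus -eq 2
if (-not $ok) { Write-Warning 'Hardening incomplete: review the values above before deleting the VM snapshot.' }
```

CredentialGuardRunning stays False until the Credential Guard policy in the later section has been applied and the VM rebooted; everything else should already be green immediately after the EFI/VBS boot.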
Hide System Reserved Partition
As part of the MBR2GPT conversion the "System Reserved" partition is assigned a drive letter (E: in this example), and it is not hidden again automatically after completion.
Press Win+R to bring up the Run window, type diskmgmt.msc and press Enter, which opens Disk Management.
Right-click the System Reserved partition and choose "Change Drive Letter and Paths".
Click Remove to remove the assigned drive letter, then click Yes when the warning window appears.
Open File Explorer and check that the System Reserved partition is no longer shown.
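The same clean-up done from PowerShell, as an added example that is not part of the original how-to. Instead of hard-coding E:, it finds the partition by its "System Reserved" volume label (an assumption: the label is still intact after conversion), removes the letter, and additionally sets the partition's no-default-drive-letter attribute so Windows does not hand a letter back after a reboot or a disk rescan, which the Disk Management steps alone do not prevent.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original how-to): remove the drive letter left on the old
# "System Reserved" partition and stop it from being re-assigned.
# Assumption: the partition still carries the volume label "System Reserved".
$vols = @(Get-Volume | Where-Object { $_.FileSystemLabel -eq 'System Reserved' -and $_.DriveLetter })
if ($vols.Count -eq 0) { Write-Host 'No lettered "System Reserved" volume found; nothing to hide.'; return }

foreach ($v in $vols) {
    $part   = Get-Partition -Volume $v
    $letter = "$($v.DriveLetter):\"
    Write-Host "Hiding $letter (disk $($part.DiskNumber), partition $($part.PartitionNumber))"

    # Equivalent of "Change Drive Letter and Paths" -> Remove in Disk Management
    Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $letter

    # GPT attribute that keeps the mount manager from assigning a letter again (the disk is GPT after MBR2GPT)
    Set-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -NoDefaultDriveLetter $true
}

# Confirm: the label should now be listed without a drive letter
Get-Volume | Where-Object { $_.FileSystemLabel -eq 'System Reserved' } | Select-Object DriveLetter, FileSystemLabel, Size
```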
Apply Credential Guard GPO or Local Security Settings
Virtual Machine Snapshot Cleanup
After you have verified that the operating system functions as expected, delete the snapshot. There are two options:
Remove the snapshot manually.
Wait until it expires (the --lifetime set when it was created).