How-to Convert Windows 10/2016+ VSS VM from BIOS to UEFI

Information Security recommends having your Windows VMs with Virtualization Based Security (VBS) and Virtual Trusted Platform Module (vTPM) enabled.

This how-to was contributed by Joe B. from the Architecture team at Information Security, ITS and edited and adapted by the ITS Private Cloud Team.

Prerequisites

The process cannot be performed for versions prior to Windows 10/2016 (or some early Windows 10 versions), as they are End-Of-Life (EOL) and are no longer licensed or viable for use in the environment, without valid Extended Security Updates (ESU).

Windows 10/2016+ Operating System.
Ensure C: Drive has a least 5GB of free space.
Server administrator rights.
ITS Private Cloud Command-Line Interface access.

 Instructions

Preparing the VM

  1. Verify if the virtual machine in question has any of the required security features:

    vss-cli --columns name,uuid,domain.name,version,vbs_enabled,firmware,tpm compute vm ls -f name=UTSGDEV-TEST name uuid domain.name version vbs_enabled firmware tpm -------------------- ------------------------------------ ------------- --------- ------------- ---------- ----- 1812D-UTSGDEV-TEST {{uuid}} FD1 vmx-19 False bios []
  2. Take a virtual machine snapshot. More details

    vss-cli compute vm set {vm-id} snapshot mk --description 'Before hardening OS' --lifetime 4

Note that Operating System changes cannot be undone. Reverting to previous snapshot is the ONLY way to recover should something go wrong. But there also no need to keep the snapshot for any extended period. (i.e. --lifetime 4)

Converting the OS from BIOS to EFI

  1. VSS Console (or RDP) in the VM and open a Privileged Command Prompt (NOT PowerShell).

  2. Validating before Converting

    mbr2gpt /validate /allowFullOS
  3. Assuming you are converting the system disk

    1. Successful migration:

       

    2. if you have a non-standard install you may specify the Disk # this the system and boot disk:

Converting the VM from BIOS to EFI

  1. Shutdown the Virtual Machine

  2. Enable VBS on the Virtual Machine

  3. Validate the VBS Change

  1. Startup the Virtual Machine

Validate Operating System and Server Operation

Validate VBS and TPM

  1. From a privileged PowerShell session run the following command to verify the UEFI partition information.

  2. From a privileged PowerShell session run the following command to verify the TPM information:

Hide System Reserved Partition

As part of the MBR2GPT conversion the “System Reserved” partition is temporarily assigned “E:”, but is not automatically rehidden after completion.

  1. Press W+R to bring up the run window.

  2. Type diskmgmt.msc and press Enter, which will open Disk Management.

  3. Right-click on the target System Reserved partition and choose the "Change drive letter and paths" button.

  4. Click on Remove in order to remove the assigned drive letter, and then click Yes as the warning window appears. This picture below sets E drive as an example:

    hide a partition via disk management
  5. Now, you can click open File Explorer and check if the System Reserved partition has been hidden.

Apply Credential Guard GPO or Local Security Settings

Virtual Machine Snapshot Cleanup

After you have verified your Operating System functions as expected, a snapshot deletion is due, and to do so, you have two options.

  1. Remove the snapshot manually:

  2. Wait until expires.

 

 Related articles

University of Toronto - Since 1827