IT Engineered

Preparing Your Virtual Environment for Windows 11: Tackling EFI, Secure Boot, and TPM Part – 2 Converting to GPT/EFI

by

Nathan
in , , , ,

So, you made it past part 1, thank you. I thought I lost you there.

As I mentioned before, in the virtual environment, many IT admins didn’t update the disk configuration in the template when we transitioned from Windows 7 to Windows 10. GPT/EFI is the starting point to get us where we need to be and probably takes the most time, so we’ll start there.

Quite a while back, Microsoft created a utility that converts your MBR (legacy partition) to GPT. While there are switches that allow you to do this from within Windows, I’ve experienced mixed results, so I typically recommend booting into Windows PE and then running the command to convert. You can use this link to learn or as a refresher for creating a WinPE boot ISO/WIM:

https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive?view=windows-11

To run MBR2GPT, you will typically need the following:

  1. The disk using MBR partitioning. (Duh!)
  2. A small amount of space at the beginning and end of the disk (16KB and 2 sectors). I’ve never seen an issue with the command finding this space unless the disk is completely full. If that’s the case, edit the machine and add more space.
  3. An active partition (this is the system partition that the device uses to boot).
  4. A properly configured BCD store on the system partition (the partition that the device uses to boot).

In addition, the device cannot have any extended or logical partitions.

Okay, if you’re lucky, the process is as easy as this:

  1. Boot the virtual device with a WinPE ISO.
  2. Run MBR2GPT.exe /convert /disk:[the disk number you wish to convert]. This is typically 0.

It will do a bunch of stuff, and then BAM! You are converted to GPT and now have an EFI partition added to the end of the disk. If you reboot the device at this point, it will not boot into Windows because the BIOS setting needs to be switched to EFI.

In a vSphere environment, this can be achieved by doing the following:

  1. Turn off the virtual machine.
  2. Edit the device configuration by clicking the three vertical dots and choosing “Edit.”
  3. Go to the “Boot Options” tab, flip the BIOS to EFI, and save the settings.
  4. Start the VM.

Okay, what if the MBR2GPT command errors out?

Well, if it cannot find the disk to convert, it may be because the system partition is not set to active, or it’s because you have a messed-up BCD store on the MBR partition, or both.

To fix the BCD store, we’ll use the diskpart utility:

  1. From the Windows PE environment, start diskpart by typing diskpart.
  2. Type list disk to show the attached disks.
  3. Type sel disk 0 (this is typically the disk with the MBR and Windows partition that you want to work with).
  4. Type list part to get a list of all the partitions.
  5. Type sel part <partition number> (the number of the partition that is the MBR partition. It can be identified as a 500MB drive and typically doesn’t have a drive letter attached).
  6. Type assign letter=K: to assign the drive letter K: to that partition.
  7. Type sel part and choose the system partition (the partition that’s typically where Windows is stored and is the largest on the disk).
  8. Type active to mark the device as the boot partition.
  9. Type exit to get to the command prompt.
  10. Type BCDBoot c:\windows /s k: /f all (replace c: with the proper drive letter depending on what drive letter gets assigned in WinPE; sometimes it will be assigned to d:).
  11. Rerun the MBR2GPT.exe /convert /disk:0 command.

Set EFI in the Virtual Machine properties and reboot if it hasn’t already been done.

Sometimes, the OS still doesn’t load after the GPT conversion because the BCD store doesn’t have the right configuration.

It might show a system error 0000001 about OS needing to be repaired, and then show error 00000098 about no valid BCD.

To fix this issue, do the following:

  1. From the Windows PE environment, start diskpart by typing diskpart.
  2. Type list disk to show the attached disks.
  3. Type sel disk 0 (this is typically the disk with the MBR and Windows partition that you want to work with).
  4. Type list part to get a list of all the partitions.
  5. Type sel part <partition number> (the number of the partition that is the EFI partition. It can be identified as a 100MB drive and typically doesn’t have a drive letter attached).
  6. Type assign letter=K: to assign the drive letter K: to that partition.
  7. Type exit to get to the command prompt.
  8. Type cd /d K:\efi\microsoft\boot\.
  9. Type attrib BCD -s -h -r.
  10. Type rename BCD BCD.old.
  11. Type BCDBoot c:\windows /s k: /f all (replace c: with the proper drive letter depending on what drive letter gets assigned in WinPE; sometimes it will be assigned to d:).
  12. Reboot.

Configuring the Virtual Machine to Boot from EFI and Enabling Secure Boot (Optional)

Method 1: Using the vCenter Console

  1. Connect to your vCenter Server: Use the vSphere Client (HTML5 or Flash-based) to connect to your vCenter Server instance.
  2. Locate Your Virtual Machine: Navigate to the inventory where your target virtual machine is located.
  3. Edit Virtual Machine Settings: Right-click on the virtual machine and select Edit Settings….
  4. Access VM Hardware Options: In the “Edit Settings” dialog box, go to the VM Hardware tab.
  5. Expand Boot Options: Scroll down and expand the Boot Options section.
  6. Select EFI Firmware: Under the “Firmware” dropdown menu, choose EFI.
  7. Enable Secure Boot (Optional):
    • Once EFI is selected, look for an option related to Secure Boot. This might be a checkbox labeled Secure Boot enabled or a similar setting.
    • Check the box or select the appropriate option to enable Secure Boot. Remember that the guest operating system must support Secure Boot for this to function correctly.
  8. Save Changes: Click OK at the bottom of the “Edit Settings” dialog to save your configuration.
  9. Power On the VM: You can now power on your virtual machine. It will boot using the EFI firmware, and Secure Boot will be active if you enabled it.

Method 2: Using PowerShell

For those who prefer automation or need to configure multiple VMs, you can also use PowerShell to enable EFI and Secure Boot. Here’s a script you can use:

Prerequisites:

  • PowerCLI: Ensure you have VMware PowerCLI installed and connected to your vCenter Server.
  • VM Variable: You’ll need to define a variable $VM containing the name of the virtual machine you want to configure.

The PowerShell Script:

PowerShell

# Define the name of your virtual machine
$VM = "YourVMName"

# Get the VM object
$VcenterVM = Get-VM -Name $VM

# Stop the virtual machine (required to change BIOS settings)
Stop-VM -VM $VcenterVM -Confirm:$false

# Configure BIOS to EFI and enable Secure Boot
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$bootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi
$bootOptions.EfiSecureBootEnabled = $true
$spec.BootOptions = $bootOptions

$vcenterVM.ExtensionData.ReconfigVM($spec)

# Power on the virtual machine
Start-VM -VM $VcenterVM -Confirm:$false

Write-Host "Successfully configured $($VcenterVM.Name) to boot with EFI and Secure Boot enabled."

How to Use the Script:

  1. Replace "YourVMName" in the first line with the actual name of the virtual machine you want to modify.
  2. Ensure you are connected to your vCenter Server using Connect-VIServer before running the script.
  3. Run the script.

Important Considerations for Both Methods:

  • VM State: The virtual machine needs to be powered off to change the firmware settings. The PowerShell script handles this. For the console method, ensure the VM is powered off before editing settings.
  • Error Handling (PowerShell): For production environments, consider adding error handling (e.g., try-catch blocks) to manage potential issues like the VM not being found or PowerCLI connection problems.
  • VM Compatibility: Enabling Secure Boot might require a certain virtual machine compatibility level. We will discuss updating VM compatibility (along with TPM) in the next post.
  • Guest OS Support: Ensure the guest operating system supports EFI and Secure Boot.
  • Potential Timing Issues (PowerShell): In some environments, you might encounter issues if the vCenter Server hasn’t fully processed the stop command before the reconfiguration. If you experience this with the PowerShell script, you can try adding a Start-Sleep -Seconds <number> command after the Stop-VM line, adjusting the number of seconds as needed.

Discover more from IT Engineered

Subscribe now to keep reading and get access to the full archive.

Continue reading